Shibboleth SP not redirecting to the deep link

Peter Schober peter.schober at
Mon Dec 17 16:58:42 EST 2018

* krrishv <krish.v at> [2018-12-17 22:00]:
> I have configured Shibboleth SP with my apache 2.2. I have a
> application which is reverse proxied for header based
> authentication.

Does the application server not support AJP? Because if it did you
wouldn't need to use HTTP Request Headers.

> ServerName 
> ServerAlias evtswebfiml01 
> ProxyPass /
> ProxyPassReverse /

Note that under real (non-test) conditions the URL would have to be the only way to access
the application, with no direct access to the application allowed.
(I think you'd also need to do that if "UseCanonicalName On" were set,
which is recommended.)

> Now when ever i am doing the authentication with deeplink for example 
> I am expecting it to authenticate with my IDP and redirect to the same link. 
> But what i am seeing is it is redirecting to my IDP and after 
> authentication, It just lands in . Can some one 
> throw light on this?

If you're back with a session (see your logs and/or
/Shibboleth.sso/Session after such a login attempt) things seem to
work sufficiently, modulo RelayState, as Scott said.

What's the IDP implementation involved here? Does it send back
RelayState verbatim as required by the spec? Does your SP send out
RelayState to the IDP as expected?  You can see all of this in your
browser, e.g. using the SAMLtracer extension for Firefox and Chromium.


More information about the users mailing list