Add static/custom attribute with ACS Url

Santu Ghosh mon.snahasish at gmail.com
Thu Feb 8 10:14:00 EST 2018


Thanks Tom for your response.

Yes, SP-initiated is working perfectly for all partners.
When I hit my SP-initiated URL, it ultimately redirects to a URL like the one below.

https://xxxxxx.com/shibboleth-sp/saml/login?idp=https://idp.host.com/idp/shibboleth

Now I am facing a problem with another partner. They are using an IdP-initiated
flow (we asked them not to continue with IdP-initiated but it's
their decision) and are trying to execute the SP's ACS URL.

They have configured the ACS URL as below:
https://xxxxxx.com/shibboleth-sp

Now, when the IdP server executes the above URL, we (SP side) receive the request
for idp-discovery on our end but cannot proceed because we cannot
distinguish their request.

It would be helpful if they could add an extra parameter along with the ACS URL
so that we can determine which IdP server the request is coming from.
We are expecting a URL like this (maybe I am wrong):

*https://xxxxxx.com/shibboleth-sp&user=abc
<https://xxxxxx.com/shibboleth-sp&realm=abc>*

Is it possible to configure a URL like the above for their IdP ACS? And will
that help us to serve our purpose?



Thanks,
Snahasish






On Thu, Feb 8, 2018 at 2:37 PM, Santu Ghosh <mon.snahasish at gmail.com> wrote:

> Thanks Tom for your response.
>
> Yes, SP-initiated is working perfectly for all partners.
> When I hit my SP-initiated URL, it ultimately redirects to a URL like the one
> below.
>
>
>
>
> On Wed, Feb 7, 2018 at 9:47 PM, Tom Scavo <trscavo at gmail.com> wrote:
>
>> On Wed, Feb 7, 2018 at 4:15 PM, Santu Ghosh <mon.snahasish at gmail.com>
>> wrote:
>> >
>> >>but in an IdP-initiated flow, the IdP can
>> > add whatever RelayState value the SP will understand (presumably by
>> > prior agreement).
>> >
>> > Can you please give me an example of how to add a parameter to an ACS URL??
>>
>> Let's back up a bit. First you need to understand how RelayState works
>> in an SP-initiated flow: The SP attaches a RelayState parameter to the
>> redirect URL, which the IdP is REQUIRED to return on the round trip.
>> This is documented in the SAML standard.
>>
>> Presumably the SP includes a RelayState parameter so that it knows
>> where to redirect the user at the very last step of the flow. Are your
>> SPs that support SP-initiated doing this now? If not, I'm not sure why
>> you're concerned with the SP that doesn't support SP-initiated. Either
>> you need RelayState for all of them or none of them.
>>
>> That said, an IdP-initiated flow is inherently non-standard. The IdP
>> could add an arbitrary RelayState parameter to the POST response but
>> the SP may not understand it since the request did not originate at
>> the SP. So if anything good happens in the IdP-initiated case it is by
>> prior agreement only. If the IdP passes a RelayState parameter that
>> the SP understands, then that means they colluded on its semantics.
>> That's great.
>>
>> HTH,
>>
>> Tom
>>
>
>
>
> --
> Snahasish
>
>


-- 
Snahasish
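
An added example, not part of the original message or of Shibboleth's code: a sketch of how an SP-side handler could tell partners apart in an IdP-initiated POST by reading the Issuer element of the SAML Response and accepting only RelayState values agreed in advance, as the quoted reply describes. It assumes the partner posts a standard SAML 2.0 Response; the PARTNERS table, the "portal" token and the "/portal/home" path are hypothetical, and the sample message is constructed and unsigned.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical prior agreement: issuer entityID -> {RelayState token: local path}.
PARTNERS = {"https://idp.host.com/idp/shibboleth": {"portal": "/portal/home"}}

def route_unsolicited(post_body):
    """Return (issuer, landing_path) for an IdP-initiated POST or raise ValueError.

    The Issuer is read before any signature check, so it only selects which
    partner's metadata and keys the SAML stack must then validate against.
    """
    form = parse_qs(post_body, keep_blank_values=True)
    if "SAMLResponse" not in form:
        raise ValueError("no SAMLResponse in POST body")
    xml_bytes = base64.b64decode(form["SAMLResponse"][0], validate=True)
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not allowed in a SAML message")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo"):
        raise ValueError("solicited response, belongs to the SP-initiated path")
    issuer = (root.findtext("{%s}Issuer" % SAML) or "").strip()
    if issuer not in PARTNERS:
        raise ValueError("unknown issuer %r" % issuer)
    # RelayState is attacker-reachable input: map agreed tokens to local paths,
    # never redirect to the raw value.
    relay = form.get("RelayState", [""])[0]
    if relay not in PARTNERS[issuer]:
        raise ValueError("RelayState not agreed with this partner")
    return issuer, PARTNERS[issuer][relay]

def constructed_post(issuer, relay):
    """Build a constructed (unsigned, sample-only) form body for the demo."""
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_sample" '
           'Version="2.0"><saml:Issuer>%s</saml:Issuer></samlp:Response>'
           % (SAMLP, SAML, issuer))
    blob = base64.b64encode(xml.encode()).decode()
    return urlencode({"SAMLResponse": blob, "RelayState": relay})

if __name__ == "__main__":
    print(route_unsolicited(constructed_post("https://idp.host.com/idp/shibboleth", "portal")))
```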