How to set-up IdP Initiated SSO using Shibboleth as Service Provider

Nate Klingenstein ndk at
Fri May 31 13:37:13 EDT 2019


One of the fields used in SAML is called RelayState, which specifies your
destination URL after the assertion has been processed.  If there is none,
then the SP will redirect the user to a default URL, which defaults to /.
Try adding &target=<desired url> to your query string.  You can also add
homeURL="<url>" to your ApplicationDefaults element, but that will affect
every assertion that shows up without a RelayState.

As an aside, Scott's rewrite suggestion would be a more elegant solution as
it allows the SP to retain more control over session creation -- if that's
a good thing in this case -- but does involve touching the Apache side, and
it would be a good idea to set your ServerName and UseCanonicalName On if
you can.

Take care,

On Fri, May 31, 2019 at 11:23 AM christinepuedan <christinepuedan at>

> Thank you. That's what my initial thought as well. Aside from
> shibboleth.xml
> and attribute-map.xml we shouldn't be updating anything from the apache
> side. What happens now, after we logged in to our IdP, it just routes us to
> the apache blank index page, not on our desired application. So I'm
> thinking
> there must be a disconnect between apache and shibboleth that we should
> consider. Thoughts?
> --
> Sent from:
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list