Protecting different URL paths
Peter Schober
peter.schober at univie.ac.at
Sat Nov 2 08:59:17 EDT 2019
* Kiem Nguyen <kiemnguyen at gmail.com> [2019-11-01 20:49]:
> 1. Go to https://abc.com/app1
> 2. Login
> 3. It redirects me to https://abc.com
How are you triggering SSO exactly, using active or passive protection?
https://wiki.shibboleth.net/confluence/display/SP3/ProtectContent
For "passive" you control where the browser ends up after SSO (using
the 'target' parameter to the session initiator, as stated in the
documentation[0]).
> Could you show me how to make Shibboleth redirect to a specific URL
> after the authentication?
For "active" protection that would be the default behaviour, with no
additional configuration necessary. So something must be off in your
deployment. You don't mention how you configured the webserver and/or
SP to protect the resource so there's not much to suggest.
> I tried to put the encoded URL for app1 in the relayState in
> shibboleth2.xml (relayState="https%3A%2F%2Fabc.com%2Fapp1"), but it
> said Shibboleth doesn't understand the relayState mechanism.
You should leave Session/@relayState="ss:mem" in your shibboleth2.xml
unless you understand how it works and have a requirement to use a
different mechanism. (I.e., I'd suggest to change it back.)
Also, if you wanted the resource URL to be passed by value you'd
remove that XML attribute from the Session element, as stated in the
documentation[1], not hard-code one such URL.
-peter
[0] https://wiki.shibboleth.net/confluence/display/SP3/SessionInitiator#SessionInitiator-CommonAttributes
[1] https://wiki.shibboleth.net/confluence/display/SP3/Sessions#Sessions-Attributes
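
An added example (not part of the original message and not Shibboleth project code) of the "passive" case described above: the application builds a link to the session initiator with a 'target' parameter, and accepts only destinations on the SP's own host so the link cannot be used as an open redirect. The /Shibboleth.sso/Login handler path is assumed to be the SP default, and login_url is a hypothetical helper name.

```python
from urllib.parse import urlencode, urlsplit

# Assumption: the SP handlers live under the default /Shibboleth.sso path and
# the session initiator is at /Login; adjust if your deployment differs.
LOGIN_HANDLER = "/Shibboleth.sso/Login"


def login_url(sp_origin: str, target: str) -> str:
    """Return a session-initiator link that lands the browser on `target` after SSO.

    `target` may be an absolute URL or a path on the SP's own host. Anything
    pointing at another host is rejected with ValueError.
    """
    origin = urlsplit(sp_origin)
    if origin.scheme != "https" or not origin.netloc:
        raise ValueError("sp_origin must look like https://host")

    # Backslashes and control characters can be reinterpreted by browsers
    # (for example "/\\host" handled like "//host"), so refuse them outright.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        raise ValueError("target contains characters browsers may reinterpret")

    # Turn a plain path into an absolute URL on the SP host.
    if target.startswith("/") and not target.startswith("//"):
        target = f"{origin.scheme}://{origin.netloc}{target}"

    dest = urlsplit(target)
    same_host = dest.netloc.lower() == origin.netloc.lower()
    if dest.scheme != origin.scheme or not same_host:
        raise ValueError(f"target is outside {sp_origin}")

    # urlencode percent-encodes the value once, as a query parameter needs.
    query = urlencode({"target": target})
    return f"{origin.scheme}://{origin.netloc}{LOGIN_HANDLER}?{query}"


if __name__ == "__main__":
    # Constructed sample using the host and path from the thread.
    print(login_url("https://abc.com", "/app1"))
```
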