Protecting different URL paths

Peter Schober peter.schober at
Sat Nov 2 08:59:17 EDT 2019

* Kiem Nguyen <kiemnguyen at> [2019-11-01 20:49]:
> 1. Go to
> 2. Login
> 3. It redirects me to

How are you triggering SSO exaclty, using active or passive protection?

For "passive" you control where the browser ends up after SSO (using
the 'target' parameter to the session initiator, as stated in the

> Could you show me how to make Shibboleth redirect to a specific URL
> after the authentication?

For "active" protection that would be the default behaviour, with no
additional configuration necessary. So something must be off in your
deployment. You don't mention how you configured the webserver and/or
SP to protect the resource so there's not much to suggest.

> I tried to put the encoded URL for app1 in the relayState in
> shibboleth2.xml (relayState=""), but it
> said Shibboleth doesn't understand the relayState merchanirsm.

You should leave Session/@relayState="ss:mem" in your shibboleth2.xml
unless you understand how it works and have a requirement to use a
different mechanism. (I.e., I'd suggest to change it back.)
Also, if you wanted the resource URL to be passed by value you'd
remove that XML attribute from the Session element, as stated in the
documentation[1], not hard-code one such URL.



More information about the users mailing list