How to access the AssertionConsumerServiceURL from the AuthnRequest in a custom MFA flow
marc.jay at taskize.com
Thu Apr 16 15:30:49 EDT 2020
Thank you very much for that info - I appreciate what you mean about them being implementation details. It was the only way I could see in our current implementation of knowing, within our MFA flow, which of our two protected subdomains the user had attempted to access, before getting redirected to the IdP to authenticate - at least without setting up some backchannel to query the in-memory RelayState - which also felt like a bad idea.
We've built our own flows and views to handle this - the challenge we found was how to send users who use an external IdP to their IdP without losing the RelayState, which we have yet to overcome, but once this quick-turnaround feature is delivered, we will upgrade to V4 and experiment with the discovery/IdP proxy capability, as I suspect that is the way to go.
Thank you - that worked perfectly - the ACS, at least for now, is always either https://subdomain-a.foo.com/Shibboleth.sso/SAML2/POST or https://subdomain-b.foo.com/Shibboleth.sso/SAML2/POST and so when we redirect to the session initiator URL, in the flow we can set the target param to be subdomain-a.foo.com or subdomain-b.foo.com to match - I appreciate we will lose deep-linking in this situation, but that is acceptable until we build the better solution.
Many thanks for your help.
Taskize Limited registered address 33 Cannon Street, London, EC4M 5SB. Registered in England No. 7921239. This message may contain information that is privileged or confidential. If you are not the intended recipient please delete it and inform the sender immediately.
More information about the users