RelyParty redirect URL

Joseph Fischetti Joseph.Fischetti at
Thu Jul 2 15:20:08 UTC 2020

Is there any way to force the JSESSIONID to exist in the flowExecutionUrl (i.e. it doesn't always), or is it available as a variable I can access in a Velocity template?

Details below:

I have it implemented the way it was discussed (with a flow intercept that isn't an end state, leveraging the flowExecutionUrl with proceed).
SP-A is where the user wanted to go
SP-B is where the user needs to go first

User attempts to get to SP-A
Redirect to Shibboleth
Enter credentials
DataConnector lookup (attribute = 0)
 - Send to SP-B with flowExecutionUrl
 - User takes desired action
 - SP-B writes to database (attribute = 1)
 - SP-B sends user to flowExecutionUrl
DataConnector lookup (attribute = 1)
User continues to SP-A

In order to function properly, the flowExecutionUrl needs to include the JSESSIONID in it... which it usually does.
However, if a user has a valid JSESSIONID cookie already, it doesn't appear in the flowExecutionUrl.  After the user takes action at SP-B and they're redirected to the flowExecutionUrl, they're getting the back button error.

The only way I can force the error to happen is to:
Attempt to get to any SP
Redirect to Shibboleth
	The flowExecutionUrl contains the JSESSIONID
Don't log in
New tab/same tab - attempt to get to any SP
	The flowExecutionUrl no longer includes a JSESSIONID.

A few people in the test group have had it happen 'accidentally'.  
