RelyParty redirect URL

Joseph Fischetti Joseph.Fischetti at marist.edu
Thu Jul 2 16:41:28 UTC 2020


> That's terrible security practice, but it won't matter anyway.

Is it terrible security practice to use it in a URL parameter, or to pass it to an SP? (I just want to understand the statement.)

I'm following the same model that Christopher Bongaarts proposed (which is how they've implemented their password reset mechanism).  In their case, the "attribute = 0 | 1" is their "password = valid | invalid", and once they send the user to the password update mechanism, they're passed back to the IdP to continue on to their original target SP.

If this isn't the right way to accomplish what we're trying to accomplish, I'm fine communicating that out.

I thought about simply sending "SP-B" the entityID of SP-A so that the user can be redirected to an IdP-initiated URL for SP-A... but that won't work for CAS-based service providers.
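As an added illustration of the entityID-based redirect idea above (this is not code from the original post or from the Shibboleth project), the following Python compares the weak pattern, redirecting to whatever value arrives in a URL parameter, with a version that only builds the IdP-initiated URL for an entityID that is already in the IdP's own list of known SPs. The IdP host, the SP entityIDs and the allowlist are constructed placeholders; the unsolicited-SSO path and its `providerId` parameter are the standard Shibboleth IdP SAML2 unsolicited SSO endpoint.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Constructed placeholders: the IdP's unsolicited (IdP-initiated) SSO endpoint
# and the entityIDs of SPs the IdP actually federates with.
IDP_UNSOLICITED_SSO = "https://idp.example.edu/idp/profile/SAML2/Unsolicited/SSO"
KNOWN_SP_ENTITY_IDS = frozenset({
    "https://sp-a.example.edu/shibboleth",
    "https://sp-b.example.edu/shibboleth",
})


def weak_return_url(target: str) -> str:
    """Weak pattern: trust an arbitrary 'return to' value from a URL parameter.

    Anything a caller puts in the parameter becomes the redirect target, so an
    attacker-controlled link can send the user to an unrelated site after the
    password-update step. Shown only to contrast with the hardened version.
    """
    return target


def hardened_return_url(entity_id: str) -> Optional[str]:
    """Hardened pattern: accept only a known SP entityID, never a raw URL.

    The parameter is treated as a lookup key into the IdP's own list of SPs.
    If it is unknown, nothing is built and the caller falls back to a safe
    default (e.g. the IdP's landing page) instead of redirecting.
    """
    if entity_id not in KNOWN_SP_ENTITY_IDS:
        return None
    # The IdP, not the parameter, decides the host and path of the redirect;
    # the entityID is only carried as an encoded query value.
    return IDP_UNSOLICITED_SSO + "?" + urlencode({"providerId": entity_id})


def redirect_stays_on_idp(url: Optional[str]) -> bool:
    """Defensive check a practitioner can log on: the redirect host is the IdP."""
    if url is None:
        return False
    return urlsplit(url).netloc == urlsplit(IDP_UNSOLICITED_SSO).netloc


if __name__ == "__main__":
    # Constructed inputs: a legitimate SP and an attacker-supplied value.
    for value in ("https://sp-a.example.edu/shibboleth", "https://evil.example.net/"):
        print("weak    :", weak_return_url(value))
        print("hardened:", hardened_return_url(value))
```

The hardened function returns `None` rather than raising, so the calling flow can fall back to a neutral page; logging the rejected value gives detection of probing for an open redirect without ever honouring it.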
