URL Hash Fragment lost in SP Initiated SSO over REDIRECT Binding

Pascal Rigaux pascal.rigaux at univ-paris1.fr
Tue Oct 4 22:17:15 UTC 2022


A browser following a Redirect (HTTP 302) will keep the current hash fragment. So there is no need to embed it in the HTTP "Location" header.

What breaks the hash fragment is the HTTP POST binding. Here is a solution we use in an apache2 front end to keep the fragment in the IDP->SP HTTP POST response:

   <LocationMatch "/idp/(profile/Shibboleth/SSO|profile/SAML2/Redirect/SSO|Authn/RemoteUser)" >
     # the backend must not compress the response, otherwise mod_substitute cannot rewrite it
     RequestHeader unset  Accept-Encoding
     AddOutputFilterByType SUBSTITUTE text/html

     # prepend JS to the body onload handler: before the SAML form auto-submits,
     # copy the browser's current fragment onto the form action (it never reaches the IDP server)
     Substitute "s!(<body onload=\")!$1 try { document.forms[0].action += document.location.hash } catch (e) {}; !"
   </LocationMatch>

NB: the Shibboleth login form may also break the hash fragment. Here we delegate auth to Apereo CAS, which has similar JS code on its login page.

On 04/10/2022 22:55, prasanna cg via users wrote:
> Hello Experts,
> I am using Shibboleth SP and noticed that the URL fragment is not getting preserved in an SP Initiated SAML SSO with Shibboleth IDP. The Binding used is REDIRECT.
> The SAML Auth Request from the SP contains the relay state param as a query string (but I also noticed it's not URL encoded) as below
> ss:mem:fbe378f7b0dd8b9b629a2d0942b0d84ea987cdc72d802671ea16056181ec7b36#r10
> IDP then issues a 302 redirect to “https://idp.example.com/idp/profile/SAML2/Redirect/SSO?execution=e2s1#r10”
> From there the Hash Fragment in the relay state is not preserved and lost, which causes a lot of user inconvenience.
> What is the solution for this? Will HTTP POST binding work?
> We have a lot of applications integrated with our IDP this way for which we share the URL with Hash Fragment to end users to read/review a specific content and take action.
> Looking forward to your response
> Thanks,
> Prasanna

Pascal Rigaux

Expert in application development and deployment
DSIUN-PAS (Pôle Applications et Services numériques)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 04 08 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
Tel: 01 44 07 86 59 - 06 74 55 57 67
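The one-liner injected by the Substitute directive above (`document.forms[0].action += document.location.hash`) is the whole mechanism, so here it is as an added example written by the editor, not code from the post or from Shibboleth/CAS, in a form that can be tested outside a browser. It assumes a "form" is any object with an `action` string and an `elements` array of `{name}` entries (a real HTMLFormElement satisfies that shape), and it adds two checks the one-liner skips: it picks the form that actually carries the SAMLResponse/SAMLRequest field instead of `forms[0]`, and it replaces rather than doubles a fragment already present on the action. The sample forms are constructed for the demo.

```javascript
// Added example (editor's code, not from the mailing-list post). Runs under Node without a
// DOM: the "forms" are plain objects shaped like the DOM (action string, elements with names).

// Return `action` with the browser's current fragment carried over.
//  - an existing fragment on `action` is replaced, never doubled ("...#a#b")
//  - an empty hash ("" or "#") yields an action without any fragment
//  - a hash given without its leading "#" is normalised
function carryHash(action, hash) {
  const cut = action.indexOf('#');
  const base = cut === -1 ? action : action.slice(0, cut);
  if (!hash || hash === '#') return base;
  return base + (hash.startsWith('#') ? hash : '#' + hash);
}

// Pick the SAML binding form rather than blindly trusting forms[0]: the one whose
// fields include SAMLResponse (IDP -> SP) or SAMLRequest (SP -> IDP). Returns null if none.
function findSamlForm(forms) {
  for (const form of forms) {
    const names = Array.from(form.elements || [], (el) => el.name);
    if (names.includes('SAMLResponse') || names.includes('SAMLRequest')) return form;
  }
  return null;
}

// Mutate the chosen form in place (what the injected onload code does) and return the new
// action, or null when no SAML form is present so nothing is touched.
function applyHash(forms, hash) {
  const form = findSamlForm(forms);
  if (form === null) return null;
  form.action = carryHash(form.action, hash);
  return form.action;
}

// Constructed sample of an IDP's auto-submitting POST page: a first form that is not the
// SAML one (forms[0] would be wrong here) and the real POST-binding form behind it.
const SAMPLE_FORMS = [
  { action: '/idp/profile/SAML2/Redirect/SSO?execution=e2s1', elements: [{ name: 'csrf_token' }] },
  {
    action: 'https://sp.example.org/Shibboleth.sso/SAML2/POST',
    elements: [{ name: 'RelayState' }, { name: 'SAMLResponse' }],
  },
];

// Demo: the fragment the user arrived with (constructed, as in the original question).
console.log(applyHash(SAMPLE_FORMS, '#r10'));
// prints "https://sp.example.org/Shibboleth.sso/SAML2/POST#r10"
```

In the browser the same call is `applyHash(document.forms, document.location.hash)`. Because the fragment only ever lives in the browser, the IDP and the SP servers never see it in a request line or log, which is exactly why it has to be re-attached client-side at every hop that is not a plain 302.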
