URL Hash Fragment lost in SP Initiated SSO over REDIRECT Binding
Pascal Rigaux
pascal.rigaux at univ-paris1.fr
Tue Oct 4 22:17:15 UTC 2022
Hi,
A browser following a redirect (HTTP 302) keeps the current hash fragment, so there is no need to embed it in the HTTP "Location" header.
What breaks the hash fragment is the HTTP POST binding. Here is a solution we use in our Apache2 front end to keep the fragment across the IdP->SP HTTP POST response:
<LocationMatch "/idp/(profile/Shibboleth/SSO|profile/SAML2/Redirect/SSO|Authn/RemoteUser)">
    # Ask the backend for an uncompressed response so mod_substitute can rewrite the HTML body
    RequestHeader unset Accept-Encoding
    AddOutputFilterByType SUBSTITUTE text/html
    # Prepend a snippet to the auto-submit form's onload handler that copies the page's
    # fragment onto the form action, so the browser carries it through the POST
    Substitute "s!(<body onload=\")!$1 try { document.forms[0].action += document.location.hash } catch (e) {}; "
</LocationMatch>
NB: the Shibboleth login form may also break the hash fragment. Here we delegate authentication to Apereo CAS, which has similar JS code on its login page.
On 04/10/2022 22:55, prasanna cg via users wrote:
> Hello Experts,
>
> I am using Shibboleth SP and noticed that the URL fragment is not getting preserved in an SP-initiated SAML SSO with Shibboleth IdP. The binding used is REDIRECT.
>
> The SAML AuthnRequest from the SP contains the relay state param as a query string (but I also noticed it's not URL-encoded), as below:
>
> ss:mem:fbe378f7b0dd8b9b629a2d0942b0d84ea987cdc72d802671ea16056181ec7b36#r10
>
> IDP then issues a 302 redirect to “https://idp.example.com/idp/profile/SAML2/Redirect/SSO?execution=e2s1#r10”
>
> From there, the hash fragment in the relay state is not preserved and is lost, which causes a lot of user inconvenience.
>
>
> What is the solution for this? Will HTTP POST binding work?
>
> We have a lot of applications integrated with our IdP this way, for which we share URLs with hash fragments with end users so they can read/review specific content and take action.
>
>
> Looking forward to your response.
>
>
> Thanks,
> Prasanna
>
--
Pascal Rigaux
Expert in application development and deployment
DSIUN-PAS (Pôle Applications et Services numériques)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 04 08 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
Tel.: 01 44 07 86 59 - 06 74 55 57 67
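As an added example (not code from this thread, from Shibboleth or from Apache), here is a JavaScript model of the navigation chain the reply above describes: a 302 whose Location carries no fragment inherits the current page's fragment, a form POST reaches only the fragment written into the form action, and the onload snippet injected by the Substitute rule supplies exactly that. Hostnames, the RelayState handle and the IdP response HTML are constructed for illustration; the browser is modelled with the WHATWG URL class (available in Node and browsers), and the injected onload snippet is recognised by string match rather than executed.

```javascript
// Browser following a redirect: when the Location header names no fragment,
// the target inherits the fragment of the URL being left (URL standard).
function followRedirect(currentUrl, locationHeader) {
  const current = new URL(currentUrl);
  const target = new URL(locationHeader, current);   // resolves a relative Location
  if (!locationHeader.includes('#') && current.hash) {
    target.hash = current.hash;
  }
  return target.href;
}

// Hardened form of the injected onload snippet: copy the page fragment onto
// the form action, unless there is nothing to copy or the action already
// carries a fragment of its own.
function actionWithFragment(action, hash) {
  if (!hash || hash === '#') return action;
  if (action.includes('#')) return action;
  return action + hash;
}

// Constructed sample of an IdP POST-binding response, in the shape the
// Substitute rule matches (<body onload="...">). Values are placeholders.
const SAMPLE_IDP_RESPONSE = [
  '<html><body onload="document.forms[0].submit()">',
  '<form method="post" action="https://app.example.org/Shibboleth.sso/SAML2/POST">',
  '<input type="hidden" name="SAMLResponse" value="..."/>',
  '<input type="hidden" name="RelayState" value="ss:mem:0123abcd"/>',
  '</form></body></html>',
].join('\n');

const ONLOAD_SNIPPET =
  ' try { document.forms[0].action += document.location.hash } catch (e) {}; ';

// The same rewrite the Apache Substitute rule performs, done in JS.
function applySubstituteRule(html) {
  return html.replace(/(<body onload=")/, '$1' + ONLOAD_SNIPPET);
}

// Model of the browser loading the IdP page: read the auto-submit form's
// action and, if the snippet is present in onload, apply its effect.
function loadPage(pageUrl, html) {
  const action = /<form[^>]*\saction="([^"]*)"/.exec(html)[1];
  const onload = /<body onload="([^"]*)"/.exec(html)[1];
  const patched = onload.includes('document.forms[0].action += document.location.hash');
  const hash = new URL(pageUrl).hash;
  return { action: patched ? actionWithFragment(action, hash) : action };
}

// Submitting a form navigates to its action; the POST body and headers
// never carry a fragment, so only one inside the action survives.
function submitForm(form) {
  return new URL(form.action).href;
}

// Full SP-initiated chain. `patchIdpResponse` stands for the Apache front end
// with the Substitute rule in place. The RelayState handle (ss:mem:...) is
// resolved by the SP back to the originally requested URL without fragment.
function runSsoChain(startUrl, patchIdpResponse) {
  const relayTarget = new URL(startUrl);
  relayTarget.hash = '';                              // SP stores the target, fragment never reaches it
  let url = startUrl;
  // 1. SP redirects the browser to the IdP (REDIRECT binding)
  url = followRedirect(url,
    'https://idp.example.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=...&RelayState=ss%3Amem%3A0123abcd');
  // 2. IdP's own flow-execution redirect
  url = followRedirect(url, '/idp/profile/SAML2/Redirect/SSO?execution=e2s1');
  // 3. IdP answers with the auto-submitting POST form (optionally rewritten)
  const html = patchIdpResponse ? applySubstituteRule(SAMPLE_IDP_RESPONSE) : SAMPLE_IDP_RESPONSE;
  url = submitForm(loadPage(url, html));
  // 4. SP's ACS consumes the response and redirects to the RelayState target
  url = followRedirect(url, relayTarget.href);
  return url;
}

console.log('without rewrite:', runSsoChain('https://app.example.org/docs#r10', false));
console.log('with rewrite:   ', runSsoChain('https://app.example.org/docs#r10', true));
```

The two console lines show the difference the rewrite makes: without it the fragment dies at step 3, with it the fragment rides on the form action, survives the POST and is inherited again by the ACS redirect in step 4.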