Where does Shibboleth SP cache target URLs?

Peter Schober peter.schober at univie.ac.at
Fri Sep 16 15:30:13 UTC 2022

* Jose Hales-Garcia via users <users at shibboleth.net> [2022-09-16 17:21]:
> Many of our target URLs contain long query strings exceeding 80
> bytes (the limit of RelayState).  Yet Apache/Shibboleth passes these
> long target URLs in tact on successful authentication.

FWIW, the software does support overly long (as per the spec) target
URLs, despite possibly logging a warning about their length (which I
think the Shibboleth IDP does when recieving such values).

> Is caching a target URL something Apache does, or Shibboleth SP?

The Shibboleth SP has several options for handling RelayState, from
passing it to the IDP verbatim to storing it internally and only
passing an opaque reference to the IDP (and then mapping it back from
that opaque reference to the actual value after recieving the SAML
Reponse from the IDP).

The latter (opaque reference) not only avoids any problems wrt
RelayState length, it also prevents the requested resource from being
leaked the IDP. So it's superior in every aspect, I think.  It should
also be the default behaviour, AFAIR.

The Fine Documentation should cover all the options here.


More information about the users mailing list