Shibboleth SSO server adds "=" after query string


virajitha
Hi All,

One of our customers has configured our application with Shibboleth SSO to achieve single sign-on for the application. He has raised an issue that login is not successful when the user needs to be redirected to the URI mentioned in the "redirect" query string after successful login. The redirection is made to an apache-CAS server http://cas.example.com (configured with mod_auth_cas).

This is the url that shibboleth server gets at login page:

In our analysis we found the reason: the redirect URL has a query string without values, something like http://cas.example.com/library?field1=value1&1,,2,2,0, and when login was done, the Shibboleth server added "=", like http://cas.example.com/library?field1=value1&1,,2,2,0=, by assuming "1,,2,2,0" to be an empty key. The Apache-CAS server throws an error when it finds a change in the URL that is returned by Shibboleth.

Error thrown by CAS server:
response = <?xml version="1.0"?>\n<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">\n<cas:authenticationFailure code="INVALID_SERVICE">Mismatching service parameters: expected 'https://cas.example.com/library?redirect=https://cas.example.com:443/library?/pblackwell/pblackwell/1,1,2,B/l962~1070705&amp;FF=pblackwell+pamela&amp;1,,2,0,0' but was: 'https://cas.example.com:443/library?%2F0%2Fredirect=https%3A%2F%2Fcas.example.com:443/library%3F%2Fpblackwell%2Fpblackwell%2F1%2C1%2C2%2CB%2Fl962%7E1070705&amp;FF=pblackwell+pamela&amp;1%2C%2C2%2C0%2C0='</cas:authenticationFailure>\n</cas:serviceResponse>,

If we change the redirect URL to "http://cas.example.com/library?field1=value1&1,,2,2,0=" (with an equals sign at the end), so that the Shibboleth server gets the redirect query param with "=", then login happens successfully. Something like


According to the URI spec RFC 3986 here, there is no rule that a URI should always contain key=value pairs. We can mention just a key to indicate the presence of some parameter. Since our application can also be configured with other SSO servers, and it is not industry standard to always have key=value pairs, we do not think it will be a good idea to change our application to include "=" after param "1,,2,2,0". Could you please let us know what configuration changes should be made at the Shibboleth server that we can convey to our customers to solve this issue?


Thanks and Regards,
Virajitha



--
To unsubscribe from this list send an email to [hidden email]
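
The effect described in the post above, reproduced with Python's standard library as an added example (not code from Shibboleth, mod_auth_cas or the poster's application): parsing a query string into key/value pairs and rebuilding it turns a valueless key into `key=` and percent-encodes its commas, while splitting on `&` and keeping each raw segment returns the URL byte for byte. The sample URL is constructed from the one quoted in the post; the exact-match check and the removal of a `ticket` parameter are assumptions used for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample, modelled on the redirect URL quoted in the post.
SERVICE_URL = "http://cas.example.com/library?field1=value1&1,,2,2,0"


def reserialize_lossy(url):
    """Parse the query into (key, value) pairs and rebuild it.

    A valueless key comes back as 'key=' and its commas are percent-encoded,
    so the URL no longer equals the one that was originally registered.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def split_query_raw(query):
    """Split on '&' only, keeping raw text and whether '=' was present."""
    segments = []
    for raw in query.split("&") if query else []:
        key, sep, value = raw.partition("=")
        segments.append((key, value, bool(sep)))
    return segments


def reserialize_preserving(url, drop_keys=()):
    """Rebuild the query from raw segments without re-encoding.

    '=' is written only where the original had one. drop_keys (hypothetical
    helper argument) removes parameters such as a ticket without touching
    the remaining segments.
    """
    parts = urlsplit(url)
    kept = [
        key + ("=" + value if had_eq else "")
        for key, value, had_eq in split_query_raw(parts.query)
        if key not in drop_keys
    ]
    return urlunsplit(parts._replace(query="&".join(kept)))


def service_matches(expected, presented):
    """Assumption: the validator compares service URLs as exact strings,
    as the 'Mismatching service parameters' error text suggests."""
    return expected == presented
```
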
RE: Shibboleth SSO server adds "=" after query string

Rod Widdowson
I may be wrong, but this feels more like something appropriate for the users list.

R
