Redirecting to Particular page(using target parameter) of SP using IDP initiated SSO

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

On 12/22/2020 4:18 AM, Abhishek Chouksey wrote:
> I have implemented IDP initiated SSO for SP and I want to redirect
> user to one particular page of sp after SSO so I came across "target"
> parameter and I am passing target url from my client but still not
> able to redirect to that particular page. Can anyone please tell me
> what else other config required at shibboleth side so that I can land
> to any particular page after SSO by providing that page URL in target
> attribute.
>
In general this is not possible; when your IdP sends the SAML response
to the SP's Assertion Consumer Service endpoint, at that point the SP is
in control of where to send the browser next, and there is nothing in
the SAML protocol that specifies a function like that.

Some SAML SP implementations may choose to treat the RelayState
parameter (which for the Shib IdP is set using the "target" parameter on
the Unsolicited endpoint) as an indication of where to send the user
next, but that cannot be relied upon in general.

--
%%  Christopher A. Bongaarts   %%  [hidden email]          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

On 12/22/20, 11:12 AM, "users on behalf of Christopher Bongaarts via users" <[hidden email] on behalf of [hidden email]> wrote:

>    Some SAML SP implementations may choose to treat the RelayState
>    parameter (which for the Shib IdP is set using the "target" parameter on
>    the Unsolicited endpoint) as an indication of where to send the user
>    next, but that cannot be relied upon in general.

That's correct. It's also the case that the Shiibboleth SP will do it automatically, so there is absolute no way that the OP is doing what they claim to be or it's not a Shibboleth SP.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

On 12/23/20, 9:37 AM, "Abhishek Chouksey" <[hidden email]> wrote:

>    Thanks for the response. What I understand by this is that by using target(RelayState) parameter we are passing the
> landing page url at SP but it depends on SP side whether they choose RelayState parameter as indication of where to land
> user or not. Some SP can use it and some may not  depends on SP. Please let me know If I am wrong

That's accurate. Shibboleth does, probably a decent number of others will, many won't.

IdP-initiated SSO was and is a dumb idea. It should never be used and when it's required you know immediately the SP has no idea what they're doing.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]