[Shib-Users] SP don't redirect to requested URL after SSO


Petra Berg

Feb 9, 2010, 1:40:33 AM2/9/10
to Shibboleth Mailing List
Hi,

I established a small test environment with one IdP and one SP. On the SP I have an application with two (or more) entry points:
1. /shib-protected
2. /shib-protected/printenv

First I shibbolized the location 'sp.hu-berlin.de/shib-protected'. The request of 'sp.hu-berlin.de/shib-protected' works fine. That means redirecting to the login page at the IdP, authorization, and redirecting back to the source location at the SP.
But the second URL, 'sp.hu-berlin.de/shib-protected/printenv', only works if I was authenticated before. In case of an SSO redirect to the IdP, the ACS redirects me to 'sp.hu-berlin.de/shib-protected'.

I tried various configuration settings of the SP:
1. One RequestMapper with defined host and Path="shib-protected", one DefaultApplication with homeURL="https://sp.hu-berlin.de/shib-protected", with one SessionInitiator.

2. One RequestMapper with defined host and Path="shib-protected", one DefaultApplication with homeURL="https://sp.hu-berlin.de/shib-protected", with two SessionInitiators, the default one and a second one with target="https://sp.hu-berlin.de/shib-protected/printenv". In the RequestMapper I added a nested Path "printenv" under "shib-protected" and set the attribute requireSessionWith to the second SessionInitiator.

3. In ApplicationDefaults I added an ApplicationOverride with homeURL="https://sp.hu-berlin.de/shib-protected/printenv" and changed the applicationId attribute in the RequestMapper for the nested Path to the ApplicationOverride.

In all cases the SP redirects after SSO to https://sp.hu-berlin.de/shib-protected. How can I configure the SP to redirect to the requested URL after SSO?

Thanks,
Petra
___________________________________________________________________

Petra Berg                          Humboldt-Universitaet zu Berlin
			            Unter den Linden 6
petra...@cms.hu-berlin.de         D-10099 Berlin
___________________________________________________________________

Peter Schober

Feb 9, 2010, 5:31:15 AM2/9/10
to Shibboleth Mailing List
* Petra Berg <petra...@cms.hu-berlin.de> [2010-02-09 07:41]:

> I tried various configuration settings of SP:
[...]

> How can I configure the SP to redirect to the requested URL after SSO?

First off you don't need to mess with Application and
ApplicationOverrides just to protect a few URLs and return to the
requested resource.
Also if you're on Apache httpd (as compared to MS-IIS) you don't
need any of the RequestMap entries: using httpd's native directives
works just fine (e.g. protecting <Files> or <Location> or <Directory>
or putting it all in .htaccess files, etc.).
-peter

Petra Berg

Feb 9, 2010, 7:05:52 AM2/9/10
to shibbole...@internet2.edu
Hi Peter,

> First off you don't need to mess with Application and
> ApplicationOverrides just to protect a few URLs and return to the
> requested resource.

But in the SP configuration file shibboleth2.xml you need to define a default application and a request mapper which refers to it. I guess that the SP always redirects to the homeURL of the application in case of SSO, doesn't it? If I remove this attribute from the default application definition, I am redirected to 'https://sp.hu-berlin.de' after SSO.
If there is no application defined, how does the SSO with the IdP work?

> Also if you're on Apache httpd (as compared to MS-IIS) you don't
> need any of the RequestMap entries: using httpd's native directives
> works just fine (e.g. protecting <Files> or <Location> or <Directory>
> or putting it all in .htaccess files, etc.).

I configured Apache only with the following in httpd.conf:
<Location /shib-protected>
  AuthType shibboleth
  ShibRequireSession On
  ShibRequireAll On
  require valid-user
</Location>


What does the minimal configuration in shibboleth2.xml look like?

Thanks,
Petra

Hausherr Michael

Feb 9, 2010, 8:05:51 AM2/9/10
to shibbole...@internet2.edu
Hi Petra
 
The first configuration you described in your original post should work:
> One RequestMapper with defined host and Path="shib-protected", One DefaultApplication with homeURL="https://sp.hu-berlin.de/shib-protected", with one SessionInitiator.
As we have just dealt with a specific case of the same behaviour (the SP loses the URL of the requested resource when a Shibboleth-protected link is clicked within an MS Office document), our federation's staff pointed us to the various "relayState" attribute options within the SessionInitiator element:

relayState (string)
Controls how information associated with the session request, primarily the original resource accessed, is preserved for the completion of the authentication process. If not specified, the resource URL is passed by value to the IdP, when possible. A value of "cookie" causes the URL to be saved in a cookie, to protect the user's privacy. A third option is to use the SP's persistent storage by specifying a value of the form "SS:id", where id references a <StorageService> element.

In our case, the problem was caused by the fact that the cookie "gets lost" between the click in the Office document and the redirect back to the SP. Maybe you are encountering a similar problem with the "cookie mechanism" involved?
Leaving out the "relayState" attribute (and therefore passing the resource URL to the IdP) fixed the problem for the moment.

Greetings,
Michael

------------------------------------------------------------
Fachhochschule Nordwestschweiz
Services
Abteilung Business Applications

Michael Hausherr
Teamleiter Entwicklung Applikationen
Schulthess-Allee 1
5200 Brugg AG
------------------------------------------------------------
T +41 56 462 43 95
F +41 56 462 40 44
M +41 76 373 16 50
michael....@fhnw.ch
www.fhnw.ch
------------------------------------------------------------  


From: Petra Berg [mailto:petra...@cms.hu-berlin.de]
Sent: Tuesday, 9 February 2010 13:06
To: shibbole...@internet2.edu
Subject: Re: [Shib-Users] SP don't redirect to requested URL after SSO

Scott Cantor

Feb 9, 2010, 10:14:56 AM2/9/10
to shibbole...@internet2.edu
Petra Berg wrote on 2010-02-09:
> But in the SP configuration file shibboleth2.xml you need to define a
> default application and a request mapper which refers to it. I guess that
> the SP always redirects to the homeURL of the application in case of SSO,
> doesn't it?

No. homeURL is only used when errors occur that prevent relay state from
identifying the correct resource, or during SSO without any relay state.
That isn't a typical situation and doesn't apply to your case.

> I configured apache only with following httpd.conf:
> <Location /shib-protected>
> AuthType shibboleth
> ShibRequireSession On
> ShibRequireAll On
> require valid-user
> </Location>
>
> How does the minimal configuration in shibboleth2.xml looks like?

You need nothing relevant to the content in shibboleth2.xml.

-- Scott


Petra Berg

Feb 10, 2010, 9:47:09 AM2/10/10
to shibbole...@internet2.edu
Hi,

Scott Cantor wrote:
> Petra Berg wrote on 2010-02-09:
>> But in the SP configuration file shibboleth2.xml you need to define a
>> default application and a request mapper which refers to it. I guess that
>> the SP always redirects to the homeURL of the application in case of SSO,
>> doesn't it?
>
> No. homeURL is only used when errors occur that prevent relay state from
> identifying the correct resource, or during SSO without any relay state.
> That isn't a typical situation and doesn't apply to your case.

OK, I tried without the relayState attribute in the SessionInitiator. Then I got the right redirect URL. But with "cookie" in relayState, the ACS redirects to the wrong URL, even though the cookie value is correct.

Thanks,
Petra

Scott Cantor

Feb 10, 2010, 10:30:34 AM2/10/10
to shibbole...@internet2.edu
Petra Berg wrote on 2010-02-10:
> OK, I tried without the relayState attribute in the SessionInitiator. Then I
> got the right redirect URL. But with "cookie" in relayState, the ACS redirects
> to the wrong URL, even though the cookie value is correct.

That means you have a web server or metadata configuration issue that's
preventing proper cookie use.

https://spaces.internet2.edu/display/SHIB2/FlowsAndConfig

-- Scott
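
The round trip discussed in this thread, as an added model that is not Shibboleth SP code and not from any poster: it shows why the by-value relay state returned Petra to /shib-protected/printenv while the "cookie" mode fell back to homeURL, by replaying the login handler, the IdP echo of RelayState, and the ACS for all three relayState settings. The homeURL and resource URLs are the ones from the thread; the IdP endpoint, the SP_HOSTS set, the Browser and SessionInitiator classes, and the cookie/token names are invented for the illustration, and the host-mismatch scenario (acs_host) is one assumed way a "web server or metadata configuration issue" makes the browser withhold the cookie from the ACS.

```python
"""
Model of how an SP carries the originally requested URL (the "relay state")
across the SSO round trip, and why a dropped cookie lands the user on homeURL.
Added illustration only: not Shibboleth SP code. Class, cookie and token names
are invented; HOME_URL and the resource URL come from the thread; IDP_SSO and
SP_HOSTS are assumed.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

HOME_URL = "https://sp.hu-berlin.de/shib-protected"                  # homeURL from the thread
IDP_SSO = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"  # assumed IdP endpoint
SP_HOSTS = {"sp.hu-berlin.de"}  # assumed: hosts the SP is willing to redirect back to


class Browser:
    """Cookie jar scoped by host, like a real browser: a cookie set while on
    sp.hu-berlin.de is never sent to www.sp.hu-berlin.de."""

    def __init__(self):
        self.jar = {}  # {host: {name: value}}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def cookies_for(self, host):
        return dict(self.jar.get(host, {}))


class SessionInitiator:
    """Models the SP login handler plus its ACS. relay_state mirrors the
    SessionInitiator relayState attribute: None (by value), "cookie" or "SS:<id>"."""

    def __init__(self, relay_state=None):
        self.relay_state = relay_state
        self.storage = {}  # stands in for the <StorageService> behind "SS:<id>"

    def start(self, browser, resource_url):
        """Build the redirect to the IdP, stashing resource_url per relay_state mode."""
        host = urlsplit(resource_url).hostname
        if self.relay_state is None:
            token = resource_url                      # URL travels to the IdP by value
        elif self.relay_state == "cookie":
            key = secrets.token_hex(8)
            browser.set_cookie(host, "_shibstate_" + key, resource_url)
            token = "cookie:" + key                   # only the key goes to the IdP
        elif self.relay_state.startswith("SS:"):
            token = "ss:" + secrets.token_hex(8)
            self.storage[token] = resource_url        # URL never leaves the SP
        else:
            raise ValueError("unknown relayState value: " + self.relay_state)
        query = urlencode({"SAMLRequest": "<AuthnRequest/>", "RelayState": token})
        return IDP_SSO + "?" + query

    def acs(self, browser, acs_url, relay_state):
        """Resolve the post-login target from the RelayState the IdP echoed back.
        Anything that cannot be recovered (or is not ours) falls back to HOME_URL."""
        host = urlsplit(acs_url).hostname
        if relay_state.startswith("cookie:"):
            # Only cookies the browser actually sends to the ACS host are visible here.
            return browser.cookies_for(host).get("_shibstate_" + relay_state[7:], HOME_URL)
        if relay_state.startswith("ss:"):
            return self.storage.pop(relay_state, HOME_URL)
        # By-value mode: refuse to bounce the user to a host we do not own
        # (hardening added in this model, not a claim about the real SP).
        parts = urlsplit(relay_state)
        if parts.scheme == "https" and parts.hostname in SP_HOSTS:
            return relay_state
        return HOME_URL


def sso_round_trip(relay_state, resource_url, acs_host=None):
    """Login -> IdP -> ACS; returns the URL the user ends up on.
    acs_host models metadata whose AssertionConsumerService names a different
    hostname than the vhost the user hit, so the browser withholds the cookie."""
    browser = Browser()
    sp = SessionInitiator(relay_state)
    redirect = sp.start(browser, resource_url)
    echoed = parse_qs(urlsplit(redirect).query)["RelayState"][0]  # IdP returns it unchanged
    host = acs_host or urlsplit(resource_url).hostname
    return sp.acs(browser, "https://%s/Shibboleth.sso/SAML2/POST" % host, echoed)


if __name__ == "__main__":
    target = "https://sp.hu-berlin.de/shib-protected/printenv"
    for mode in (None, "cookie", "SS:mem"):
        print(mode, "->", sso_round_trip(mode, target))
    print("cookie, ACS on other host ->",
          sso_round_trip("cookie", target, acs_host="www.sp.hu-berlin.de"))
```

The last line of the demo is the failure mode from the thread: the cookie is correct in the browser, but it is scoped to the host the user logged in on, so an ACS reached under another hostname never sees it and the SP has nothing left but homeURL. When relayState="cookie" sends users to homeURL, compare the hostname in the ACS Location of the SP's metadata (and the handler URL the web server serves it on) with the hostname users actually browse to; the by-value mode hides this mismatch because the URL rides along with the IdP exchange instead of in a host-scoped cookie.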

