That is correct - the state ID is just a pointer to a data object
stored in the user's SSP session.
(Also, generally pushing data through GET parameters isn't recommended,
even if you encrypt it - you end up needing to add a lot of extra code
to prevent replay attacks and that sort of things.)
> Would I need to basically find some other back-channel to pass the
> details from the authentication page to the Auth/Source class to
> complete the authentication process? Perhaps just write it to a
> database, with the state as a key, or some part of the state as the
> key?
That is probably the easiest way to do this. Just remember to erase it
from the database afterwards to prevent it from being reused. (Using
the state ID should also prevent this, but it doesn't hurt to be safe.)
A different alternative that may work, depending on what exactly
you are doing: Display the authentication page from the CRM, but make
it POST the username and password to an URL in your SSP module. It can
then verify the user and, if everything is OK, continue the
authentication process. If the username or password is incorrect, it
can redirect the user back to the authentication page with an error
message. (Of course, this only works if the only thing you need from
the CRM is the infrastructure for page layout and such things.)
Best regards,
Olav Morken
UNINETT / Feide
Actually, you are seeing the "restart URL". This is something we use to
provide a fallback when people bookmark the login page. In your case it
may not be very useful, so dropping it is safe. Of course, if the user
somehow manages to return to the authentication handler with an invalid
or expired state ID, they will get the "State information lost" error.
With recent versions you can get only the state ID by passing TRUE as
the third parameter to saveState().