OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL


> However, the decoded SAMLResponse is sent to
> /ufs/user/framedResponse.jsp?app=ABC without the necessary esessionid
> parameter.

The URL you sent had some kind of embedded ampersand URL-encoded into it, it
probably tripped a bug in some fashion.

> I am trying to argue with the Assertion providers that this violates the
> SAML standard, but I have failed to back this up with appropriate
> references.
> 
> Could you help me argue my point that the AssertionConsumerServiceURL
value
> should be used as it by the assertion provider, without modification?

I can't speak for what the standard intended, but I think this is bad
practice and our implementation wouldn't allow it. We do direct comparisons
against the metadata, so using a query string that would vary would break
it.

I think you should be putting that information into RelayState.

-- Scott




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]