Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL
> However, the decoded SAMLResponse is sent to
> /ufs/user/framedResponse.jsp?app=ABC without the necessary esessionid
> parameter.

The URL you sent had some kind of embedded ampersand URL-encoded into it; it probably tripped a bug in some fashion.

> I am trying to argue with the Assertion providers that this violates the
> SAML standard, but I have failed to back this up with appropriate
> references.
>
> Could you help me argue my point that the AssertionConsumerServiceURL value
> should be used as is by the assertion provider, without modification?

I can't speak for what the standard intended, but I think this is bad practice and our implementation wouldn't allow it. We do direct comparisons against the metadata, so using a query string that would vary would break it. I think you should be putting that information into RelayState.

-- Scott
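
The approach described in the reply above, as an added example that is not part of the original message or of any SAML product's code: the IdP compares the requested AssertionConsumerServiceURL to the registered metadata by exact string match, and the SP carries per-session state through RelayState as an opaque, integrity-protected handle. The host name, key handling, in-memory store and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the one ACS endpoint the SP registered in its metadata.
# The path comes from the thread; the host is a placeholder.
REGISTERED_ACS = {"https://sp.example.org/ufs/user/framedResponse.jsp?app=ABC"}

RELAY_KEY = secrets.token_bytes(32)  # SP-side secret (assumption: per-process key)
_pending = {}                        # SP-side store: handle -> per-session value


def idp_accepts_acs(requested_url, registered=REGISTERED_ACS):
    """IdP side: direct comparison against metadata, no parsing or normalization."""
    return requested_url in registered


def _tag(handle):
    return hmac.new(RELAY_KEY, handle.encode(), hashlib.sha256).hexdigest()[:32]


def sp_make_relay_state(session_value):
    """SP side: keep the value server-side and send only a signed handle.

    The SAML 2.0 bindings limit RelayState to 80 bytes and recommend
    integrity protection, so the session value itself is never sent.
    """
    handle = secrets.token_urlsafe(16)      # 22 URL-safe chars, never contains "."
    _pending[handle] = session_value
    relay_state = f"{handle}.{_tag(handle)}"
    if len(relay_state.encode()) > 80:
        raise ValueError("RelayState exceeds 80 bytes")
    return relay_state


def sp_resolve_relay_state(relay_state):
    """SP side: verify the tag, then consume the stored value (single use)."""
    handle, _, tag = relay_state.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(handle).encode()):
        return None
    return _pending.pop(handle, None)


if __name__ == "__main__":
    base = "https://sp.example.org/ufs/user/framedResponse.jsp?app=ABC"
    print(idp_accepts_acs(base))                       # registered URL
    print(idp_accepts_acs(base + "&esessionid=123"))   # varying query string
    rs = sp_make_relay_state("123")
    print(rs, sp_resolve_relay_state(rs))
```
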