
Re: DEFAULTQS configuration help



Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
>     Thanks for the reply. I got it to work with the change that you
> suggested.
> 
> My mistake was a silly one, but I will mention it here so that if others make
> a similar one, they can correct it as well: I was inadvertently writing
> the code as 10 (numeric one) instead of l0 (lowercase L)!!

:-)

> I have a follow-up question w.r.t. the RelayState.
> 
> If I have an HTML page then the value of the relay state will be available
> as a query parameter (as mentioned in the documentation). However, if I set
> the DEFAULTQS, then I would have to hard-code the value of "fr". Is my
> understanding correct?

Right.

> If this is the correct assumption, then is that the suggested way - to
> direct the user always to the same landing page after SSO, or is the
> expectation that there will be a custom idpsel page, which will do an
> automatic submit of the form so that the user does not need to do anything?

Both are possible. Basically DEFAULTQS is a config-time option and
not very dynamic, so you would be constrained to always the same landing
page.

If you need something fancier, you would need the "magic" idpsel page
or some other web-server-level (rewrite rule?) or PHP-level
magic that manipulates the query string correctly.

For example, if you show a web page to unauthenticated users, with
several links to follow, you could generate each link with a query
string that preselects the IdP and supplies fr that points to the
final destination. Generating such a page with PHP would not be
difficult (see how the magic aura is starting to wear off).

In fact the link page could even be entirely static as long as
you manually supply the magically correct URLs.

Cheers,
--Sampo

> Regards,
> Karthik
> 
> 
> On Thu, Nov 21, 2013 at 5:29 PM, <sampo@xxxxxxxxx> wrote:
> 
> > Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
> > > Hi all,
> > >     I have downloaded the latest version of zxid (1.16) and compiled
> >
> > Rest of the list: sorry folks, I did not announce it, but there is a
> > new release available :-)
> >
> > There will be another before Christmas.
> >
> > > against Apache 2.2 on Ubuntu to get the mod_auth_saml.so. I have
> > > registered an IDP in my COT using the zxcot utility. I can see that in my
> > > dropdown list on the IDP selection page as well.
> > >
> > > I want to be able to bypass the IDP selection page and directly go to the
> > > IDP login page. For that I used the DEFAULTQS configuration option and it
> > > does not seem to work.
> > >
> > > My option in the apache conf file for the <Location> is as below:
> > >
> > > DEFAULTQS=10https://<hostname>/<path>/metadata.xml
> >
> > The correct syntax is the query string syntax as if a form
> > had been submitted. Try the following:
> >
> > DEFAULTQS=l0https://<host>/<path>/idp.xml=1%26fp=1
> >
> > Please note
> >
> > 1. The l0... stuff must end with "=1"
> >
> > 2. If there are any other fields you would like to pass, you need
> >    to include them in the query string, but you need to URI escape
> >    characters, such as ampersand ("&") with %26 (percent 26).
> >
> > 3. One other field in particular that you may want to pass is
> >    fr (aka RelayState) which will control the redirection
> >    after SSO if you have configured REDIR_TO_CONTENT=1
> >
> > Cheers,
> > --Sampo
> >
> > > I tried to give this in the zxid.conf file as well, and that didn't work
> > > either.
> > >
> > > Can someone please suggest how to set this configuration correctly?
> > >
> > > Regards,
> > > Karthik
> > >
> >
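Added example, not from the thread and not ZXID's own code: a small Python helper that builds the "as if the form had been submitted" query string from Sampo's three notes (l0 field ending in "=1", "&" escaped as %26 in DEFAULTQS, fr as RelayState), generates the per-link query strings for the static or PHP link page he describes, and lints a DEFAULTQS value for the mistakes discussed (the 10 vs l0 typo, a missing "=1", an unescaped "&"). The entity ID, landing page, SSO endpoint and the allowed_hosts safeguard on the RelayState target are constructed assumptions; the entity ID is written raw inside the l0 key exactly as in Sampo's example.

```python
from urllib.parse import quote, urlparse

# Constructed sample values (assumptions, not taken from the thread).
IDP_ENTITY_ID = "https://idp.example.com/idp.xml"
LANDING_PAGE = "https://sp.example.com/app/"


def build_idp_select_qs(idp_entity_id, relay_state=None, allowed_hosts=None):
    """Query string as if the ZXID IdP selection form had been submitted.

    l0<entity-id>=1 preselects the IdP (entity ID written raw, as in the
    thread); fr carries the RelayState and is percent-encoded. allowed_hosts
    is an added safeguard (assumption): fr is a post-SSO redirect target, so
    refuse targets that point off-site.
    """
    parts = ["l0" + idp_entity_id + "=1"]
    if relay_state is not None:
        host = urlparse(relay_state).hostname
        if allowed_hosts is not None and host not in allowed_hosts:
            raise ValueError("RelayState host %r not allowed" % host)
        parts.append("fr=" + quote(relay_state, safe=""))
    return "&".join(parts)


def to_defaultqs_conf(qs):
    """DEFAULTQS line for the conf file: every '&' separator written as %26."""
    return "DEFAULTQS=" + qs.replace("&", "%26")


def link_for(sso_endpoint, idp_entity_id, target, allowed_hosts=None):
    """href for one link on a static or PHP-generated landing page."""
    return sso_endpoint + "?" + build_idp_select_qs(idp_entity_id, target, allowed_hosts)


def lint_defaultqs(value):
    """Report the mistakes discussed in the thread found in a DEFAULTQS value."""
    problems = []
    v = value[len("DEFAULTQS="):] if value.startswith("DEFAULTQS=") else value
    if v.startswith("10"):        # digit one + zero instead of lowercase L + zero
        problems.append("digit-one")
    elif not v.startswith("l0"):
        problems.append("no-l0")
    first = v.split("%26", 1)[0]  # the l0 field, up to the first escaped separator
    if "&" in v:                  # separators must be URI-escaped in the conf
        problems.append("raw-ampersand")
        first = first.split("&", 1)[0]
    if not first.endswith("=1"):  # the l0 field must end with "=1"
        problems.append("missing-eq1")
    return problems


if __name__ == "__main__":
    qs = build_idp_select_qs(IDP_ENTITY_ID, LANDING_PAGE, {"sp.example.com"})
    print(to_defaultqs_conf(qs))
    print(link_for("https://sp.example.com/saml", IDP_ENTITY_ID, LANDING_PAGE))
    print(lint_defaultqs("DEFAULTQS=10https://idp.example.com/metadata.xml"))
```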