From 1c750a1603ffcf6179bdc40ccfdce76ee799c117 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20=C3=85kre=20Solberg?= <andreas.solberg@uninett.no> Date: Thu, 2 Jul 2009 05:47:04 +0000 Subject: [PATCH] added section about bookmarking login page git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@1544 44740490-163a-0410-bde0-09ae8108e29a --- docs/simplesamlphp-idp-more.txt | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/simplesamlphp-idp-more.txt b/docs/simplesamlphp-idp-more.txt index 708265d78..d77978c11 100644 --- a/docs/simplesamlphp-idp-more.txt +++ b/docs/simplesamlphp-idp-more.txt 
@@ -27,6 +27,18 @@ The attribute release consent is documented in a separate document. * [Documentation on the consent module](https://rnd.feide.no/content/consent-module) +Support for bookmarking the login page +-------------------------------------- + +Most SAML software crash fatally when users bookmarks the login page and returns later when the cached session information is lost. This is natural as the login page happens in the middle of a SAML transaction, and the SAML software needs some references to the request in order to be able to produce the SAML Response. + +SimpleSAMLphp has implemented a graceful fallback to tackle this situation. When simpleSAMLphp is not able to lookup a session in the login process, it fall-backs to the *IdP-first flow*, described in next section, where the reference to the request is not needed. + +What happens in the IdP-first flow is that an *SAML unsolicited response* is sent back to the SP. An *unsolicited response* is a SAML Response with no reference to a SAML Request (no `InReplyTo` field). + +When an SimpleSAMLphp IdP fall-back to IdP-first flow, the `RelayState` parameter sent from the SP in the SAML request is also lost. The RelayState information contain a reference key for the SP to lookup where to send the user after successfull authentication. The SimpleSAMLphp Service Provider supports configuring a static URL to redirect the user after a unsolicited response is received. See more information about the `RelayState` parameter in the next section: *IdP-first flow*. + + IdP-first flow -------------- -- GitLab
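Review bot: In the third added paragraph the field is called `InReplyTo`, but the attribute on a SAML Response that references the request is `InResponseTo`; please correct the name so readers can match it against the actual protocol messages. In the fourth paragraph, the static redirect URL on the SP is mentioned without naming the configuration option that sets it; name the option or link to its documentation, since an admin relying on this fallback needs it to avoid users landing nowhere after the unsolicited response. Wording in the new section also needs a pass: "Most SAML software crash fatally when users bookmarks the login page and returns later" should read "crashes ... bookmark ... return", "it fall-backs" and "IdP fall-back" should be "falls back", "successfull" is "successful", "a unsolicited" is "an unsolicited", "described in next section" is missing "the", and the second paragraph mixes "SimpleSAMLphp" with "simpleSAMLphp".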