Azure ACS - Relaying Party Application - ReturnURL with parameters?

StackOverflow https://stackoverflow.com/questions/11779674

  •  24-06-2021
  •  | 
  •  

Question

We're building an application which uses ACS. Our usage scenario looks like this:

  1. The user gets a URL like this one https://our.application.com/?requestId=123456 via email and clicks on it
  2. The user gets redirected to the LiveID login screen
  3. After logging in, ACS forwards the user to us, but to https://our.application.com/

Unfortunately, it seems that the "Return URL" setting in the "Relaying Party" on the "Access Control Service Portal" is just a fixed string. Is there a way to propagate the original request to it? If not, what would you suggest as a workaround?

Était-ce utile?

La solution

I believe the answer's no, and I would suggest using a cookie to store the parameter.

Autres conseils

The answer is actually yes, but not without a little work. In step 3, your return URL is being overridden by the one you have configured in your ACS RP by the default ACS login page. This is the page, which ACS hosts for you by default, where you choose your identity provider. (You may not always see it in the browser; it will redirect automatically if you only have one IDP configured.)

You can tell ACS to use a custom login page that you host yourself so that this original URL gets saved. You can download the default ACS login page from ACS portal as something to work off of.

The tricky part comes from the fact that different identity providers using different protocols use different mechanisms to save this original URL.

Some further discussion and code samples about this can be found here, and you might find further solutions to this problem elsewhere on the web:

How do I get the return URL working properly again after downloading a login page from Azure ACS?

If you want to provide a "returnUrl" via ACS + Microsoft Account you can query the ACS login pages via the IdentitiyProviders.js and pass a "context", e.g.: https://MyACS.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=MyRealm&reply_to=&context=foooobar&request_id=&version=1.0&callback=&wfresh=0

As a result you will get the Login-URL for Microsoft Account with the wctx parameter: https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=...&wp=MBI_FED_SSL&wctx=cHI9d3NmZWRlcmF0aW9uJnJtPXVybiUzYW9uZW9mZml4eCUzYWRldiUzYWRlZmF1bHQmY3g9Zm9vb29iYXI1 <-- foobar.

After the login process your configured returnUrl is invoked with the wctx parameter (in my example you will get "foobar").

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top