Status: Closed (adamretter closed this issue 1 year ago)
@adamretter You are completely right about this:

> The example controller.xql in the README.md file is incorrect and needs to be refactored so that checks (1) and (3) of the controller.xq ... are swapped.

I checked some working installations, and of course they have step 3 first. Clearly a documentation bug, thanks for reporting. Noted for upcoming overhaul.
In the README.md an example controller.xq file is given here, that follows the basic ordering of checks:

1. if no valid token, redirect to SAML auth
2. if logout, invalidate SAML token
3. handle SP endpoint to process SAML response in HTTP POST
4. else, your controller code...

Unfortunately, this is the wrong ordering of checks. If the above is followed, a never-ending loop occurs between the SP and IdP (via the User Agent).
To explain the never-ending loop:

- controller.xql (above) causes the initial redirect of the User Agent from the SP to the IdP (e.g. Microsoft Azure).
- controller.xql (above) AGAIN causes a redirect of the User Agent from the SP to the IdP (e.g. Microsoft Azure)... And so we go back to Step 1...

The example controller.xql in the README.md file is incorrect and needs to be refactored so that checks (1) and (3) of the controller.xq (at the top of this issue) are swapped. Ideally further checks should also be added to differentiate between HTTP GET and POST requests and the action that should be taken.
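To make the redirect loop described in this issue reproducible, the following is an added simulation of the controller's check ordering. It is not code from the README or from the project, and it is written in Python rather than XQuery so it can be run stand-alone: a minimal dispatcher runs the four checks in a given order, and a fake IdP round-trip feeds the resulting SAML POST back into the controller. The SP endpoint path `/saml/acs`, the request model and the symbolic action names are assumptions made for the simulation. Running the README ordering hits the hop limit with nothing but redirects; the ordering with checks (1) and (3) swapped completes the login, and the SP-endpoint check only fires on an HTTP POST, as the issue suggests.

```python
"""Constructed model of the controller.xql check ordering (not project code).

Each check is a function that inspects a request and either returns a
symbolic action or None to fall through to the next check. The simulated
User Agent then replays the IdP leg so the effect of the ordering can be
observed end to end.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SP_ENDPOINT = "/saml/acs"  # assumed SP (assertion consumer) endpoint path


@dataclass
class Request:
    method: str
    path: str
    has_valid_token: bool = False
    is_logout: bool = False
    saml_response: Optional[str] = None  # body of the IdP's HTTP POST, if any


def check_token(req: Request) -> Optional[str]:
    """Check (1): no valid token -> redirect the UA to the IdP."""
    return None if req.has_valid_token else "redirect-to-idp"


def check_logout(req: Request) -> Optional[str]:
    """Check (2): logout request -> invalidate the SAML token."""
    return "invalidate-token" if req.is_logout else None


def check_sp_endpoint(req: Request) -> Optional[str]:
    """Check (3): HTTP POST of a SAMLResponse to the SP endpoint.
    Restricting this to POST is the GET/POST distinction the issue asks for."""
    if req.method == "POST" and req.path == SP_ENDPOINT and req.saml_response:
        return "process-saml-response"
    return None


Check = Callable[[Request], Optional[str]]


def controller(req: Request, checks: List[Check]) -> str:
    """Run the checks in order; the first one that returns an action wins.
    Falling through all of them reaches check (4): the app's own code."""
    for check in checks:
        action = check(req)
        if action is not None:
            return action
    return "controller-code"


# Ordering as given in the README (check (1) before check (3)).
README_ORDER: List[Check] = [check_token, check_logout, check_sp_endpoint]
# Ordering with checks (1) and (3) swapped, as the issue proposes.
FIXED_ORDER: List[Check] = [check_sp_endpoint, check_logout, check_token]


def simulate_login(checks: List[Check], max_hops: int = 5) -> Tuple[List[str], bool]:
    """Drive an unauthenticated UA through SP -> IdP -> SP.

    Returns the sequence of controller actions and whether the hop limit was
    reached without ever serving the page (i.e. the flow looped).
    """
    actions: List[str] = []
    req = Request("GET", "/app/index.html")  # constructed initial page request
    for _ in range(max_hops):
        action = controller(req, checks)
        actions.append(action)
        if action == "redirect-to-idp":
            # Fake IdP leg: authenticate and POST a SAMLResponse to the SP endpoint.
            # The UA still has no SP token at this point.
            req = Request("POST", SP_ENDPOINT,
                          saml_response="<constructed SAMLResponse/>")
            continue
        if action == "process-saml-response":
            # SP accepts the response, issues a token, sends the UA back to the page.
            req = Request("GET", "/app/index.html", has_valid_token=True)
            continue
        return actions, False  # page served (or logout handled): no loop
    return actions, True


if __name__ == "__main__":
    for name, order in (("README order", README_ORDER), ("swapped order", FIXED_ORDER)):
        actions, looped = simulate_login(order)
        print(f"{name}: {' -> '.join(actions)}  looped={looped}")
```

The point the simulation makes is that under the README ordering the IdP's POST to the SP endpoint never reaches check (3), because check (1) sees "no valid token yet" and redirects again; putting check (3) first lets the response be consumed and a token issued before the token check runs.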