SAML login is setting 2 saml_request_path cookie


Level 1

I have created a custom AuthenticationInfoPostProcessor service so that I could set saml_request_path and redirect the authenticated user to the appropriate page. However, after authentication (i.e. after the /saml_login request), there are 2 saml_request_path cookies set in the response: one set to the value I'm setting in the custom AuthenticationInfoPostProcessor service and one with a value of null. The saml_request_path with the null value redirects to my homepage.


How do I set saml_request_path so that the user is redirected to the appropriate page? How do I prevent the second saml_request_path cookie from being added?

2 Replies


Community Advisor

Hi @ahnc 


I had previously worked on a similar requirement. The saml_request_path cookie is originally set in So avoid setting it in AuthenticationInfoPostProcessor.


What you can do is create a loginHook which implements AuthenticationHandler and overrides the requestCredentials method. Set your saml_request_path inside this method.


    public boolean requestCredentials(final HttpServletRequest httpServletRequest,
            final HttpServletResponse httpServletResponse) throws IOException {
        final int expiryTime = 60 * 60 * 60 * 24;
        LOGGER.debug("Login hook initialized");
        // Path of the page the user originally requested
        String pagePath = httpServletRequest.getRequestURI();

        String queryString = httpServletRequest.getQueryString();
        // ServletUtil is a helper class whose source is not shown in this post
        ServletUtil.createCookie("saml_request_path", pagePath, true, expiryTime, null, "/", false);

        // Delegate to the wrapped authentication handler
        return wrappedAuthHandler.requestCredentials(httpServletRequest, httpServletResponse);
    }

The above solution worked for me for this exact requirement. Hope it helps you too.





Level 1

Hi @JeevanRaj. Thanks for the suggestion. I implemented the login hook and some logging. I don't see requestCredentials during login. Most of our site does not require login. I assume requestCredentials method is only called when a page requires authentication, correct?


Is there a way to prevent AuthenticationHandler from setting saml_request_path cookie so that I can set it using a different method (e.g. sling request filter)?
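
An added diagnostic example (not part of the original thread or of AEM): it replays the Set-Cookie headers of a /saml_login response in order and reports which saml_request_path value a browser keeps, because under RFC 6265 a later cookie with the same name, domain and path replaces the earlier one. The sample headers, their order, the host `example.com` and the function names are constructed for illustration.

```python
from collections import defaultdict

COOKIE = "saml_request_path"

# Constructed sample of Set-Cookie headers; values and attributes are made up.
SAMPLE_HEADERS = [
    "saml_request_path=/content/site/en/account.html; Path=/; HttpOnly",
    "saml_request_path=null; Path=/; Secure; HttpOnly",
    "login-token=abc123; Path=/; HttpOnly",
]


def parse_set_cookie(header, request_host="example.com", request_path="/saml_login"):
    """Return (name, value, domain, path), applying RFC 6265 defaults."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # No Domain attribute: the cookie is bound to the request host.
    domain = attrs.get("domain", "").lstrip(".").lower() or request_host
    path = attrs.get("path", "")
    if not path.startswith("/"):
        # No usable Path attribute: default-path is the request URI's directory.
        path = request_path[: request_path.rfind("/")] or "/"
    return name.strip(), value.strip(), domain, path


def surviving_cookies(headers, cookie_name=COOKIE, **ctx):
    """Replay headers in order; the same (name, domain, path) key is overwritten.

    Expiry attributes (Max-Age, Expires) are ignored in this example.
    """
    store = {}
    history = defaultdict(list)
    for header in headers:
        name, value, domain, path = parse_set_cookie(header, **ctx)
        if name != cookie_name:
            continue
        key = (name, domain, path)
        store[key] = value
        history[key].append(value)
    # Values that were set earlier in the response and then replaced.
    overwritten = {k: v[:-1] for k, v in history.items() if len(v) > 1}
    return store, overwritten
```

If the two headers differ in Path or Domain, both cookies are stored and nothing is reported as overwritten.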