In Rails 7, a setting was changed/introduced that by default disallows redirects to external locations, unless `allow_other_host: true` is passed to the `redirect_to` call.
When the name identifier format is set to transient, devise_saml_authenticatable will redirect a user to do a SLO request at the IDP, which is an external host (in most cases). This is set as the `after_sign_out_path_for` for the user. However, the method that does the redirect (I believe `Devise::SessionsController#respond_to_on_destroy`) does not pass `allow_other_host`, so Rails 7 and up will raise an `UnsafeRedirectError` in this case.
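To make the failure mode concrete, here is an added example (not code from devise_saml_authenticatable, Devise, or Rails) that models the Rails 7 open-redirect guard in plain Ruby: a redirect whose host differs from the request host raises unless the caller opts in with `allow_other_host: true`. The service-provider host and the IdP SLO URL are constructed sample values, and the "current behaviour" function reflects the issue's description that the sign-out redirect does not pass the flag.

```ruby
require "uri"

# Constructed, simplified model of the Rails 7 open-redirect guard
# (raise_on_open_redirects). This is not Rails' own implementation.
class UnsafeRedirectError < StandardError; end

# A location is allowed when it is relative (no host) or targets the request host.
def url_host_allowed?(location, request_host)
  host = URI.parse(location).host
  host.nil? || host == request_host
rescue URI::InvalidURIError
  false
end

# Stand-in for redirect_to: returns the Location the response would carry,
# or raises the way ActionController does for an external host.
def guarded_redirect_to(location, request_host:, allow_other_host: false)
  unless allow_other_host || url_host_allowed?(location, request_host)
    raise UnsafeRedirectError,
          "Unsafe redirect to #{location.inspect}, pass allow_other_host: true to redirect anyway."
  end
  location
end

# Constructed sample hosts: the SP app and the IdP's SLO endpoint live on different hosts,
# which is the situation a transient NameID sign-out produces.
SP_HOST = "app.example.com"
IDP_SLO_URL = "https://idp.example.org/saml/slo?SAMLRequest=placeholder"

# Behaviour the issue describes: the sign-out redirect omits allow_other_host.
def sign_out_redirect_without_allow_other_host
  guarded_redirect_to(IDP_SLO_URL, request_host: SP_HOST)
end

# The change the issue implies: the SLO redirect must opt in explicitly.
def sign_out_redirect_with_allow_other_host
  guarded_redirect_to(IDP_SLO_URL, request_host: SP_HOST, allow_other_host: true)
end

# Report the outcome as a string so both paths can be compared in one call.
def sign_out_outcome(allow_other_host:)
  guarded_redirect_to(IDP_SLO_URL, request_host: SP_HOST, allow_other_host: allow_other_host)
rescue UnsafeRedirectError => e
  "UnsafeRedirectError: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts sign_out_outcome(allow_other_host: false)
  puts sign_out_outcome(allow_other_host: true)
  # A same-host or relative target is still allowed without the flag.
  puts guarded_redirect_to("/users/sign_in", request_host: SP_HOST)
end
```

In an application, the usual way to apply the opt-in (an assumption about how one would work around it, not a project-provided fix) is to subclass `Devise::SessionsController` and override `respond_to_on_destroy` so its `redirect_to` passes `allow_other_host: true` only for the SLO destination, keeping the guard in place for every other redirect.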