Handling of `came_from` with multiple PAS plugins and wcs.samlauth

Plone Support
1

We run a Plone site configured with wcs.samlauth against Azure AD, alongside some local Plone users. At times we email deep links to content that belongs to a specific user.

We’re seeing two issues:

  1. Unauthenticated requests are sent to Plone’s default login form instead of being redirected to Azure AD (which would be correct for ~99% of users).

  2. The came_from parameter doesn’t seem to survive the SAML/OIDC redirect flow.

Ideal behavior: Plone should redirect to the Azure AD login, carrying the original URL in came_from; after a successful login, Plone should honor came_from and take the user back to that original URL.

Is this achievable, and if so, what’s the recommended approach?

2

I’m happy to have a look!

Number 1:
The SAML auth plugin comes with a challenge option

Screenshot 2025-11-06 at 12.01.38 PM
Screenshot 2025-11-06 at 12.01.38 PM338×222 11.4 KB

But since you have multiple plugins enabled. It’s probably not clear which one to use there, resp. it might depend on the user.

To address Number 2:

There are basically two options:

  1. Store the came_from in a cookie/session (like pas.plugins.oidc does)
  2. Use SAML RelayState

In this case, I probably would prefer to use the SAML RelayState.
If that makes sense, I should be able to implement that soon.

1 Like
3

@zopyx Sorry, it took a minute to look into it.

If you have the challenge plugin activated, it should work just fine.

The plugin has a “require_login” view implemented, which should handle proper redirection.

This means you first end up on…
/acl_users/saml/require_login?came_from=…

This does a redirect to
/acl_users/saml/sls?came_from=...

And after a successful login via IDP the user ends up on the correct page.

I assume if you have multiple plugins you have to construct your own challenge plugin, or construct your own /acl_users/saml/sls?came_from... somehow?

Do you have some more infos about your setup/config?

4

Thanks for your work…right now, we flagged the related issue in our tracker as WONT FIX :clown_face:

5

Haha always a “solution“.

Reach out if I can improve the plugin! I’m happy to do so.