SSO Redirect Handling

From Documentation


SSO Redirect Handling



In this section, we assume you already know the basics of SSO (Single-Sign-On) flow like CAS web flow or Active Directory Federation Services.

AJAX Request Gets 302 Redirect

Redirect including SSO (Single-Sign-On) handling has always been a common challenge in Ajax, and that's no exception when it comes to ZK. You may have run into this error:

The response could not be parsed: Expected JSON format (please check console for details).
Unexpected token '<':

Or in an older ZK version:

The server is temporarily out of service.
Would you like to try again?

(Unexpected token < (SyntaxError))


It usually happens when:

  • session timeout
  • your access token is invalid for some reason

If you check developer tool > Network, you should see a 302 Redirect response on a ZK AU request:

Redirect302.jpg

If this happens, it's most likely you have a service that intercepts HTTP requests (e.g. a security filter) and redirects the AU request to a login page.

According to the HTTP specification, browsers will follow the 302 redirect to visit the target URL transparently. Browsers will receive the HTML content of the login page as the response to the AU request. However, ZK client engine expects a JSON format response for an AU request, not the HTML content, and therefore reporting the error.

Solution: Turn 302 to 403

Because of atomic HTTP redirect handling, browsers handle redirecting transparently, it's not something we can change on the ZK side. What we can do is to turn the 302 into 403 so that we can handle it properly.

First, configure your SSO server or the security filter to return the response code 403 Forbidden instead of 302 for the situation mentioned above (session expired or invalid access token).

Then, configure the error-reload Element, so that ZK can handle 403 by reloading the specified login page.

In some special set up, you might need to override javascript function zAu._fetch(). If you are not sure how to, please contact ZK support.

Library Customization Reference

Most SSO related frameworks/libraries provide customizable filters, here are some examples, please refer to the official and latest documents on their website:

Spring Security

Apache Shiro

CAS

OKTA

Version History

Last Update : 2021/09/08



Copyright © Potix Corporation. This article is licensed under GNU Free Documentation License.