/
Unable to verify returning website

Unable to verify returning website

Owned by Zacharias Törnblom
Last updated: Mar 14, 2025
2 min read

Why am I seeing this message?

The message “Unable to verify returning website” means that SeamlesAccess was not able to confirm that the website address the user will return to after logging in is a valid one.

SeamlessAccess checks the validity of the website address by comparing the address against the information the service provider has given the identity federation they are connected to. This information is called “metadata”, and we trust this information because there are checks in place for who can update this information.

Should I not complete my login if I see this message?

SeamlessAccess informs the user that the website address the service provider is sending them to is not confirmed against the information in the metadata. This is done for increased transparency towards the user. SeamlessAccess is however not making any recommendations for what the user should do.

I’m a service provider - what can I do to fix the issue?

As a service provider you can ensure that the address you have set for the user to return to is matching the one provided to your identity federation. Once these two addresses match, and the metadata has been updated, SeamlessAccess will no longer show this message to users accessing the service.

Since 2025-03-12 SeamlessAccess checks that the returnurl is part of one of the DiscoveryResponse in SP metadata.

If you see a box with "Unable to verify returning website" the URL:s ar not matching.

How to fix the problem ?

Shibboleth SP

  1. Download new metadata from https://<sp>/Shibboleth.sso/Metadata

  2. Publish it to your identity federation

Satosa

  1. Fetch backend.xml

    1. Run satosa-saml-metadata proxy_conf.yaml ${DATA_DIR}/metadata.key ${DATA_DIR}/metadata.crt --dir /tmp and then fetch /tmp/backend.xml

  2. Publish it to your identity federation

Find out which URL to add

  1. Run a loginflow via http://SeamlessAccess.org

  2. Check the URL. Should look like "https://service.seamlessaccess.org/ds/?entityID=https%3A%2F%2Frelease-check.swamid.se%2Fshibboleth&return=https%3A%2F%2Frelease-check.swamid.se%2FShibboleth.Sso%2FDS%2Fseamless-access%3FSAMLDS%3D1%26target%3Dss%253Amem%253A4ddbae64f51c70036e5af8c8955a08cb36f6a18620103a2515c7f6878744d863"

  3. Copy the return parameter (https%3A%2F%2Frelease-check.swamid.se%2FShibboleth.Sso%2FDS%2Fseamless-access%3FSAMLDS%3D1%26target%3Dss%253Amem%253A4ddbae64f51c70036e5af8c8955a08cb36f6a18620103a2515c7f6878744d863 in this case)

  4. URLdecode (gets https://release-check.swamid.se/Shibboleth.Sso/DS/seamless-access?SAMLDS=1&target=ss%3Amem%3A4ddbae64f51c70036e5af8c8955a08cb36f6a18620103a2515c7f6878744d863)

  5. Some SP:s like Shibboleth add uniq info at the end after a ?, remove that to get the base of DiscoveryResponse (gets https://release-check.swamid.se/Shibboleth.Sso/DS/seamless-access)

  6. Copy this URL

Standard URL:s

The following URL:s ar the default we have found for different softwares. Use them as suggestions / to verify the URL you got above

  • Shibboleth - https://<sp>/Shibboleth.sso/Login

  • Satosa - https://<sp>/Saml2SP/disco

  • SimpleSAMLphp - https://<sp>/simplesaml/module.php/saml/sp/discoresp.php

    • If your version of SimpleSAML doesn’t have this support, the fallback is to add this information manually

  • Canvas - https://<sp>/login/saml

Related content