OpenConext · kayjoosten · Jun 22, 2026 · Jun 22, 2026
diff --git a/config/reference.php b/config/reference.php
diff --git a/config/services/ci/controllers.yml b/config/services/ci/controllers.yml
@@ -50,6 +50,7 @@ services:
             - '@OpenConext\EngineBlock\Validator\UnsolicitedSsoRequestValidator'
             - '@OpenConext\EngineBlock\Service\AuthenticationStateHelper'
             - '@engineblock.functional_testing.fixture.features'
+            - '@router'
 
     engineblock.functional_test.controller.sbs:
         class: OpenConext\EngineBlockFunctionalTestingBundle\Controllers\SbsController

diff --git a/config/services/ci/services.yml b/config/services/ci/services.yml
@@ -149,6 +149,13 @@ services:
             - '@engineblock.functional_testing.fixture.features'
             - '%stepup.sfo.override_engine_entityid%'
 
+    OpenConext\EngineBlockBundle\Twig\Extensions\Extension\Wayf:
+        autoconfigure: true
+        arguments:
+            - '@request_stack'
+            - '@translator'
+            - '@engineblock.functional_testing.fixture.features'
+
     OpenConext\EngineBlockBundle\Twig\Extensions\Extension\FunctionalTestingGlobalSiteNotice:
         autoconfigure: true
         arguments:

diff --git a/config/services/controllers/authentication.yml b/config/services/controllers/authentication.yml
@@ -22,6 +22,7 @@ services:
             - '@OpenConext\EngineBlock\Validator\UnsolicitedSsoRequestValidator'
             - '@OpenConext\EngineBlock\Service\AuthenticationStateHelper'
             - '@OpenConext\EngineBlockBundle\Configuration\FeatureConfiguration'
+            - '@router'
 
     OpenConext\EngineBlockBundle\Controller\IndexController:
         arguments:

diff --git a/languages/messages.en.php b/languages/messages.en.php
@@ -234,6 +234,8 @@
     'error_authentication_limit_exceeded' => 'Error - too many authentications in progress',
     'error_authentication_limit_exceeded_desc' => 'Too many authentications in progress',
     'error_no_authentication_request_received' => 'Error - No authentication request received.',
+    'error_bookmarked_page'      => 'Error - This page no longer exists',
+    'error_bookmarked_page_desc' => 'The page you are trying to visit no longer exists. You probably saved a bookmark, but unfortunately that doesn\'t work. Search for the correct link to the application you want to log in to in order to gain access.',
     'error_authn_context_class_ref_blacklisted'                     => 'Error - AuthnContextClassRef value is not allowed',
     'error_authn_context_class_ref_blacklisted_desc'                => 'You cannot login because %idpName% sent a value for AuthnContextClassRef that is not allowed. Please contact the service desk of %idpName% to solve this.',
     'error_authn_context_class_ref_blacklisted_desc_no_idp_name'                => 'You cannot login because your %organisationNoun% sent a value for AuthnContextClassRef that is not allowed. Please contact the service desk of your %organisationNoun% to solve this.',

diff --git a/languages/messages.nl.php b/languages/messages.nl.php
@@ -231,6 +231,8 @@
     'error_authentication_limit_exceeded' => 'Fout - teveel onafgeronde authenticaties tegelijkertijd.',
     'error_authentication_limit_exceeded_desc' => 'Teveel onafgeronde authenticaties tegelijkertijd.',
     'error_no_authentication_request_received' => 'Fout - Geen authenticatie-aanvraag ontvangen.',
+    'error_bookmarked_page'      => 'Fout - Deze pagina bestaat niet meer',
+    'error_bookmarked_page_desc' => 'De pagina die je probeert te bezoeken bestaat niet meer. Waarschijnlijk heb je de pagina als bladwijzer opgeslagen, maar dat werkt helaas niet. Zoek de juiste link naar de applicatie waarop je wilt inloggen om toegang te krijgen.',
     'error_authn_context_class_ref_blacklisted' => 'Fout - Waarde van AuthnContextClassRef is niet toegestaan',
     'error_authn_context_class_ref_blacklisted_desc' => 'Je kunt niet inloggen omdat %idpName% een waarde stuurde voor AuthnContextClassRef die niet is toegestaan. Neem contact op met de helpdesk van %idpName% om dit op te lossen.',
     'error_authn_context_class_ref_blacklisted_desc_no_idp_name' => 'Je kunt niet inloggen omdat je %organisationNoun% een waarde stuurde voor AuthnContextClassRef die niet is toegestaan. Neem contact op met de helpdesk van je %organisationNoun% om dit op te lossen.',

diff --git a/languages/messages.pt.php b/languages/messages.pt.php
@@ -231,6 +231,8 @@
     'error_invalid_mfa_authn_context_class_ref_desc' => '<p>A %idpName% requer segurança adicional para este serviço, por meio de um segundo fator de autenticação (2FA). No entanto, o seu segundo fator de autenticação não pôde ser verificado. Entre em contato com o suporte da %idpName% para validar esta situação.</p>',
     'error_invalid_mfa_authn_context_class_ref_desc_no_idp_name' => '<p>A sua %organisationNoun% requer segurança adicional para este serviço, por meio de um segundo fator de autenticação (2FA). No entanto, o seu segundo fator de autenticação não pôde ser verificado. Entre em contato com o suporte da sua %organisationNoun% para validar esta situação.</p>',
     'error_no_authentication_request_received' => 'Não foi recebida nenhuma solicitação de autenticação.',
+    'error_bookmarked_page'      => 'Erro - Esta página já não existe',
+    'error_bookmarked_page_desc' => 'A página que está a tentar visitar já não existe. Provavelmente guardou um marcador, mas infelizmente isso não funciona. Procure o link correto para a aplicação em que pretende iniciar sessão para obter acesso.',
     /**
      * %1 AttributeName
      * %2 Options

diff --git a/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php b/src/OpenConext/EngineBlockBundle/Configuration/TestFeatureConfiguration.php
@@ -48,7 +48,7 @@ public function __construct()
         $this->setFeature(new Feature('eb.feature_enable_idp_initiated_flow', true));
         $this->setFeature(new Feature('eb.stepup.send_user_attributes', true));
         $this->setFeature(new Feature('eb.feature_enable_sram_interrupt', true));
-        $this->setFeature(new Feature('eb.hide_bookmarkable_url', false));
+        $this->setFeature(new Feature('eb.hide_bookmarkable_url', true));
     }
 
     public function setFeature(Feature $feature): void

diff --git a/src/OpenConext/EngineBlockBundle/Controller/FeedbackController.php b/src/OpenConext/EngineBlockBundle/Controller/FeedbackController.php
@@ -153,6 +153,15 @@ public function __construct(
         ],
         methods: ['GET']
     )]
+    #[Route(
+        path: '/authentication/feedback/bookmarked-page',
+        name: 'authentication_feedback_bookmarked_page',
+        defaults: [
+            'pageIdentifier' => 'bookmarked-page',
+            'statusCode' => 400
+        ],
+        methods: ['GET']
+    )]
     public function feedbackAction(string $pageIdentifier, int $statusCode): Response
     {
         return new Response(

diff --git a/src/OpenConext/EngineBlockBundle/Controller/IdentityProviderController.php b/src/OpenConext/EngineBlockBundle/Controller/IdentityProviderController.php
@@ -26,17 +26,22 @@
 use OpenConext\EngineBlockBridge\ResponseFactory;
 use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Twig\Environment;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects) Due to the compatibility requirements
+ * @SuppressWarnings(PHPMD.ExcessiveParameterList) Due to the compatibility requirements
  */
 class IdentityProviderController implements AuthenticationLoopThrottlingController
 {
+    private const FEEDBACK_BOOKMARK = 'bookmark';
+
     /**
      * @var EngineBlock_ApplicationSingleton
      */
@@ -82,6 +87,11 @@ class IdentityProviderController implements AuthenticationLoopThrottlingControll
      */
     private $featureConfiguration;
 
+    /**
+     * @var UrlGeneratorInterface
+     */
+    private $urlGenerator;
+
     public function __construct(
         EngineBlock_ApplicationSingleton $engineBlockApplicationSingleton,
         Environment $twig,
@@ -91,7 +101,8 @@ public function __construct(
         RequestValidator $bindingValidator,
         RequestValidator $unsolicitedRequestValidator,
         AuthenticationStateHelperInterface $authenticationStateHelper,
-        FeatureConfigurationInterface $featureConfiguration
+        FeatureConfigurationInterface $featureConfiguration,
+        UrlGeneratorInterface $urlGenerator
     ) {
         $this->engineBlockApplicationSingleton = $engineBlockApplicationSingleton;
         $this->twig = $twig;
@@ -102,6 +113,7 @@ public function __construct(
         $this->unsolicitedRequestValidator = $unsolicitedRequestValidator;
         $this->authenticationStateHelper = $authenticationStateHelper;
         $this->featureConfiguration = $featureConfiguration;
+        $this->urlGenerator = $urlGenerator;
     }
 
     /**
@@ -122,6 +134,12 @@ public function __construct(
     #[Route(path: '/authentication/idp/single-sign-on/{idpHash}', name: 'authentication_idp_sso_idphash', methods: ['GET', 'POST'])]
     public function singleSignOnAction(Request $request, ?string $keyId = null, ?string $idpHash = null)
     {
+        if ($request->query->get('feedback') === self::FEEDBACK_BOOKMARK) {
+            return new RedirectResponse(
+                $this->urlGenerator->generate('authentication_feedback_bookmarked_page', [], UrlGeneratorInterface::ABSOLUTE_PATH)
+            );
+        }
+
         $this->requestValidator->isValid($request);
         $this->bindingValidator->isValid($request);
 

diff --git a/src/OpenConext/EngineBlockBundle/EventListener/RedirectToFeedbackPageExceptionListener.php b/src/OpenConext/EngineBlockBundle/EventListener/RedirectToFeedbackPageExceptionListener.php
@@ -207,7 +207,7 @@ public function onKernelException(ExceptionEvent $event)
             $redirectToRoute = 'authentication_feedback_authentication_limit_exceeded';
         } elseif ($exception instanceof InvalidRequestMethodException ||
             $exception instanceof InvalidBindingException ||
-            $exception instanceof  MissingParameterException
+            $exception instanceof MissingParameterException
         ) {
             $message = $exception->getMessage();
             $event->getRequest()->getSession()->set('feedback_custom', $exception->getMessage());

diff --git a/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/HideBookmarkableUrl.feature b/src/OpenConext/EngineBlockFunctionalTestingBundle/Features/HideBookmarkableUrl.feature
@@ -14,3 +14,20 @@ Feature:
     When I log in at "Dummy SP"
      And I go to Engineblock URL "/authentication/idp/single-sign-on"
     Then I should see "The parameter \"SAMLRequest\" is missing on the SAML SSO request"
+
+  Scenario: Visiting a bookmarked WAYF URL shows the bookmark error page
+    When I log in at "Dummy SP"
+     And I go to Engineblock URL "/authentication/idp/single-sign-on?feedback=bookmark"
+    Then I should see "This page no longer exists"
+
+  Scenario: WAYF page includes hideBookmarkableUrl true in config when feature flag is enabled
+    Given feature "eb.hide_bookmarkable_url" is enabled
+      And an Identity Provider named "Second Idp"
+    When I log in at "Dummy SP"
+    Then the response should contain '"hideBookmarkableUrl": true'
+
+  Scenario: WAYF page includes hideBookmarkableUrl false in config when feature flag is disabled
+    Given feature "eb.hide_bookmarkable_url" is disabled
+      And an Identity Provider named "Second Idp"
+    When I log in at "Dummy SP"
+    Then the response should contain '"hideBookmarkableUrl": false'
diff --git a/tests/unit/OpenConext/EngineBlockBundle/Controller/IdentityProviderControllerTest.php b/tests/unit/OpenConext/EngineBlockBundle/Controller/IdentityProviderControllerTest.php
@@ -33,6 +33,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Twig\Environment;
 
 class IdentityProviderControllerTest extends TestCase
@@ -50,7 +51,8 @@ private function buildController(?RequestValidator $requestValidator = null): Id
             Mockery::mock(RequestValidator::class),
             Mockery::mock(RequestValidator::class),
             Mockery::mock(AuthenticationStateHelperInterface::class),
-            Mockery::mock(FeatureConfigurationInterface::class)
+            Mockery::mock(FeatureConfigurationInterface::class),
+            Mockery::mock(UrlGeneratorInterface::class)
         );
     }
 

diff --git a/theme/base/javascripts/wayf/hideBookmarkableUrl.js b/theme/base/javascripts/wayf/hideBookmarkableUrl.js
@@ -1,10 +1,18 @@
+import {configurationId} from '../selectors';
+
 export const hideBookmarkableUrl = () => {
-  const configEl = document.getElementById('wayf-configuration');
+  const configEl = document.getElementById(configurationId);
   if (!configEl) {
     return;
   }
 
-  const config = JSON.parse(configEl.innerHTML);
+  let config;
+  try {
+    config = JSON.parse(configEl.innerHTML);
+  } catch (e) {
+    return;
+  }
+
   if (!config.hideBookmarkableUrl) {
     return;
   }