Forced reauthentication after html button click

920 views
Skip to first unread message

Jan Chvojka

unread,
Jan 6, 2010, 8:10:26 AM1/6/10
to simple...@googlegroups.com
Hello.

I have web application in php protected with simpleSAML. I need forced
reauthentication when user clicks on button on specific html page in my
application. Have you an idea, how to do it? Any suggestion helps.

Best regards

Jan Chvojka

Olav Morken

unread,
Jan 6, 2010, 9:42:14 AM1/6/10
to simple...@googlegroups.com
On Wed, Jan 06, 2010 at 14:10:26 +0100, Jan Chvojka wrote:
> Hello.
>
> I have web application in php protected with simpleSAML. I need
> forced reauthentication when user clicks on button on specific html
> page in my application. Have you an idea, how to do it? Any
> suggestion helps.

You can force reauthentication by using the following code, but there
is currently no way to detect that the responce is received as a result
of that forced authentication:

$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->login(array(
'saml:ForceAuthn' => TRUE,
));

Unfortunately, the user can bypass this by starting a normal
authentication afterwards.

A workaround is to configure two SPs. One with 'ForceAuthn' set
to TRUE in config/authsources.php, and a different without that set.
When you need the user to authenticate again, you can switch to the
other SP.

authsources.php:

'default-sp' => array(
'saml:SP',
),
'forceauth-sp' => array(
'saml:SP',
'ForceAuthn' => TRUE,
),

Then you would normally just use:

$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->requireAuth();

But when you need to validate the username & password again, you would
use:

$auth = new SimpleSAML_Auth_Simple('forceauth-sp');
$auth->requireAuth();


I will try to add some code to make it possible without an workaround,
but I don't know how when I will have time to do that. For now, I have
added an issue to the issue tracker:

http://code.google.com/p/simplesamlphp/issues/detail?id=255

--
Olav Morken

Jan Chvojka

unread,
Jan 7, 2010, 7:12:19 AM1/7/10
to simple...@googlegroups.com
Hello.

I tried to run followed piece of code, but:

in firefox/linux it never returns from endless redirecting between my
server and IdP

in firefox/windows it ends with error "You accessed the Assertion
Consumer Service interface, but did ot provide a SAML Authentication
Response.

<code>
<?php

if($_POST['ok'] == "Ok") {
$path = ini_get('include_path');
$path .= PATH_SEPARATOR . '/usr/share/simplesamlphp/lib/';
ini_set('include_path', $path);
require_once '_autoload.php';

SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/lib/config');


$auth = new SimpleSAML_Auth_Simple('default-sp');

$auth->requireAuth($opt);
}
else {
?>

<html>
<head></head>
<body>
<form action="" method="POST">
<input type="submit" name="ok" value="Ok">
</form>
</body>
</html>

<?php
}
?>
</code>

Have you ever seen this error? What I'am doing wrong?


Best regards

Jan Chvojka


Olav Morken

unread,
Jan 7, 2010, 7:29:59 AM1/7/10
to simple...@googlegroups.com
On Thu, Jan 07, 2010 at 13:12:19 +0100, Jan Chvojka wrote:
> Hello.
>
> I tried to run followed piece of code, but:
>
> in firefox/linux it never returns from endless redirecting between
> my server and IdP
>
> in firefox/windows it ends with error "You accessed the Assertion
> Consumer Service interface, but did ot provide a SAML Authentication
> Response.
>
> <code>
> <?php
>
> if($_POST['ok'] == "Ok") {

Instead of these four lines:

> $path = ini_get('include_path');
> $path .= PATH_SEPARATOR . '/usr/share/simplesamlphp/lib/';
> ini_set('include_path', $path);
> require_once '_autoload.php';

You should use:

require_once('/usr/share/simplesamlphp/lib/_autoload.php');

>
> SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/lib/config');

Do you really want to save the configuration in 'lib/config/' instead
of 'config/'? If you want to use a non-standard configuration
directory, you must also update update 'www/_include.php'. Otherwise
you will end up two different configuration directories in use.

If you use '/usr/share/simplesamlphp/config' for configuration, you
can remove the setConfigDir-call, since that is the default.

--
Olav Morken

Jan Chvojka

unread,
Jan 7, 2010, 7:41:47 AM1/7/10
to simple...@googlegroups.com
Hello.

I rewrote code as you advised, but unfortunately still the same result.
Any help, please?

Rewrited code:

<code>
<?php

if($_POST['ok'] == "Ok") {

require_once '/usr/share/simplesamlphp/lib/_autoload.php';
SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/config');


$auth = new SimpleSAML_Auth_Simple('default-sp');

$auth->requireAuth();

}
else {
?>

<html>
<head></head>
<body>
<form action="" method="POST">
<input type="submit" name="ok" value="Ok">
</form>
</body>
</html>

<?php
}
?>
</code>


Best regards

Jan Chvojka

Olav Morken

unread,
Jan 7, 2010, 7:46:47 AM1/7/10
to simple...@googlegroups.com
On Thu, Jan 07, 2010 at 13:41:47 +0100, Jan Chvojka wrote:
> Hello.
>
> I rewrote code as you advised, but unfortunately still the same
> result. Any help, please?

Have you looked at the log files? '/var/log/syslog',
'/var/log/messages', or something like that.

Also, you may find something relevant logged by php, probably in
'/var/log/apache/error.log' or something like that.


When using the default path, you can delete this line:

> SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/config');

It shouldn't cause any problems, but it shouldn't be required either.

--
Olav Morken

Jan Chvojka

unread,
Jan 7, 2010, 12:12:22 PM1/7/10
to simple...@googlegroups.com
Hello.


In /var/log/messages is increasing amount of entries (url are hiddened):

<code>
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/ https://x.x.x/idp/shibboleth NA

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/
https://whoami.cesnet.cz/idp/shibboleth NA

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP

Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/
https://whoami.cesnet.cz/idp/shibboleth NA

Jan 7 16:31:14 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService
</code>


I think the problem is in class SimpleSAML_Auth_Default, function
initLogin. In code

<code>
try {
$as->authenticate($state);
} catch (SimpleSAML_Error_Exception $e) {
SimpleSAML_Auth_State::throwException($state, $e);
} catch (Exception $e) {
$e = new SimpleSAML_Error_UnserializableException($e);
SimpleSAML_Auth_State::throwException($state, $e);
}

self::loginCompleted($state);
</code>

is line self::loginCompleted($state); never executed nor exception is
catched. It seems that process somewhere dies in
$as->authenticate($state); Unfortunately, I have no idea, how to fix it.

Thank you for your time,

best regards,

Jan Chvojka


Olav Morken

unread,
Jan 8, 2010, 7:28:37 AM1/8/10
to simple...@googlegroups.com

The login operation was successful at least, but the log doesn't say
anything about why the login operation is restarted. Could you increase
the log level? Try to set 'logging.level' to LOG_DEBUG in config.php.

> I think the problem is in class SimpleSAML_Auth_Default, function
> initLogin. In code
>
> <code>
> try {
> $as->authenticate($state);
> } catch (SimpleSAML_Error_Exception $e) {
> SimpleSAML_Auth_State::throwException($state, $e);
> } catch (Exception $e) {
> $e = new SimpleSAML_Error_UnserializableException($e);
> SimpleSAML_Auth_State::throwException($state, $e);
> }
>
> self::loginCompleted($state);
> </code>
>
> is line self::loginCompleted($state); never executed nor exception
> is catched. It seems that process somewhere dies in
> $as->authenticate($state); Unfortunately, I have no idea, how to fix
> it.

What you are seeing is the normal behaviour. That function never
returns during SAML authentication. Instead, it exits with a redirect
to the IdP. The process is restarted from the AssertionConsumerService.

--
Olav Morken

Eric van Eldik

unread,
Feb 3, 2014, 6:34:34 AM2/3/14
to simple...@googlegroups.com, olav....@uninett.no

Thanx this helped me out  a lot, I used "'ForceAuthn' => TRUE," in /config/authsources.php to make sure people have to login everytime they hit the login.


Op woensdag 6 januari 2010 15:42:14 UTC+1 schreef Olav Morken:
Reply all
Reply to author
Forward
0 new messages