I have web application in php protected with simpleSAML. I need forced
reauthentication when user clicks on button on specific html page in my
application. Have you an idea, how to do it? Any suggestion helps.
Best regards
Jan Chvojka
You can force reauthentication by using the following code, but there
is currently no way to detect that the responce is received as a result
of that forced authentication:
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->login(array(
'saml:ForceAuthn' => TRUE,
));
Unfortunately, the user can bypass this by starting a normal
authentication afterwards.
A workaround is to configure two SPs. One with 'ForceAuthn' set
to TRUE in config/authsources.php, and a different without that set.
When you need the user to authenticate again, you can switch to the
other SP.
authsources.php:
'default-sp' => array(
'saml:SP',
),
'forceauth-sp' => array(
'saml:SP',
'ForceAuthn' => TRUE,
),
Then you would normally just use:
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->requireAuth();
But when you need to validate the username & password again, you would
use:
$auth = new SimpleSAML_Auth_Simple('forceauth-sp');
$auth->requireAuth();
I will try to add some code to make it possible without an workaround,
but I don't know how when I will have time to do that. For now, I have
added an issue to the issue tracker:
http://code.google.com/p/simplesamlphp/issues/detail?id=255
--
Olav Morken
I tried to run followed piece of code, but:
in firefox/linux it never returns from endless redirecting between my
server and IdP
in firefox/windows it ends with error "You accessed the Assertion
Consumer Service interface, but did ot provide a SAML Authentication
Response.
<code>
<?php
if($_POST['ok'] == "Ok") {
$path = ini_get('include_path');
$path .= PATH_SEPARATOR . '/usr/share/simplesamlphp/lib/';
ini_set('include_path', $path);
require_once '_autoload.php';
SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/lib/config');
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->requireAuth($opt);
}
else {
?>
<html>
<head></head>
<body>
<form action="" method="POST">
<input type="submit" name="ok" value="Ok">
</form>
</body>
</html>
<?php
}
?>
</code>
Have you ever seen this error? What I'am doing wrong?
Best regards
Jan Chvojka
Instead of these four lines:
> $path = ini_get('include_path');
> $path .= PATH_SEPARATOR . '/usr/share/simplesamlphp/lib/';
> ini_set('include_path', $path);
> require_once '_autoload.php';
You should use:
require_once('/usr/share/simplesamlphp/lib/_autoload.php');
>
> SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/lib/config');
Do you really want to save the configuration in 'lib/config/' instead
of 'config/'? If you want to use a non-standard configuration
directory, you must also update update 'www/_include.php'. Otherwise
you will end up two different configuration directories in use.
If you use '/usr/share/simplesamlphp/config' for configuration, you
can remove the setConfigDir-call, since that is the default.
--
Olav Morken
I rewrote code as you advised, but unfortunately still the same result.
Any help, please?
Rewrited code:
<code>
<?php
if($_POST['ok'] == "Ok") {
require_once '/usr/share/simplesamlphp/lib/_autoload.php';
SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/config');
$auth = new SimpleSAML_Auth_Simple('default-sp');
$auth->requireAuth();
}
else {
?>
<html>
<head></head>
<body>
<form action="" method="POST">
<input type="submit" name="ok" value="Ok">
</form>
</body>
</html>
<?php
}
?>
</code>
Best regards
Jan Chvojka
Have you looked at the log files? '/var/log/syslog',
'/var/log/messages', or something like that.
Also, you may find something relevant logged by php, probably in
'/var/log/apache/error.log' or something like that.
When using the default path, you can delete this line:
> SimpleSAML_Configuration::setConfigDir('/usr/share/simplesamlphp/config');
It shouldn't cause any problems, but it shouldn't be required either.
--
Olav Morken
In /var/log/messages is increasing amount of entries (url are hiddened):
<code>
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/ https://x.x.x/idp/shibboleth NA
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/
https://whoami.cesnet.cz/idp/shibboleth NA
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Successful response from IdP
Jan 7 16:31:13 tcs-p simplesamlphp[29698]: 5 STAT [4833ad0e57]
saml20-sp-SSO https://x.x.x/simplesaml/
https://whoami.cesnet.cz/idp/shibboleth NA
Jan 7 16:31:14 tcs-p simplesamlphp[29698]: 6 [4833ad0e57] SAML2.0 -
SP.AssertionConsumerService: Accessing SAML 2.0 SP endpoint
AssertionConsumerService
</code>
I think the problem is in class SimpleSAML_Auth_Default, function
initLogin. In code
<code>
try {
$as->authenticate($state);
} catch (SimpleSAML_Error_Exception $e) {
SimpleSAML_Auth_State::throwException($state, $e);
} catch (Exception $e) {
$e = new SimpleSAML_Error_UnserializableException($e);
SimpleSAML_Auth_State::throwException($state, $e);
}
self::loginCompleted($state);
</code>
is line self::loginCompleted($state); never executed nor exception is
catched. It seems that process somewhere dies in
$as->authenticate($state); Unfortunately, I have no idea, how to fix it.
Thank you for your time,
best regards,
Jan Chvojka
The login operation was successful at least, but the log doesn't say
anything about why the login operation is restarted. Could you increase
the log level? Try to set 'logging.level' to LOG_DEBUG in config.php.
> I think the problem is in class SimpleSAML_Auth_Default, function
> initLogin. In code
>
> <code>
> try {
> $as->authenticate($state);
> } catch (SimpleSAML_Error_Exception $e) {
> SimpleSAML_Auth_State::throwException($state, $e);
> } catch (Exception $e) {
> $e = new SimpleSAML_Error_UnserializableException($e);
> SimpleSAML_Auth_State::throwException($state, $e);
> }
>
> self::loginCompleted($state);
> </code>
>
> is line self::loginCompleted($state); never executed nor exception
> is catched. It seems that process somewhere dies in
> $as->authenticate($state); Unfortunately, I have no idea, how to fix
> it.
What you are seeing is the normal behaviour. That function never
returns during SAML authentication. Instead, it exits with a redirect
to the IdP. The process is restarted from the AssertionConsumerService.
--
Olav Morken