Select source on multiauth


Jeremy Hutchings

Apr 24, 2013, 12:36:05 AM
to simple...@googlegroups.com
Hi all,

I'm having a few issues getting a source select on a multiauth to work.

I can get a login URL from the SP and land on the IdP and then auth fine ......... though I know which method I want, and would like to add the ?source=facebook so the user doesn’t have to choose.

I've gone through this a few times: http://simplesamlphp.org/docs/1.10/multiauth:multiauth

Though which redirections is it talking about here:

"but this works only if you don't have redirections during the authentification process."


Anyone have any clues, or been through this before?


Thanks

J

Jeremy Hutchings

May 1, 2013, 1:32:15 PM
to simple...@googlegroups.com
It appears that the generated link of:

http://sp.example.com/auth/module.php/core/as_login.php?AuthId=multiauth&ReturnTo=http%3A%2F%2Fsp/example.com%2Fdashboard&source=facebook">my facebook link</a>

Doesn't pass the param to anywhere in $lots.

http://login.example.com/auth/module.php/multiauth/selectsource.php?AuthState={$lots}


Anyone worked with this before?

Thanks
J

Laas Toom

May 2, 2013, 3:05:21 AM
to simple...@googlegroups.com
Hi, Jeremy!


Multiauth supports GET parameter 'source' which it passes to the 'selectsource.php' redirect which then defaults to that source automatically.
You should be able to generate URL with the source parameter:


And if multiauth is configured as the default auth source, it should redirect you to the appropriate auth source page.

NOTE: I've tested it on my slightly modified multiauth setup, but the 'source' param is from the vanilla code and should work for you too.

--
Laas Toom




--
You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
To post to this group, send email to simple...@googlegroups.com.
Visit this group at http://groups.google.com/group/simplesamlphp?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Jeremy Hutchings

May 2, 2013, 12:05:22 PM
to simple...@googlegroups.com
Hey Laas,

Thanks for helping out !

The current flow I have is sp.example.com -> idp.example.com -> facebook (and then back with the auth).

Clicking through it all works fine, though it gives the multiselect page on the idp, when I know it's Facebook that is wanted (i.e. they've clicked the "sign in with facebook" link), hence me investigating source= to improve the user experience.

Using getLoginURL : http://simplesamlphp.org/docs/1.10/simplesamlphp-sp-api#section_8

Gives me a link that gets me to the IDP of course, though appending any "&source=facebook" there (to the loginURL), gets stripped.

The manual does mention if you're using redirects it won't work, though I'm not sure "which" redirect it's referring to atm.

Cheers
Jeremy

Laas Toom

May 3, 2013, 2:54:48 AM
to simple...@googlegroups.com

On 02.05.2013, at 19:05, Jeremy Hutchings <em...@jeremyhutchings.com> wrote:

> Using getLoginURL : http://simplesamlphp.org/docs/1.10/simplesamlphp-sp-api#section_8
>
> Gives me a link gets me to the IDP of course, though appending any "&source=facebook" there (to the loginURL), gets stripped.

Sorry, I did not think through that you would need to use SP-side APIs to construct this URL.
The problem is that MultiAuth takes the 'source' attribute directly from  $_GET, therefore it needs to be a direct parameter of the redirect URL (and not part of the request).

The quickest fix for you would be to patch HTTPRedirect::getRedirectURL() method which is responsible for building the URL. Just add:

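// Forward 'source' only when present, URL-encoded so it cannot add extra query parameters.
if (isset($_GET['source']) && is_string($_GET['source'])) { $msg .= '&source=' . urlencode($_GET['source']); }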

Right before the $msg is appended to $destination and you should be on your way.


NOTE: this will break upgradability to upstream, as you would need to patch every time.

PS. Of course the proper way would probably be to move the param from $_GET into $state right in 'as_login.php' (which is the entry point) and extract it somewhere later, but HTTPRedirect does not get to see $state, only SAML2_Message instance.

Maybe somebody from the dev team can point out a better way to resolve it.

Best,
Laas Toom

Jeremy Hutchings

May 17, 2013, 5:57:04 PM
to simple...@googlegroups.com
I've ended up making it part of the return URL and detecting that in the URL in selectsource.php and switching $source as it seems it can't be passed through with a redirect.

Cheers for the ideas though.


--
_________________________
Cheers
Jeremy Hutchings
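
The approach described in the post above (carrying the preferred source in the return URL and reading it back in selectsource.php), as an added example that is not part of the original thread or of SimpleSAMLphp's own code. The function name, the source IDs and the sample URLs are assumptions; the value is accepted only if it matches a configured source ID.

```php
<?php
// Added example: hypothetical helper, not SimpleSAMLphp code.
// Picks a preselected auth source out of a return URL, accepting only
// IDs that are configured for the multiauth source.

/**
 * @param string   $returnTo       Return URL carried through the login flow.
 * @param string[] $allowedSources Auth source IDs configured for multiauth.
 * @return string|null A configured source ID, or null to show the selection page.
 */
function preselectedSource(string $returnTo, array $allowedSources): ?string
{
    $query = parse_url($returnTo, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return null;                       // malformed URL or no query string
    }
    parse_str($query, $params);
    $source = $params['source'] ?? null;
    if (!is_string($source)) {
        return null;                       // absent, or array form like source[]=x
    }
    // Strict allowlist match: the value comes from the request, so it is only
    // ever used to choose among sources the operator has configured.
    return in_array($source, $allowedSources, true) ? $source : null;
}

// Constructed sample input (assumed source IDs and URLs).
$configured = ['facebook', 'ldap'];
$samples = [
    'http://sp.example.com/dashboard?source=facebook',
    'http://sp.example.com/dashboard?source=unknown-source',
    'http://sp.example.com/dashboard?source[]=facebook',
    'http://sp.example.com/dashboard',
];
foreach ($samples as $url) {
    $picked = preselectedSource($url, $configured);
    echo $url, ' => ', $picked ?? '(show selection page)', PHP_EOL;
}
```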

Amit Deshpande

Aug 6, 2014, 5:36:37 AM
to simple...@googlegroups.com, laas...@gmail.com
Hi Laas,
The option to modify the HTTPRedirect::getRedirecturl worked well for me.
Many thanks for sharing these pointers.

Cheers,
Amit 