Authproc filter ignored when logging into php application


badgerhill

Jan 4, 2022, 9:48:30 AM1/4/22
to SimpleSAMLphp

i have set up a global authproc filter in my config.php of my simplesamlphp to have 2fa as described here https://simplesamlphp.org/docs/stable/simplesamlphp-authproc.

login and 2fa work fine for all sp applications (wordpress, moodle, …).
however i do have a self-made php application, which does the following to log in:

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();

(taken from: https://simplesamlphp.org/docs/stable/simplesamlphp-sp)

the login (first factor) still works, however the 2nd factor, which is done by an authproc filter, is never triggered.

I just do not see where the problem is, as it works well with any third-party application, but just not with my own.

any help is appreciated.

thanks

thomas

any idea?

pat...@cirrusidentity.com

Jan 4, 2022, 1:23:27 PM1/4/22
to SimpleSAMLphp

Is your global authproc under 'authproc.idp' ?

Is your self made application running on the same server as your IdP or a different server?
What is the configuration for 'default-sp'?

- Patrick

Thomas Krupa

Jan 4, 2022, 2:00:57 PM1/4/22
to simple...@googlegroups.com
hi Patrick,

the self made app is running on the same machine as simplesamlphp

the global authproc is in config/config.php under authproc.idp

in addition to that i have also tried to put the authproc to
metadata/saml20-idp-hosted.php with the same result.

default-sp in authsources is as follows:

'default-sp' => [
    'saml:SP',

    // The entity ID of this SP.
    // Can be NULL/unset, in which case an entity ID is generated
    // based on the metadata URL.
    'entityID' => null,

    // The entity ID of the IdP this SP should contact.
    // Can be NULL/unset, in which case the user will be shown a
    // list of available IdPs.
    'idp' => null,

    // The URL to the discovery service.
    // Can be NULL/unset, in which case a builtin discovery service
    // will be used.
    'discoURL' => null,

    /*
     * The attributes parameter must contain an array of desired
     * attributes by the SP.
     * The attributes can be expressed as an array of names or as
     * an associative array
     * in the form of 'friendlyName' => 'name'. This feature
     * requires 'name' to be set.
     * The metadata will then be created as follows:
     * <md:RequestedAttribute FriendlyName="friendlyName"
     * Name="name" />
     */
    /*
    'name' => [
        'en' => 'A service',
        'no' => 'En tjeneste',
    ],

    'attributes' => [
        'attrname' => 'urn:oid:x.x.x.x',
    ],
    'attributes.required' => [
        'urn:oid:x.x.x.x',
    ],
    */
],

thomas


pat...@cirrusidentity.com

Jan 4, 2022, 7:21:39 PM1/4/22
to SimpleSAMLphp
Hi Thomas,

I'm not sure of the cause of that IdP authproc not running. Does the SP have an authproc with the same priority defined in saml20-sp-remote.php? I don't recall what SSP behavior is if you have two authprocs with the same priority when it merges all the different locations that they could be defined. I assume that you are logging in to the test SP with the IdP that you have 2fa enabled on :) ?

- Patrick

Thomas Krupa

Jan 5, 2022, 1:59:49 AM1/5/22
to simple...@googlegroups.com
hi patrick,

i have also tried to change the priority, so that there is no "merge
conflict".

i found one interesting statement on
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc though:


Note: An Auth Proc Filter will not work in the "Test authentication
sources" option in the web UI of a SimpleSAMLphp IdP. It will only be
triggered in conjunction with an actual SP. So you need to set up an IdP
and a SP when testing your filter.


so it seems that the login of the test authentication sources behaves
exactly as the login of my local self made app using these lines.

$as = new \SimpleSAML\Auth\Simple('default-sp');
$as->requireAuth();

so the question is how do i change my local app to be a service provider
and use simplesamlphp as my idp. i did not find any code examples for that.

thanks
thomas
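Putting the last question above into concrete form, as an added example that is not code from the thread or from the SimpleSAMLphp project: an SP authsource bound explicitly to the hosted IdP (instead of 'idp' => null), and the application code around Auth\Simple that verifies what comes back from the round trip. The 2FA filter itself stays where the thread has it, under 'authproc.idp' in config.php, and runs on the IdP side during that SP-to-IdP exchange. Entity IDs, the autoloader path and the 'uid' attribute name are assumptions.

```php
<?php
// Added example, not from the thread. Two pieces in one file for illustration:
// (1) the 'default-sp' authsource bound to a specific hosted IdP, and
// (2) the self-made application's entry point using it.

// --- (1) config/authsources.php on the SP side ---
$config = [
    'default-sp' => [
        'saml:SP',
        // Fixed entity ID so the IdP can register this SP in saml20-sp-remote.php.
        'entityID' => 'https://app.example.org/sp',                      // placeholder
        // Bind to the hosted IdP; 'idp' => null would show a discovery list instead.
        'idp' => 'https://idp.example.org/saml2/idp/metadata.php',       // placeholder
    ],
];

// --- (2) index.php of the self-made application ---
// Path to the SimpleSAMLphp autoloader is an assumption; adjust to your install.
require_once '/var/simplesamlphp/lib/_autoload.php';

$as = new \SimpleSAML\Auth\Simple('default-sp');
// Redirects the browser to the IdP, which runs its 'authproc.idp' chain
// (including the 2FA filter) before the assertion is returned here.
$as->requireAuth();

// Defensive checks after the round trip: make sure the assertion came from
// the IdP we bound to, not from some other IdP the SP happens to trust.
$expectedIdp = 'https://idp.example.org/saml2/idp/metadata.php';         // placeholder
if ($as->getAuthData('saml:sp:IdP') !== $expectedIdp) {
    http_response_code(403);
    exit('Authenticated by an unexpected IdP');
}

// Require the attribute the application actually relies on ('uid' is assumed).
$attributes = $as->getAttributes();
if (empty($attributes['uid'][0])) {
    http_response_code(403);
    exit('Required attribute missing from assertion');
}

// Attribute values come from the IdP; escape them before rendering.
echo 'Hello, ' . htmlspecialchars($attributes['uid'][0], ENT_QUOTES, 'UTF-8');
echo ' <a href="' . htmlspecialchars($as->getLogoutURL(), ENT_QUOTES, 'UTF-8') . '">Logout</a>';
```

With this configuration the IdP sees a real SP (entityID above, listed in its saml20-sp-remote.php), so the global 'authproc.idp' filters apply to this login the same way they do for the third-party SPs.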
