Hi,
On 16 Nov 2017, at 04:00 AM, stpe...@hotmail.com wrote:
> Is the problem that the process has to go to the SP first to start the session for simplesamlphp to capture and then let the IDP log the user in and return to the SP?
No, you don’t need to already have a session in the SP for IdP-initiated SSO to work.
> Is the problem here that the idea of "IDP-initiated" SSO's is not that you start on the IDP?
It doesn’t matter how you reach the IdP. In IdP-initiated SSO, you have a URL in the IdP that you can visit to trigger authentication and be redirected to the SP. How you reach that URL is irrelevant.
> I just see how the assertion posted to the acs.php URL for the SP can be retrieved. I still must be missing something. I just don't know what.
Have you looked at the (SimpleSAMLphp) logs? If you are getting the assertion back but isAuthenticated() returns false, there must be some problem while processing the assertion. You need to check the logs.
> On Wednesday, November 15, 2017 at 3:03:03 PM UTC-5, stpe...@hotmail.com wrote:
>> I have an external IDP that my SP is connected to (exchanging metadata with). An SSO works just fine with a particular flow: if I send a request to the IDP from the SP to check if I am authenticated, I can determine if I am or not, and I can get the attributes and complete the SSO.
>>
>> However, I cannot figure out how to determine if the user is logged in when the person lands on my site coming from the IDP first. That is, the process is always going to be that the user goes to the IDP (and logs in etc), redirects to the SP and the SP should let them in. However, I cannot get the session that the IDP sets. isAuthenticated() ALWAYS returns FALSE. If I use something like SAML tracer I see that the IDP does send me an assertion when the user is redirected to my SP.
>>
>> So this works (and does not show the user the IDP login page, as they are logged in already):
>> $auth = new SimpleSAML_Auth_Simple($this->spname);
>> $auth->requireAuth();
>> $attributes = $auth->getAttributes();
>>
>> But this does not work (as isAuthenticated() already shows FALSE):
>> $auth = new SimpleSAML_Auth_Simple($this->spname);
>> if ($auth->isAuthenticated()) {   // always FALSE after the redirect from the IDP
>>     $attributes = $auth->getAttributes();
>> }
>>
>> So what API do I use on my SP for this?
—
Jaime Pérez
UNINETT / Feide
jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2
"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
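Added example (not from the thread above, nor from the SimpleSAMLphp project itself): an SP-side landing page that works for both IdP-initiated and SP-initiated SSO, written against the same 1.x SimpleSAML_Auth_Simple API the question uses. It assumes the standard install path /var/simplesamlphp, an SP authsource named "default-sp", the hostnames sp.example.org and idp.example.org, and an attribute named "uid"; all of those are placeholders.

```php
<?php
// Added example, not code from the original thread. Assumptions (placeholders):
// SimpleSAMLphp 1.x at /var/simplesamlphp, SP authsource 'default-sp',
// trusted IdP entity ID https://idp.example.org/saml2/idp/metadata.php.
require_once('/var/simplesamlphp/lib/_autoload.php');

$spName     = 'default-sp';
$trustedIdp = 'https://idp.example.org/saml2/idp/metadata.php';
$thisPage   = 'https://sp.example.org/landing.php';

$auth = new SimpleSAML_Auth_Simple($spName);

if (!$auth->isAuthenticated()) {
    // No SP session exists. For IdP-initiated SSO the IdP must POST the
    // assertion to the SP's ACS endpoint, i.e.
    //   https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
    // which processes it, creates the session and then redirects to RelayState.
    // Landing here without a session means either the IdP sent the browser
    // straight to this page instead of the ACS, or the ACS rejected the
    // assertion (the reason is in the SimpleSAMLphp log, not in this page).
    // Fall back to SP-initiated SSO against the expected IdP so the user still
    // gets a session; requireAuth() redirects and does not return.
    $auth->requireAuth([
        'saml:idp' => $trustedIdp,
        'ReturnTo' => $thisPage,
    ]);
}

// A session exists. Before trusting its attributes, confirm which IdP issued
// it: with IdP-initiated SSO any IdP listed in saml20-idp-remote could have
// started the session, so pin it to the one this application expects.
$issuer = $auth->getAuthData('saml:sp:IdP');
if ($issuer !== $trustedIdp) {
    http_response_code(403);
    exit('Session was issued by an unexpected IdP: ' . htmlspecialchars($issuer));
}

// getAttributes() returns name => array of values; it returns an empty array
// when there is no authenticated session, which is why reading it right after
// a FALSE isAuthenticated() yields nothing.
$attributes = $auth->getAttributes();
$uid = isset($attributes['uid'][0]) ? $attributes['uid'][0] : null;   // 'uid' is assumed
if ($uid === null) {
    http_response_code(403);
    exit('Assertion accepted but the required attribute is missing.');
}

header('Content-Type: text/plain; charset=utf-8');
echo "Logged in as " . $uid . " via " . $issuer . "\n";
foreach ($attributes as $name => $values) {
    echo $name . ': ' . implode(', ', $values) . "\n";
}
```

On the IdP side, the "URL in the IdP" from the reply above is whatever the external IdP exposes for unsolicited SSO; when the IdP is also SimpleSAMLphp it is saml2/idp/SSOService.php with a spentityid parameter (and optionally RelayState pointing at the landing page). Whichever IdP is used, the RelayState it sends is where the ACS redirects after creating the session, so point it at this page rather than at the ACS.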