* Maroun Bercachi <mber...@megeshealth.com> [2017-12-02 14:56]:
> We are outsourcing the development of the web app to a company
> where we don't have control over the ADFS, so we cannot decide to
> make the SAML IDP accessible from everywhere or not.
I can't really parse that sentence, as the latter doesn't follow from
the former, but let's just leave it at "someone wants the IDP to be
inaccessible so that everyone's password can be exposed to more
applications outside the 'secure' company network".
> $as->requireAuth(); // THIS IS THE QUESTION: if the user is outside the
> company and tries to connect to this page, the requireAuth() redirects to
> the SAML IDP that isn't publicly accessible and generates an error, so we
> don't have control to redirect the user again to the web app main login
> page.
I don't understand what you're asking: Obviously (?) unless you know
the subject is within the company network you don't call requireAuth
with the saml:SP authsource, but do your other thing that's not
SimpleSAMLphp. (It could also be SSP, of course, e.g. you could define
another authsource to call if the subject is not on the internal
network.)
> So I don't know if before calling the requireAuth() function, we
> have the mean to check if the user is under the SAML IDP domain or
> if he has a valid session on the IDP...
Are you now asking "How do I determine whether someone connecting to
my server via HTTPS is part of some company's internal network"?
If so, that has nothing to do with SimpleSAMLphp. In general you'd need
to know the network range that identifies "internal" IP addresses
(IPv4, IPv6), plus the network range of any VPN servers or proxies
(IPv4, IPv6), and then check whether the connecting client's IP
address (e.g. REMOTE_ADDR in httpd, but if your web server is behind
other servers/appliances this may be elsewhere) matches that range.
If you meant something else (e.g. how to determine whether some client
is part of a MS-Active Directory "domain") the answer will be
different, but equally unrelated to SimpleSAMLphp.
If you don't "have the mean to check if the user" is part of the
company's domain, then what's your question here?
First you were saying you need to check whether the client is part of
the internal network/domain and use different auth methods based on
that.
Obviously if you can't determine whether the client in fact is coming
from the internal network/domain that whole "plan" goes up in flames,
no?
I'm probably not understanding what it is you're asking.
Anyway, if you have actual questions about the SimpleSAMLphp software
that cannot be answered by reading the documentation feel free to ask
technical questions.
-peter
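The approach Peter sketches (check the client's address against the known internal and VPN ranges, then pick a different authsource for outside clients before ever calling requireAuth) in working PHP. This is an added example, not code from the thread or from the SimpleSAMLphp project. It assumes a SimpleSAMLphp version with the namespaced `\SimpleSAML\Auth\Simple` class and two authsources configured in `authsources.php` under the hypothetical names `internal-sp` (the saml:SP pointing at the ADFS) and `external-pw` (whatever the app uses for outside users); the address ranges and proxy addresses are constructed sample values.

```php
<?php
// Added example (not from the thread or the SimpleSAMLphp project): pick the
// authsource from the client's network position instead of calling requireAuth()
// on the saml:SP authsource unconditionally.
// Assumptions: SimpleSAMLphp with \SimpleSAML\Auth\Simple; authsources named
// 'internal-sp' and 'external-pw' (hypothetical); sample ranges below are constructed.

declare(strict_types=1);

// Constructed sample values: office ranges, the VPN client pool, and an IPv6 block.
const INTERNAL_RANGES = [
    '10.0.0.0/8',
    '192.168.50.0/24',     // hypothetical VPN client pool
    '2001:db8:ac10::/48',  // documentation prefix standing in for the company IPv6 block
];

// Constructed sample: only these reverse proxies may supply X-Forwarded-For.
const TRUSTED_PROXIES = ['203.0.113.10', '203.0.113.11'];

/**
 * True if $ip (IPv4 or IPv6, textual) lies within the CIDR block $cidr.
 * Works on the packed binary form so one routine covers both address families.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2) + [1 => null];
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input or mixed families: never treat as internal
    }
    $maxBits = strlen($netBin) * 8;
    $bits = $bits === null ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes, then the high bits of the last partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

function ipInAnyRange(string $ip, array $ranges): bool
{
    foreach ($ranges as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Determine the client address. REMOTE_ADDR is authoritative; X-Forwarded-For is
 * honoured only when the directly connected peer is one of our own proxies,
 * since otherwise any client could claim an internal address by sending the header.
 */
function clientIp(array $server): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null) {
        return null;
    }
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // With a single trusted proxy, the rightmost entry is the address it saw;
        // anything to the left was supplied by the client and is not trusted.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops) ?: null;
    }
    return $peer;
}

/** Internal clients go to the saml:SP authsource; everyone else to the public one. */
function chooseAuthSource(array $server): string
{
    $ip = clientIp($server);
    return ($ip !== null && ipInAnyRange($ip, INTERNAL_RANGES)) ? 'internal-sp' : 'external-pw';
}

// Usage in the page that previously called $as->requireAuth() unconditionally:
$as = new \SimpleSAML\Auth\Simple(chooseAuthSource($_SERVER));
$as->requireAuth();
$attributes = $as->getAttributes();
```

The decision is made on the server side from the address the server actually sees, which is the only thing this check can assert; a client outside the listed ranges never triggers the redirect to the unreachable IdP, and the fallback authsource must not be weaker than what the company accepts for external access, because that is exactly the exposure Peter points out.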