Re: [simplesamlphp-users] Authenticate user from outside the ADFS domain


Peter Schober

Dec 1, 2017, 3:40:50 PM12/1/17
to SimpleSAMLphp
* Maroun Bercachi <mber...@megeshealth.com> [2017-12-01 20:05]:
> I have a web application that uses SimpleSAMLphp to authenticate users
> inside a company.

OK.

> When a user needs to access the web app from within the company
> (under the federation server domain), it is automatically
> authenticated and redirected to his main dashboard inside the web
> app. So till now, all works very good. I'm facing a problem: when a
> user needs to access the web app from outside the company (not under
> the federation server domain), I need to automatically redirect him
> to the main Login page of the web app (to enter his username and
> password), and not to the federation service URL. Because if he
> tries to access the web app from outside the company, he receives an
> error (page cannot be displayed or not found) after the
> SimpleSAMLphp redirects him to the federation service URL which is
> not publicly accessible.

I'm assuming you're running SimpleSAMLphp as a SAML Service Provider
(SP)? What is the Identity Provider (IDP), then, probably MS-ADFS
acting as SAML 2.0 IDP?
So with "the federation service URL" you mean the SAML IDP or the
login page at the SAML IDP?

My general advice would be to make your SAML IDP accessible from
everywhere equally and to handle the risk in other ways than using
firewalls (MFA, managed devices, etc.)

Since that won't be easily achievable (otherwise the org would not
enforce such policies) one alternative would be requiring the use of a
VPN, before even starting to log in/on anywhere. Then the SP can
continue sending you to the "internal" SAML IDP and nothing needs to
change.
(Of course VPN clients suck and SAML can enable secure resource access
independently of location. If you let it.)

SimpleSAMLphp certainly allows you to do literally what you wanted,
even though that's a bit silly[1]: SimpleSAMLphp's SP API allows you
to trigger a SAML authentication request whenever you want, so
evaluating the client's IP range and then deciding what flow
(authsource) to trigger is very much possible.
Of course you're free to do something else (current auth method in the
application) if the client connects from outside a certain IP range.

You don't mention how authentication is triggered now (nor any other
technical detail, we don't even know what protocol you're using) so
here are a few pointers to the SP documentation:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp#section_6
https://simplesamlphp.org/docs/stable/saml:sp
and the SP API:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api

-peter

[1] If the application is accessible outside your network it hardly
improves security by allowing username + password authentication
directly at an exposed application, potentially exposing your
passwords to the application and to the "oh so insecure" network.

Peter Schober

Dec 2, 2017, 9:23:21 AM12/2/17
to SimpleSAMLphp
* Maroun Bercachi <mber...@megeshealth.com> [2017-12-02 14:56]:
> We are outsourcing the development of the web app to a company
> where we don't have control over the ADFS, so we cannot decide to
> make the SAML IDP accessible from everywhere or not.

I can't really parse that sentence, as the latter doesn't follow from
the former, but let's just leave it at "someone wants the IDP to be
inaccessible so that everyone's password can be exposed to more
applications outside the 'secure' company network".

> $as->requireAuth(); // THIS IS THE QUESTION: if the user is outside the
> company and tries to connect to this page, the requireAuth() redirects to
> the SAML IDP that isn't publicly accessible and generates an error, so we
> don't have control to redirect the user again to the web app main login
> page.

I don't understand what you're asking: Obviously (?) unless you know
the subject is within the company network you don't call requireAuth
with the saml:SP authsource, but do your other thing that's not
SimpleSAMLphp. (It could also be SSP, of course, e.g. you could define
another authsource to call if the subject is not on the internal
network.)

> So I don't know if before calling the requireAuth() function, we
> have the means to check if the user is under the SAML IDP domain or
> if he has a valid session on the IDP...

Are you now asking "How do I determine whether someone connecting to
my server via HTTPS is part of some company's internal network"?

If so, that has nothing to do with SimpleSAMLphp. In general you'd need
to know the network range that identifies "internal" IP addresses
(IPv4, IPv6), plus the network range of any VPN servers or proxies
(IPv4, IPv6), and then check whether the connecting client's IP
address (e.g. REMOTE_ADDR in httpd, but if your web server is behind
other servers/appliances this may be elsewhere) matches that range.

If you meant something else (e.g. how to determine whether some client
is part of a MS-Active Directory "domain") the answer will be
different, but equally unrelated to SimpleSAMLphp.

If you don't "have the means to check if the user" is part of the
company's domain, then what's your question here?
First you were saying you need to check whether the client is part of
the internal network/domain and use different auth methods based on
that.
Obviously if you can't determine whether the client in fact is coming
from the internal network/domain that whole "plan" goes up in flames,
no?

I'm probably not understanding what it is you're asking.
Anyway, if you have actual questions about the SimpleSAMLphp software
that cannot be answered by reading the documentation feel free to ask
technical questions.

-peter
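The two pieces of advice in this thread (first message: pick the authsource based on the client's IP range; second message: resolve the client address from REMOTE_ADDR, taking proxies into account, and match it against the internal IPv4/IPv6 ranges) put together as one added example. This is editor-supplied code, not something posted in the thread nor part of SimpleSAMLphp itself. The authsource names `adfs-sp` and `local-password`, the address ranges, the trusted-proxy list and the `$_SERVER` values in the demo are all made-up assumptions; the only SimpleSAMLphp calls referenced are `\SimpleSAML\Auth\Simple` and `requireAuth()`, which are left commented out so the file runs without SimpleSAMLphp installed.

```php
<?php
// Added example, not from the mailing-list thread or from SimpleSAMLphp.
// Choose which SimpleSAMLphp authsource to trigger depending on whether the
// client connects from an "internal" network range. Authsource names,
// ranges and proxy addresses below are hypothetical.
declare(strict_types=1);

/** True if $ip (IPv4 or IPv6 text form) lies inside CIDR $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject malformed input and mixed IPv4/IPv6 comparisons.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $maxBits = strlen($ipBin) * 8;           // 32 or 128
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare whole prefix bytes first, then the remaining bits of one byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function ipInAnyRange(string $ip, array $ranges): bool
{
    foreach ($ranges as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve the connecting client's address. REMOTE_ADDR is authoritative.
 * X-Forwarded-For is only consulted when REMOTE_ADDR is one of our own
 * trusted reverse proxies, and then only the right-most entry is used:
 * that is the one the proxy appended; everything left of it is
 * client-controlled. (Assumes a single trusted proxy hop.)
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null) {
        return null;
    }
    if (ipInAnyRange($remote, $trustedProxies) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($hops);
    }
    return $remote;
}

/** Pick the authsource name (hypothetical names) for this request. */
function chooseAuthSource(array $server, array $internalRanges, array $trustedProxies): string
{
    $ip = clientIp($server, $trustedProxies);
    return ($ip !== null && ipInAnyRange($ip, $internalRanges))
        ? 'adfs-sp'          // saml:SP authsource pointing at the internal ADFS IdP
        : 'local-password';  // some other authsource, or the app's own login page
}

// ---- constructed demo values (assumptions, not real networks) ----
$internalRanges = ['10.0.0.0/8', '192.168.0.0/16', '2001:db8:abcd::/48'];
$trustedProxies = ['192.0.2.10/32'];

$cases = [
    'direct, internal'        => ['REMOTE_ADDR' => '10.20.30.40'],
    'direct, IPv6 internal'   => ['REMOTE_ADDR' => '2001:db8:abcd:1::7'],
    'direct, external'        => ['REMOTE_ADDR' => '203.0.113.5'],
    'via trusted proxy'       => ['REMOTE_ADDR' => '192.0.2.10',
                                  'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
    'spoofed XFF, no proxy'   => ['REMOTE_ADDR' => '203.0.113.9',
                                  'HTTP_X_FORWARDED_FOR' => '10.1.2.3'],
];
foreach ($cases as $label => $server) {
    printf("%-24s -> %s\n", $label, chooseAuthSource($server, $internalRanges, $trustedProxies));
}

// With SimpleSAMLphp installed, the chosen flow would be triggered here:
// $as = new \SimpleSAML\Auth\Simple(chooseAuthSource($_SERVER, $internalRanges, $trustedProxies));
// $as->requireAuth();
```

The "spoofed XFF, no proxy" case is the check to keep: a client outside the network cannot talk its way into the internal flow by sending its own X-Forwarded-For, because the header is ignored unless REMOTE_ADDR is a proxy we operate. As Peter's footnote says, this only decides which login flow to show; it does not make the password flow at the exposed application any safer.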