Simplesamlphp check if user has session on IdP

[Michal Zuber]

I apologize if this was solved somewhere, but I can't found solution.

I tried code from https://groups.google.com/d/msg/simplesamlphp/k8KSZN916KM/3-buwpft0_0J 

Need help with identifying on SP side if user has authenticated on IdP. Infrastructure (everything on one shared hosting):

login.domain.com (IdP)

www.domain.com (SP)

www.domain2.com (SP)

From domain.com I'm redirected to login.domain.com (IdP) where I successfully login and be redirected to domain.com. I open site domain2.com (SP) and want to be authenticated, without the need to click on login, be redirected to IdP and back (without typing username, pass).

HTTP-Artifact is the solution, or some kind of SOAP solution? Tried with cURL and than read that it can't be done with cURL.

Tried memcache with same session.cookie.domain = 'domain.com';

Is there a solution to get auth session from the IdP, something like when I log in to Gmail and than click on Youtube I'm already logged in without clicking on log in.

Logout works out of the box.

Big thanks for any suggestions, ideas.

[Olav Morken]

On Tue, Apr 24, 2012 at 11:34:02 -0700, Michal Zuber wrote:
>
>
> I apologize if this was solved somewhere, but I can't found solution.
>
> I tried code
> from https://groups.google.com/d/msg/simplesamlphp/k8KSZN916KM/3-buwpft0_0J

But it did not work? In what way dit it fail?

> Need help with identifying on SP side if user has authenticated on IdP.
> Infrastructure (everything on one shared hosting):
>
> login.domain.com (IdP)
>
> www.domain.com (SP)
>
> www.domain2.com (SP)
>
> From domain.com I'm redirected to login.domain.com (IdP) where I
> successfully login and be redirected to domain.com. I open site domain2.com
> (SP) and want to be authenticated, without the need to click on login, be
> redirected to IdP and back (without typing username, pass).
>
> HTTP-Artifact is the solution, or some kind of SOAP solution? Tried with
> cURL and than read that it can't be done with cURL.

cURL does not have access to the cookies of the user's browser, so it
will not work. SOAP suffers from the same problem. HTTP-Artifact is
just a different method to transport a response to the SP.

> Tried memcache with same session.cookie.domain = 'domain.com';

But the other SP is on domain2.com, so you cannot share a cookie with
it.

> Is there a solution to get auth session from the IdP, something like when I
> log in to Gmail and than click on Youtube I'm already logged in without
> clicking on log in.

Passive requests should be able to do it, as described in the link you
included.

(Youtube / Gmail actually runs som requests in order to set up a
cross-domain session transparently. Take a look at it with a request
logger.)

Best regards,
Olav Morken
UNINETT / Feide

[Michal Zuber]

Many thanks for clarification.

My issue is that I need only to check if session exists on IdP.

The visitor should be able to use the page without authenticating, 

but if he logged in at IdP from another SP after visiting another SP the visitor should be authenticated.

With the code below the issue is that login is required and not optional, visitor is always required to login.

The code I'm using on SP side:

    // Check if user is logged in

    require WB_PATH . '/include/simplesamlphp/lib/_autoload.php';

    $SAML = new SimpleSAML_Auth_Simple('default-sp');

    if (!$SAML->isAuthenticated() && !isset($_SESSION['checkedLogin'])) {

        $_SESSION['checkedLogin'] = true;

        $SAML->login(array(

            'IsPassive' => true,

            'ErrorURL' => $SAML->getLoginURL(),

        ));

        if ($SAML->isAuthenticated()) {

            $attributes = $SAML->getAttributes();

            $_SESSION['USER_ID'] = $attributes['user_id'][0];

            $_SESSION['GROUP_ID'] = $attributes['group_id'][0];

            $_SESSION['GROUPS_ID'] = $attributes['groups_id'][0];

            $_SESSION['USERNAME'] = $attributes['username'][0];

            $_SESSION['DISPLAY_NAME'] = $attributes['display_name'][0];

            $_SESSION['EMAIL'] = $attributes['urn:oid:1.2.840.113549.1.9.1'][0];

        }

        else {

            $_SESSION['USER_ID'] = null;

            $_SESSION['GROUP_ID'] = null;

            $_SESSION['GROUPS_ID'] = null;

            $_SESSION['USERNAME'] = null;

            $_SESSION['PAGE_PERMISSIONS'] = null;

            $_SESSION['SYSTEM_PERMISSIONS'] = null;

        }

    }

[Olav Morken]

On Thu, Apr 26, 2012 at 04:43:21 -0700, Michal Zuber wrote:
> Many thanks for clarification.
>
> My issue is that I need only to check if session exists on IdP.
> The visitor should be able to use the page without authenticating,
> but if he logged in at IdP from another SP after visiting another SP the
> visitor should be authenticated.
> With the code below the issue is that login is required and not optional,
> visitor is always required to login.
>
> The code I'm using on SP side:
>
> // Check if user is logged in
> require WB_PATH . '/include/simplesamlphp/lib/_autoload.php';
> $SAML = new SimpleSAML_Auth_Simple('default-sp');
>
> if (!$SAML->isAuthenticated() && !isset($_SESSION['checkedLogin'])) {
> $_SESSION['checkedLogin'] = true;
> $SAML->login(array(
> 'IsPassive' => true,
> 'ErrorURL' => $SAML->getLoginURL(),

This ErrorURL does not make sense - you are basically telling it to
retry the authentication if passive authentication fails?

> ));

Note that this function actually redirects you to the IdP. Thus, the
code below will never run.

>
> if ($SAML->isAuthenticated()) {
> $attributes = $SAML->getAttributes();
> $_SESSION['USER_ID'] = $attributes['user_id'][0];
> $_SESSION['GROUP_ID'] = $attributes['group_id'][0];
> $_SESSION['GROUPS_ID'] = $attributes['groups_id'][0];
> $_SESSION['USERNAME'] = $attributes['username'][0];
> $_SESSION['DISPLAY_NAME'] = $attributes['display_name'][0];
> $_SESSION['EMAIL'] =
> $attributes['urn:oid:1.2.840.113549.1.9.1'][0];

Storing this data in the session is not recommended, since it doesn't
handle logout very well.

> }
> else {
> $_SESSION['USER_ID'] = null;
> $_SESSION['GROUP_ID'] = null;
> $_SESSION['GROUPS_ID'] = null;
> $_SESSION['USERNAME'] = null;
> $_SESSION['PAGE_PERMISSIONS'] = null;
> $_SESSION['SYSTEM_PERMISSIONS'] = null;
> }
> }

[Michal Zuber]

Thanks, I really appreciate your time trying to help me.

What is your suggestion or how would you approach this scenario, if it can be done with SimpleSAMLPHP?

3 SPs with 1 IdP

I'm on SP1, login on IdP and be redirected back to SP1. I'm browsing on the web on SP1, than I go to

another domain, SP2 and be logged in (this is solved with isPassive).

I logout on SP2 and want to browse the web unauthenticated without always be redirected to IdP to check user is authenticated.

I know that there needs to be a reqeust to the IdP, but could it be seemless for the visitor like the Google and Youtube auth process ?

I just want to be user friendly without always redirecting to IdP.

I'm using memcache, can be the session shared somehow?

[Michal Zuber]

I ended up with is code:

if (!defined('SESSION_STARTED')) {

session_name('dopytovysk_session_id');

session_start();

define('SESSION_STARTED', true);

}

    require PATH . '/include/simplesamlphp/lib/_autoload.php';

    $SAML = new SimpleSAML_Auth_Simple('default-sp');

    if ($SAML->isAuthenticated()) {

        $attributes = $SAML->getAttributes();

        $_SESSION['USER_ID'] = $attributes['user_id'][0];

        $_SESSION['GROUP_ID'] = $attributes['group_id'][0];

        $_SESSION['GROUPS_ID'] = $attributes['groups_id'][0];

        $_SESSION['USERNAME'] = $attributes['username'][0];

        $_SESSION['DISPLAY_NAME'] = $attributes['display_name'][0];

        $_SESSION['EMAIL'] = $attributes['urn:oid:1.2.840.113549.1.9.1'][0];

    }

    else {

        $_SESSION['USER_ID'] = null;

        $_SESSION['GROUP_ID'] = null;

        $_SESSION['GROUPS_ID'] = null;

        $_SESSION['USERNAME'] = null;

        $_SESSION['PAGE_PERMISSIONS'] = null;

        $_SESSION['SYSTEM_PERMISSIONS'] = null;

        if (!isset($_SESSION['checkedLogin'])) {

            $returnTo = urlencode($_SERVER['REQUEST_URI']);

            $SAML->login(array(

                'isPassive' => true,

                'ErrorURL' => URL . "/saml-login-check.php?ReturnTo=$returnTo",

            ));

        }

        else {

            unset($_SESSION['checkedLogin']);

        }

    }

saml-login-check.php:

if (!isset($_REQUEST['ReturnTo'])) {

    die('Missing ReturnTo URL.');

}

session_name('appname_session_id');

session_start();

$_SESSION['checkedLogin'] = $_SERVER['REQUEST_TIME'];

header('Location: ' . (string) $_REQUEST['ReturnTo']);

exit;

[roh...@ideoris.com.au]

Hi Michael,

We are in the same boat as you and wanted to know if you manage to get this working?

again, we have SP1 authenticated to IDP and when a user goes to SP2, then we want the user to be auto logged in without having to click on Login link

Doing some research, there are solutions from OpenAM and Oracle Enterprise SSO, which seems to provide this solution.

Any help would be really appreciated.

Thanks

Rohit

[Peter Schober]

* roh...@ideoris.com.au <roh...@ideoris.com.au> [2013-11-22 08:53]:

> We are in the same boat as you and wanted to know if you manage to
> get this working?

You're quoting below the reply on how he got it working (never mind
that you replied to an 1.5 year old thread).

> Doing some research, there are solutions from OpenAM and Oracle
> Enterprise SSO, which seems to provide this solution.

The desired behaviour is included in the SAML2 standard and
implemented by (among others) SimpleSAMLphp.
-peter

[roh...@ideoris.com.au]

thanks peter for your reply.

Sorry I am still trying to find a solution and hence trying to read topics and trying to seek an answer. No luck thus far. It seems like what we want to achieve is not possible.

Can you please let me know if we can have a way to check if the user who is on domain2.com, is authenticated at idp? we have multiple tld's and hence cross browser cookie problem.

R

[Peter Schober]

* roh...@ideoris.com.au <roh...@ideoris.com.au> [2013-11-23 01:44]:

> Can you please let me know if we can have a way to check if the user
> who is on domain2.com, is authenticated at idp? we have multiple
> tld's and hence cross browser cookie problem.

You send a standard SAML2.0 autnhentication request to the IdP, with
isPassive set.
-peter

[Roland Haroutiounian]

I tried this solution but if the user is not authentified, Im redirected to an error page with this error : 

Caused by: SimpleSAML_Error_NoPassive: Passive authentication not supported.

[Peter Schober]

* Roland Haroutiounian <rolan...@gmail.com> [2013-11-27 09:15]:

> I tried this solution but if the user is not authentified, Im redirected to
> an error page with this error :
>
> Caused by: SimpleSAML_Error_NoPassive: Passive authentication not supported.

I think SSP allows you to catch this error and continue, but others
will have to give you the API details. *But* since you said in the
other thread that you only have /one/ IdP for your two SPs, if that
one IdP does not support isPassive, well, then obviously you can't use
isPassive.
So subjects will always need to click "log in" on every SP if they
want to log in. After establishing a session with the IdP every
further "log in" call on any additional SP will lead to SSO and hence
no additional "work".
-peter

[Roland Haroutiounian]

Where do you configure this parameter ? I'm sorry, i'm a newbie in simplesamlphp. :)

Thanks

[Peter Schober]

* Roland Haroutiounian <rolan...@gmail.com> [2013-11-28 09:20]:

> Where do you configure this parameter ? I'm sorry, i'm a newbie in
> simplesamlphp. :)

What "this parameter"?
-peter

[Roland Haroutiounian]

The isPassive one.

[Peter Schober]

* Roland Haroutiounian <rolan...@gmail.com> [2013-11-28 11:11]:
> > What "this parameter"?
>
> The isPassive one.

Did you even read what I wrote before? (The sentence starting with
*But* and everything after that.) You sent an error message from
the IdP saying the IdP *does* *not* *support* *passive* authentication.
So you can't use it with that IdP and you said that's your only
IdP. So end of story. What part of that is unclear?

Also you said that you already tried it (hence that specific error
message, how else would you get that?) so I still don't know what
"parameter" about isPassive you want to know about.

But just keep on answering in half-sentences, you'll see how that will
increase the motivation of others trying to guess what *your* problem
might be and invest their time for free/gratis to help you solve
*your* problem.
-peter

[be...@me.com]

As far as I know, there is no such parameter. I think that the passive support in simpleSamlPhp could do with better documentation. I quickly searched through the simpleSamlPhp code, and I found this:

"Modules with user interaction are expected to throw an SimpleSAML_Error_NoPassive exception”

however, UserPassBase.php doesn’t seem to throw one.

My guess is that you use some module for authentication, filtering or something else that doesn’t support passive authentication.
The full error trace will likely reveal more information on this. Does the error occur on the IdP or the SP?
Do you use any filters? What kind of authentication source do you use at the IdP side?

--
Best regards,
Yørn de Jong

> --
> You received this message because you are subscribed to the Google Groups "simpleSAMLphp" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to simplesamlph...@googlegroups.com.
> To post to this group, send email to simple...@googlegroups.com.
> Visit this group at http://groups.google.com/group/simplesamlphp.
> For more options, visit https://groups.google.com/groups/opt_out.

[Roland Haroutiounian]

Here is the error trace I get : 

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_NoPassive: Passive authentication not supported.
Backtrace:
2 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/modules/saml/lib/Error.php:161 (sspmod_saml_Error::toException)
1 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/modules/saml/www/sp/saml2-acs.php:78 (require)
0 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/www/module.php:135 (N/A)
Caused by: sspmod_saml_Error: Responder/NoPassive: Passive authentication not supported.
Backtrace:
3 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/modules/saml/lib/Message.php:371 (sspmod_saml_Message::getResponseError)
2 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/modules/saml/lib/Message.php:498 (sspmod_saml_Message::processResponse)
1 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/modules/saml/www/sp/saml2-acs.php:75 (require)
0 /home/roland/DEV/Genesis/symfony/vendor/Mailclub/saml-bundle/Mailclub/SamlBundle/Lib/simplesamlphp/www/module.php:135 (N/A)

[be...@me.com]

You don’t tell if this happens on the SP or IdP, but from context I would say that this error comes from the SP (simplesamlphp inside a symfony installation).
From what I gather from this error message, the SP sends a request to the IdP to initiate a passive login but the IdP answers with an assertion that it is not able or willing to do so. I would thus think that the problem lies in the IdP, but I can’t see that the problem is from this trace as the IdP doesn’t give a stack trace.

As I wrote in my previous mail, you probably use some module on your IdP that doesn’t support passive authentication. I would recommend that you try disabling modules that you enabled yourself but that you don’t really need, to see if that solves the problem. If you find the culprit, see if there is some way you can reconfigure that module to allow passive logins.

--
Best regards,
Yørn de Jong

[Roland Haroutiounian]

I also think it comes from the IdP, I'll look this way.

Thanks for your help.

[Peter Schober]

* Roland Haroutiounian <rolan...@gmail.com> [2013-11-28 12:01]:

> I also think it comes from the IdP, I'll look this way.

No need to "think", I've told you exactly that twice before, in this
thread, and in very untechnical prose.
But we don't even know what software the IdP is running, or version,
or anything else one could use to help you.
-peter

[comel]

SimpleSAML_Error_NoPassive is thrown when passive (without user interaction) authentication is not possible, i.e. user is not already logged in, and not that IdP does not support passive authentication at all. On the SP side this exception should be catched, and executed whatever is wanted.

[be...@me.com]

Thanks comel! I didn’t know that. I thought that passive meant that you can get a negative answer, but that the user would never be prompted with anything.

The way I understand it now is that throwing SimpleSAML_Error_NoPassive is the equivalent of saying “there is no assertion that this user is logged on, and i’m not going to ask since i’m running in passive mode”.

In that case, Roland could just catch the error on the SP side and then treat the session as not logged-on. If the error does not occur, use the usual code to determine if the user is logged on. However, I don’t know if simpleSamlPhp allows this; the example code earlier in this thread seemed to suggest that there would be no exception whatsoever; the assertion simply wouldn’t say “authenticated”.

--
Best regards, 
Yørn de Jong 

[Peter Schober]

* comel <andjelko.h...@gmail.com> [2013-11-28 13:47]:

> SimpleSAML_Error_NoPassive is thrown when passive (without user
> interaction) authentication is not possible, i.e. user is not already
> logged in, and not that IdP does not support passive authentication at all.

Then I have misread the error message "Passive authentication not
supported.". My bad. The rest still stands, of course.

> On the SP side this exception should be catched, and executed
> whatever is wanted.

Obviously I don't understand what most of this thread is about then
since the thread started out with hi-jacking an old thread that
already contained the example code with which you catch the
exception. So if that was available to the OP why all the questions?

https://groups.google.com/forum/#!topic/simplesamlphp/ZShrlg68sTM
also seems to have examples for that.
-peter

[comel]

Actually SimpleSAML_Error_NoPassive exception is the "negative" answer (i.e. user is not authenticated), and user is not prompted on IdP with anything, exception is thrown on the SP side and should be handled there.

[andreas...@gmail.com]

I have the same requirement as the OP: I want users to be logged in automatically when they switch from one domain to another. Plus most of our pages can be viewed with or without authentication. The content simply varies by the authentication status. I know that this thread is old. Nevertheless does it contain the code that helped me develop a solution. It's close to how the OP solved the problem, but different enough for me to think it's worth sharing.

In the main page, "isAuthenticated" is called to determine, if there is a valid authentication. If so, a logout button is displayed. Once clicked, the IdP-logout page is called in a dialog. After closing the dialog, the page gets reloaded. If there is no authentication, a sub-page is loaded in an iframe in which "requireAuth" is called. If there is an authentication available from another SP, the authentication is granted and the sub-page is called again. Since "requireAuth" now returns, the initially called main page gets reloaded. Here, "isAuthenticated" returns true now.
If there is no authentication available from another SP, the login-box of the IdP is shown in the iframe. Once the user logs in, the process works again like described above. The only drawback is that the IdP-login page is loaded with every page of each SP when not logged in.

So here is the code of the "main" page:

<?php 
require_once (__DIR__ . '/simplesaml/_include.php');
$as = new SimpleSAML_Auth_Simple('bx-sp');
$isAuthenticated = $as->isAuthenticated();
print "isAuthenticated: " . ($isAuthenticated ? "yes" : "no") . "\n";
?>
<html>
  <head>
    <meta charset="utf-8"> 
    <title>Page with login</title>
    <link rel="stylesheet" href="//code.jquery.com/ui/1.11.1/themes/smoothness/jquery-ui.css">
    <script type="text/javascript" src="//code.jquery.com/jquery-1.11.1.js"></script>
    <script type="text/javascript" src="//code.jquery.com/ui/1.11.1/jquery-ui.js"></script>
<? if ($isAuthenticated) { ?>
    <script>
       function opendialog(page) {
          var $dialog = $('#logoutOverlay')
          .html('<iframe style="border: 0px; " src="' + page + '" width="100%" height="100%"></iframe>')
          .dialog({
            title: "Logout",
            autoOpen: false,
            dialogClass: 'dialog_fixed,ui-widget-header',
            modal: true,
            height: 270,
            minWidth: 400,
            minHeight: 270,
            draggable:true,
            close: function () {
                location.reload();
            },
            buttons: { 
                "Ok": 
                    function () {
                        $(this).dialog("close");
                    }
           }
          });
          $dialog.dialog('open');
        } 
    </script>
  </head>
  <body>
  <div style="cursor: pointer;" id="logoutButton">Logout!</div>
  <script>
        $("#logoutButton").click(function() {
          opendialog("http://www.mysp.de/simplesaml/module.php/core/authenticate.php?as=default-sp&logout");
        });
  </script>
  <div id="logoutOverlay"></div>
<? } else { ?>
  </head>
  <body>
    <div style="cursor: pointer;" id="loginButton">Show Login Box</div>
    <div id="loginBox" style="visibility: hidden; width: 0px; height: 0px;">
        <iframe style="border: 0px;" src="simpleSamlAuth.php" width="100%" height="100%"></iframe>
    </div>
    <span id="statusFeld">Visibility: hidden<span>
    <script>
        function toggleLoginBox() {
            if ($('#loginBox').is(":visible") ) {
                $('#loginBox').hidden();
            } else {
                $('#loginBox').visible();
            }
        }

        (function($) {
            $.fn.hidden = function() {
                $('#statusFeld').html('Visibility: hidden');
                return this.each(function() {
                    $(this).css("visibility", "hidden");
                    $(this).css("width", "0");
                    $(this).css("height", "0");
                });
            };
            $.fn.visible = function() {
                $('#statusFeld').html('Visibility: visible');
                return this.each(function() {
                    $(this).css("visibility", "visible");
                    $(this).css("width", "auto");
                    $(this).css("height", "auto");
                });
            };
        }(jQuery));

        $("#loginButton").click(function() {
            toggleLoginBox();
        });
    </script>
<? } ?>
  </body>
</html>


And the code of the sub-page:

<?php 
require_once (__DIR__ . '/simplesaml/_include.php');
$as = new SimpleSAML_Auth_Simple('default-sp');
$as->requireAuth();
?>
<script>
    window.parent.location.reload();
</script>


Any comments and hints are more than welcome, but - up to now, it's only a test page and far from being perfect, so please be kind... ;-)