MVC Application and isPassive login with multiple domains


gioh...@hotmail.it

Aug 22, 2016, 9:17:31 AM
to SimpleSAMLphp
Hello to all.
I have this scenario:
Domain one www.domainone.com (MVC Laravel Application)
Domain two www.domaintwo.com (MVC Laravel Application)

On each domain I use the isPassive method to check whether there is a session at the IdP.
This system is not very nice because you see a redirect in the browser's address bar, from and to the IdP.
Also, this operation has to be repeated at every point in the web application where I have to check whether you are still logged in,
because the logout or login can take place either from domainone or domaintwo.

Is there a method, such as SOAP requests, to avoid these redirects?

Thank you all,
George


I use this middleware in a Laravel controller to verify whether the user is authenticated.

namespace App\Http\Controllers;

use Illuminate\Http\Request;

class HomeController extends Controller
{
    public function __construct()
    {
        // Run the passive SAML check (middleware below) before every action.
        $this->middleware('samlloginpassive');
    }

    public function loadPage(Request $request, $nologin = null)
    {
        // The middleware attaches the SP attributes to the request;
        // anonymous visitors get an empty array.
        $attributes = $request->attributes->get('myAttribute');
        if (empty($attributes)) {
            $attributes = array();
        }

        return view('home', array('attributes' => $attributes));
    }
}

Middleware

namespace App\Http\Middleware;

use Closure;

// Middleware registered under the 'samlloginpassive' alias (class name assumed).
class SamlLoginPassive
{
    public function handle($request, Closure $next)
    {
        $as = new \SimpleSAML_Auth_Simple('default-sp');

        $attributes = array();

        if ($as->isAuthenticated()) {
            // An SP session exists: reuse its attributes, no IdP round trip.
            $attributes = $as->getAttributes();
        } else {
            // Make one passive attempt; 'passiveAttempted' is assumed to be set
            // by the passive_failed handler (not shown) so the next request
            // does not start another passive request.
            if (!$request->session()->get('passiveAttempted')) {
                $as->login(array(
                    'isPassive' => TRUE,
                    'saml:idp'  => env('IDP_METADATA', env('IDP_METADATA_LOCAL')),
                    'ErrorURL'  => url('passive_failed/passive_failed'),
                ));
            } else {
                $request->session()->forget('passiveAttempted');
            }
        }

        $request->attributes->add(['myAttribute' => $attributes]);

        return $next($request);
    }
}





Peter Schober

Aug 23, 2016, 4:39:46 AM
to SimpleSAMLphp
* gioh...@hotmail.it <gioh...@hotmail.it> [2016-08-22 15:17]:
> This system is not very nice because you see a redirect in the
> browser's address bar, from and to the IDP.

That's because you're disrupting people's workflow by sending
authentication requests to the IDP (with isPassive set, but as you've
seen that's not without side-effects). So if it hurts, stop doing it.

There's no special API defined solely for this purpose, so the
SAML-defined protocols and bindings apply just the same here.

> Also this operation has to be repeated at every point in the web
> application where I have to check if you are still logged in ,
> because the logout or login can take place either from domainone or
> domaintwo

Why care at all about the IDP session in the application protected by
an SP?

> There is a method such as SOAP requests to avoid these Redirect?

You can stop sending additional authn requests (with isPassive set),
though; that will avoid those disrupting redirects.

> I use this middleware in Laravel controller to verify if user is
> authenticated.

I don't know why you're doing what you're doing (obviously, as you
didn't say) but your application should only be concerned with a valid
SP session (not the IDP's), as that's where the attributes come
from. And unless you're trying to deploy SLO you wouldn't even need
the SP's session/data after creating an application session from
it. Just load the data from the SP into your application (at session
creation time), persist it if/as needed, and only care about the
application's own session from then on.

-peter
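The approach Peter describes, written out as a Laravel middleware. This is an added example, not code from the thread or from SimpleSAMLphp; the class name and the session key `saml_attributes` are assumptions, and an explicit login route (calling `requireAuth()`) is assumed to exist elsewhere:

```php
<?php
// Added example: consult the SP session once, copy its attributes into the
// application's own session, and never issue (passive) authn requests from
// the middleware. Class name and session key are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class SamlSessionBootstrap
{
    // Application-session key under which SP attributes are cached (assumed).
    const ATTR_KEY = 'saml_attributes';

    public function handle(Request $request, Closure $next)
    {
        $session = $request->session();

        // Fast path: the application already has its own session, so no
        // SP/IdP round trip happens and no redirect shows in the address bar.
        if (!$session->has(self::ATTR_KEY)) {
            $as = new \SimpleSAML_Auth_Simple('default-sp');

            if ($as->isAuthenticated()) {
                // Session creation time: rotate the application session id
                // before trusting it with identity data (session fixation).
                $session->regenerate();
                $session->put(self::ATTR_KEY, $as->getAttributes());
            }
            // Otherwise the visitor stays anonymous. Authentication is only
            // started by an explicit login route (e.g. $as->requireAuth()),
            // never on every request and never with isPassive.
        }

        $request->attributes->add([
            'myAttribute' => $session->get(self::ATTR_KEY, []),
        ]);

        return $next($request);
    }
}
```

Logout on one domain is then handled by the application's own session (and SLO only if you actually deploy it), not by polling the IdP from every page.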