Re: Keep "deep links" into SP when linking from one IdP's login page to another


Peter Schober
Jan 30, 2013, 6:23:36 AM
to simple...@googlegroups.com
* Palle Girgensohn <gir...@pingpong.net> [2013-01-29 22:05]:
> Now, if the users initially linked to
> https://sp.example.com/deep/link/path.html, I'd need to get the deep link
> from the session information.
>
> How? I just cannot find it stored anywhere? Is it only stored in the SP?

It might well be. The spec only says that the IdP must pass back the
RelayState to the SP unmodified, IIRC. It /does/ not mandate it to be
a URL (which it is with SimpleSAMLphp; also this has privacy
implications since the IDP can know exactly what URL you're accessing
at the SP), so this is implementation specific and will not work with
every SP.
-peter

Palle Girgensohn
Jan 30, 2013, 6:30:58 AM
to simple...@googlegroups.com
The SP in this case is Shibboleth. And it has privacy implications. It should probably not be accessible on the IdP. I had hoped I would be able to send the RelayState back together with an entityID parameter, but this does not seem to work. Leaves me with the option to set up a proper DS.

A question here: are there any good docs for setting up an IdP-centric DS? I.e., it should default to a specific IdP, that should be implicitly remembered as the preferred choice for this user, and on the *login page* for the primary IdP there would be an option to choose another IdP, or choose from a list, using DS.


Peter Schober
Jan 30, 2013, 6:47:39 AM
to simple...@googlegroups.com
* Palle Girgensohn <gir...@pingpong.net> [2013-01-30 12:31]:
> The SP in this case is Shibboleth. And it has privacy
> implications. It should probably not be accessible on the IdP. I had
> hoped I would be able to send the RelayState back together with an
> entityID parameter, but this does not seem to work. Leaves me with
> the option to set up a proper DS.

Maybe I misspoke. It doesn't matter what the value of the RelayState
is. Assuming AuthnRequests are not signed, you could either construct
your own AuthnRequest to the other IDP (in the name of the SP),
sticking the RelayState in there, or, if the other IDP supports it,
start an IDP-initiated flow pointing to the SP (though I'm not sure
this can include the RelayState since technically with IDP-initiated
there cannot be state at the SP).

So try to figure out how to get at the RelayState parameter within the
SSP API first; IMHO you still have options to make this work the way you
intended to.

> A question here: are there any good docs for setting up an IdP-centric
> DS? I.e., it should default to a specific IdP, that should be
> implicitly remembered as the preferred choice for this user, and
> on the *login page* for the primary IdP there would be an option to
> choose another IdP, or choose from a list, using DS.

With SAML2 DS the flow is from SP -> DS -> SP -> IDP (i.e., from DS
back to the SP), so where this is hosted would be irrelevant as long as
it's accessible without any state or as part of a protocol exchange (so
the IDP's login page probably doesn't qualify).
Any DS worth mentioning will be able to default to one IdP and also
remember a subject's previous choice. It's just the part where you
want this to happen on the IdP login page that might prove to be
difficult. But maybe it's not.
-peter

Palle Girgensohn
Feb 14, 2013, 4:11:21 PM
to simple...@googlegroups.com
I found a way to achieve my goal, to get deep links to work when linking
from one IdP to another from the IdP login page.

I got the saml:RelayState from the session, and used it as a target
parameter back to the SP, together with an entityId parameter pointing
to selected IdP.

In modules/pingpong/themes/MY_THEME/core/loginuserpass.php

at the top, add:

/* Retrieve the authentication state; refuse the request if the
   AuthState parameter is missing instead of loading an undefined id. */
if (!array_key_exists('AuthState', $_REQUEST)) {
    throw new SimpleSAML_Error_BadRequest('Missing AuthState parameter.');
}
$authStateId = $_REQUEST['AuthState'];
$state = SimpleSAML_Auth_State::loadState($authStateId,
    sspmod_core_Auth_UserPassBase::STAGEID);
/* Get the RelayState to use as target, so deep links will work when
   selecting a different IdP. Not every flow sets it, so guard the lookup. */
$target = isset($state['saml:RelayState']) ? $state['saml:RelayState'] : '';


Then add a link somewhere to the other IdP:

<a href="https://sp.example.com/Shibboleth.sso/Login?entityID=http%3A%2F%2FTheEntityIDOfTheOtherIdP&target=<?php echo urlencode($target); ?>">Use other IdP to authenticate</a>

Hope this helps someone.

Cheers,
Palle
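
A hardened version of the same "switch IdP" link, added here as an example and not code from the thread or from SimpleSAMLphp: it only reuses saml:RelayState as the target when it is an absolute https URL on the SP's own host, and otherwise falls back to a default, so an opaque or foreign RelayState (which, as Peter notes, the spec allows) is never reflected into the link. The SP host, the other IdP's entityID and the sample $state are placeholders.

```php
<?php
// Added example (not from the thread). In the theme's loginuserpass.php,
// $state would come from SimpleSAML_Auth_State::loadState() as shown above;
// here a constructed $state stands in so the snippet runs on its own.

/**
 * Return saml:RelayState as the deep-link target only when it is an absolute
 * https URL on the SP's own host. A missing value, an opaque token, or a URL
 * pointing elsewhere yields $default instead.
 */
function ssp_deep_link_target(array $state, $spHost, $default)
{
    if (!isset($state['saml:RelayState'])) {
        return $default;
    }
    $relayState = $state['saml:RelayState'];
    $parts = parse_url($relayState);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || strtolower($parts['scheme']) !== 'https'
        || strcasecmp($parts['host'], $spHost) !== 0
        || isset($parts['user']) || isset($parts['pass'])) {
        return $default;
    }
    return $relayState;
}

/**
 * Build the link to the Shibboleth SP Login handler with the entityID of
 * the IdP to use and the target to return to; query parameters and the
 * attribute value are both escaped.
 */
function ssp_switch_idp_link($spHost, $idpEntityId, $target, $label)
{
    $url = 'https://' . $spHost . '/Shibboleth.sso/Login?'
         . http_build_query(array('entityID' => $idpEntityId, 'target' => $target));
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample state (placeholder values) for a stand-alone run.
$state = array('saml:RelayState' => 'https://sp.example.com/deep/link/path.html');
$target = ssp_deep_link_target($state, 'sp.example.com', 'https://sp.example.com/');
echo ssp_switch_idp_link('sp.example.com', 'https://other-idp.example.org/idp',
    $target, 'Use other IdP to authenticate');
```

With the sample state the link carries the deep link as target; replace the sample with a RelayState such as an opaque token or a URL on another host and the default target is used instead.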
