SP Authorization redirect to -> Dynamic url for application Lander page.


jef...@gmail.com

Aug 20, 2018, 3:48:55 PM
to SimpleSAMLphp
What do I want?

We have an existing web application system, but need to handle IDP initiated requests from a client, and for minimal impact would like to have the SP redirect (once authenticated), to a known lander page with query string arguments.

I want to correctly use a process filter to redirect from an IDP initiated flow to a dynamic lander url on our application.

Our goal here is to plug into that pre-existing system.
What have you done?

I've already configured 2 saml servers, one as a stand-in for the client's eventual IDP, and one that will be our saml SP server. Essentially, we will have 5 attributes delivered to us by the IDP. Our actual application/service is an estore that already has a seamless integration system, wherein other (non-saml) clients take these 5 ingredient attributes, encrypt them and go to a lander that does the decryption, error handling and user creation/login.




Is there anything you don't understand?

I'm a little uncertain as to the *right* architecture. I think the way I want to do this is to add a special Process filter in the SP's 'authproc.sp', e.g. 85 => 'company:RedirectLander', and add the module/file to the SP's module directory.

Defining a class somewhat like: 

class sspmod_company_Auth_Process_RedirectLander extends SimpleSAML_Auth_ProcessingFilter
{
    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
    }

    public function process(&$state)
    {
        // the attributes released by the IDP are in $state['Attributes'];
        // extract, encrypt and redirect from here
    }
}

Then in that function, I can extract the authorization's attributes, and encrypt them locally in that class to redirect to http://companystore.companydomain.com/lander-url/?encrypted=<encrypted hash key> using something like:

$url = 'http://companystore.companydomain.com/lander-url/';
$params = array('encrypted' => $encrypted_hash_key);
\SimpleSAML\Utils\HTTP::redirect($url, $params);

I'm pretty sure this (with some hand waving) will get the job done, but I'm not sure about jumping out of the regular flow for the saml SP server.  Is there a better way to do what I'm after?

jef...@gmail.com

Aug 20, 2018, 5:17:24 PM
to SimpleSAMLphp
Ok, the good news is my basic idea *appears* to be working. The only issue that I found was:

\SimpleSAML\Utils\HTTP::redirect($url, $params);

is a private function, so I replaced that with

\SimpleSAML\Utils\HTTP::redirectTrustedURL($url, $parameters);

I turned on debugging in the saml log, and ... I think it's ok to do what I've done. Please let me know if I'm missing something. Or even if I managed to do it right pretty much the first time at bat. Thanks.
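The filter sketched in the two posts above, written out in full as an added example; it is not code from the thread or from SimpleSAMLphp itself, and targets the 1.x module layout the posts use. The module name "company", the lander URL, the attribute names, the config keys `landerUrl`, `key` and `attributes`, and the secretbox-based token format are all assumptions. The one property worth taking from it is in the name of the call the second post settles on: `redirectTrustedURL()` skips SimpleSAMLphp's `trusted.url.domains` check, so the target it is given must come from the filter's own configuration and never from anything in the request.

```php
<?php
// Added example (not the poster's or SimpleSAMLphp's code): an authproc filter
// for SimpleSAMLphp 1.x that forwards selected attributes, encrypted, to a
// fixed lander. Enabled in the SP's authproc.sp as, e.g.:
//
//   85 => array(
//       'class'      => 'company:RedirectLander',
//       'landerUrl'  => 'https://companystore.companydomain.com/lander-url/',
//       'key'        => '<64 hex chars: a 32-byte secret shared with the lander>',
//       'attributes' => array('uid', 'mail', 'givenName', 'sn', 'customerId'),
//   ),
//
// All of the above keys and values are assumptions made for this example.

class sspmod_company_Auth_Process_RedirectLander extends SimpleSAML_Auth_ProcessingFilter
{
    /** Seconds a redirect token stays valid; bounds replay of a captured URL. */
    const TTL = 120;

    private $landerUrl;  // operator-configured, never request-derived
    private $key;        // 32-byte secretbox key shared with the lander
    private $forward;    // attribute names the lander needs; nothing else leaves

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (empty($config['landerUrl']) || empty($config['key']) || empty($config['attributes'])) {
            throw new SimpleSAML_Error_Exception('RedirectLander: landerUrl, key and attributes are required.');
        }
        $this->landerUrl = $config['landerUrl'];
        $this->key = sodium_hex2bin($config['key']);
        if (strlen($this->key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new SimpleSAML_Error_Exception('RedirectLander: key must be 32 bytes (64 hex chars).');
        }
        $this->forward = $config['attributes'];
    }

    public function process(&$state)
    {
        $token = self::seal(self::pick($state['Attributes'], $this->forward), $this->key);
        // This leaves the normal SP flow: from here on the lander, not the
        // SimpleSAMLphp session, owns the user. Safe only because $landerUrl
        // comes from configuration.
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($this->landerUrl, array('encrypted' => $token));
    }

    /** Keep only the named attributes, first value of each. */
    public static function pick(array $attributes, array $names)
    {
        $out = array();
        foreach ($names as $name) {
            if (!empty($attributes[$name])) {
                $out[$name] = $attributes[$name][0];
            }
        }
        return $out;
    }

    /** Authenticated encryption (XSalsa20-Poly1305 secretbox) of payload plus expiry. */
    public static function seal(array $payload, $key)
    {
        $payload['exp'] = time() + self::TTL;
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = sodium_crypto_secretbox(json_encode($payload), $nonce, $key);
        return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    }

    /** Lander side: the attributes, or null if the token is forged, damaged or expired. */
    public static function open($token, $key)
    {
        try {
            $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
            $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
            $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
        } catch (SodiumException $e) {
            $plain = false;  // malformed base64 or truncated ciphertext
        }
        if ($plain === false) {
            return null;  // MAC failure: tampered, truncated or wrong key; nothing is parsed
        }
        $payload = json_decode($plain, true);
        if (!is_array($payload) || empty($payload['exp']) || $payload['exp'] < time()) {
            return null;  // expired or malformed
        }
        unset($payload['exp']);
        return $payload;
    }
}
```

The lander calls `open($_GET['encrypted'], $key)` with the same 32-byte key and treats `null` as "not logged in". Because the token is authenticated as well as encrypted, a modified or replayed-after-expiry query string fails before any attribute reaches the store's user-creation code, which is the check a plain "encrypted hash key" in a URL would otherwise lack.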

Jaime Perez Crespo

Aug 21, 2018, 2:53:44 AM
to SimpleSAMLphp
Hi,
You don’t have to do any of that to get redirected after authentication to a URL of your choice. If you are using SP-initiated flows, SSP will get you back to the original URL where authentication was triggered. For IdP-initiated flows, like your use case, you just need to set the RelayState configuration option in your SAML auth source:

https://simplesamlphp.org/docs/stable/saml:sp

--
Jaime Pérez
Uninett / Feide

jaime...@uninett.no
jaime...@protonmail.com
9A08 EA20 E062 70B4 616B 43E3 562A FE3A 6293 62C2

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Jeff Brown

Aug 21, 2018, 9:38:08 AM
to simple...@googlegroups.com
Yeah, but it needs to be a dynamic url with query string arguments. I first tried setting it in a parallel module and it didn't work. And this *IS* getting the job done. I was/am mostly concerned with not stepping on landmines with this solution, and near as I can tell, I seem to be okay (not exploded).

Thanks.

--
This is a mailing list for users of SimpleSAMLphp, not a support service. If you are willing to buy commercial support, please take a look here:

https://simplesamlphp.org/support

Before sending your question, make sure it is related to SimpleSAMLphp, and not your web server's configuration or any other third-party software. This mailing list cannot help with software that uses SimpleSAMLphp, only regarding SimpleSAMLphp itself.

Make sure to read the documentation:

https://simplesamlphp.org/docs/stable/

If you have an issue with SimpleSAMLphp that you cannot resolve and reading the documentation doesn't help, you are more than welcome to ask here for help. Subscribe to the list and send an email with your question. However, you will be expected to comply with some minimum, common sense standards in your questions. Please read this carefully:

http://catb.org/~esr/faqs/smart-questions.html
---
You received this message because you are subscribed to a topic in the Google Groups "SimpleSAMLphp" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/simplesamlphp/GkdM4jY_Q0E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to simplesamlph...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Jaime Perez Crespo

Aug 21, 2018, 10:26:45 AM
to simple...@googlegroups.com
Hi again Jeff,

On 21 Aug 2018, at 15:37 PM, Jeff Brown <jef...@gmail.com> wrote:
> Yeah. but it needs be a dynamic url with query string arguments. I first tried setting it in a parallel module and it didn't work. And this *IS* getting the job done. I was/am mostly concerned with not stepping on landmines with this solution, and near as I can tell, I seem to be okay (not exploded).

Remember the configuration is PHP code. So whatever you are doing to generate those URLs in your module, you can do it as well in the configuration. The advantage is that it’ll be cleaner, and you won’t have any extra modules that you need to care about when upgrading.

jef...@gmail.com

Aug 21, 2018, 10:29:01 AM
to SimpleSAMLphp
Hmmm, I take your point, but I don't think that works for our use case, as we need to have the attribute values in the IDP's assertion decrypted, in order to encrypt them for our local store's seamless interface.

Jaime Perez Crespo

Aug 21, 2018, 10:35:35 AM
to simple...@googlegroups.com
On 21 Aug 2018, at 16:29 PM, jef...@gmail.com wrote:
> Hmmm, I take your point, but I don't think that works for our use case, as we need to have the attribute values in the IDP's assertion decrypted, in order to encrypt them for our local store's seamless interface

IIRC, attributes will be automatically decrypted (if they were encrypted at all) for you. In any case, your landing page is the one that should fetch the attributes and do whatever is needed with them. That landing page is the URL you have to set in the RelayState configuration option. After that, you can do whatever you want (redirect to a known entry point of your app, etc).

Jeff Brown

Aug 21, 2018, 11:41:24 AM
to simple...@googlegroups.com
Yeah, due to deadlines, we lack the time to re-architect it that way for the moment, but I'll keep it in mind for the future.

My first approach was exactly as you described, but issues with sessions gave me headaches for over two weeks (I didn't know about this place at the time). And I ended up migrating to memcache, which seemed to solve the session issues with the IDP stand-in and SP server. At which point I returned to trying to make a landing page as you described, but I was never able to get a single attribute from the remote saml connection on my lander. At least this way, by dropping the module in place, I know I've got the right data at the right instance, and I can solve our issue for the moment.

Regarding maintenance for updates, I've made a git repository clone for our SAML servers, including a branch for our additional module, and I'm sure I can deal with that over the long haul until we do get time for a re-architect/second phase.

Thanks for your feedback.


Jaime Perez Crespo

Aug 22, 2018, 3:33:54 AM
to simple...@googlegroups.com
Hi,

On 21 Aug 2018, at 17:41 PM, Jeff Brown <jef...@gmail.com> wrote:
> Yeah due to deadlines, we lack the time to re-architect it that way for the moment, but I'll keep it in mind for the future.
>
> My first approach was exactly as you described, but issues with sessions gave me headaches for over two weeks (I didn't know about this place at the time). And I ended up migrating to memcache, which seemed to solve the session issues with the IDP stand in and SP server. At which point I returned to trying to make a landing page as you described, but I was never able to get a single attribute from the remote saml connection on my lander.

What did your logs say?

If you were having issues with sessions, it’s likely that you also had them misconfigured. That would actually explain that error, since when you reach your landing page at "/foo/bar.php", your SimpleSAMLphp session set for "/simplesaml/" is not available. Of course that’s only an example, but could be the reason.

> At least this way, by dropping the module in place, I know I've got the right data at the right instance, and I can solve our issue for the moment.
>
> Regarding maintenance for updates, I've made a git repository clone for our SAML servers, including a branch for our additional module, and I'm sure I can deal with that over the long haul until we do get time for a re-architect/second phase.

I don’t think that’ll be easy to manage. If you really want to do this with a module, you should then make that module installable with composer:

https://github.com/simplesamlphp/composer-module-installer

Then you can update SimpleSAMLphp *and* your module with composer, while keeping your configuration apart. Tracking the original repo is not really recommended unless you are doing development, since you should always use stable releases.
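The landing-page route Jaime recommends through the thread, as an added example that is not code from the thread or from SimpleSAMLphp: the RelayState setting computed in PHP, the session-cookie path point from his last reply, and a lander that fetches the attributes itself instead of having a filter push them out. The file paths, the attribute names, the store's entry point `/account/` and the query parameters in the RelayState are assumptions.

```php
<?php
// Added example (not code from the thread or from SimpleSAMLphp 1.x).
//
// 1. config/authsources.php on the SP. RelayState is where an IdP-initiated
//    login ends up. The file is PHP, so the query string can be built here,
//    but only from operator-controlled values: this URL is followed as-is,
//    so nothing from $_GET/$_POST/$_SERVER may reach it.
//
//   'default-sp' => array(
//       'saml:SP',
//       'entityID' => null,
//       'idp' => null,
//       'RelayState' => 'https://companystore.companydomain.com/lander-url/?'
//           . http_build_query(array('source' => 'saml', 'v' => '2')),  // assumed params
//   ),
//
// 2. config/config.php. The lander and the SP endpoints must see the same
//    SimpleSAMLphp session cookie (the mismatch described in the last reply).
//    When the lander lives outside /simplesaml/ on the same host, the cookie
//    path has to cover it:
//
//   'session.cookie.path' => '/',
//
// 3. The lander itself, assumed to live at www/lander-url/index.php on the
//    store and to be able to load SimpleSAMLphp's autoloader.

require_once('/var/simplesamlphp/lib/_autoload.php');  // assumed install path

// Attribute names the store's seamless login needs; assumed for this example.
const REQUIRED_ATTRIBUTES = array('uid', 'mail', 'givenName', 'sn', 'customerId');

/**
 * Reduce SimpleSAMLphp's multi-valued attribute array to one value per
 * required attribute. Returns null (and fills $missing) when the IdP did not
 * release everything the store needs, so a partial profile is never created.
 */
function collectProfile(array $attributes, array $required, array &$missing = null)
{
    $missing = array();
    $profile = array();
    foreach ($required as $name) {
        if (empty($attributes[$name]) || !is_array($attributes[$name])) {
            $missing[] = $name;
            continue;
        }
        $profile[$name] = $attributes[$name][0];
    }
    return $missing ? null : $profile;
}

$as = new SimpleSAML_Auth_Simple('default-sp');
// IdP-initiated: the SP session already exists and this returns at once.
// A user who opens the lander directly gets a normal SP-initiated login
// and is sent back here afterwards.
$as->requireAuth();

$profile = collectProfile($as->getAttributes(), REQUIRED_ATTRIBUTES, $missing);
if ($profile === null) {
    http_response_code(400);
    header('Content-Type: text/plain');
    echo 'IdP did not release required attributes: ' . implode(', ', $missing);
    exit;
}

// Hand over to the store's own session. A fresh session id on login closes
// the session-fixation window; the SimpleSAMLphp session is left untouched.
session_start();
session_regenerate_id(true);
$_SESSION['store_user'] = $profile;

// Finally, redirect to a known entry point of the application (assumed path).
header('Location: /account/', true, 303);
exit;
```

Nothing in this version is encrypted and nothing leaves the host in a query string: the attributes travel from the SP's session store to the lander inside the same SimpleSAMLphp installation, which is why the cookie path in step 2 is the piece that decides whether `getAttributes()` returns anything at all.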