Re: How to create username/password form?


Emmanuel Dreyfus

Aug 10, 2012, 8:36:59 AM
to simple...@googlegroups.com
On Fri, Aug 10, 2012 at 05:33:22AM -0700, megaloman wrote:
> I believe it would be just a simple form which needs to be posted directly
> to the idP... but I cannot find any examples :-/

The idea of identity federations is that the user interacts with his IdP,
and you never see his login/password. You should not post a form on behalf
of the user, perhaps this is why there are few examples of such usage.

--
Emmanuel Dreyfus
ma...@netbsd.org

megaloman

Aug 10, 2012, 8:40:42 AM
to simple...@googlegroups.com
Hello,

Yes, that was my understanding. Though, they have asked me "to send a post request to the idP". They work primarily with Microsoft solutions, when I said I was using simpleSAMLphp, they've freaked out a bit :)

thanks anyway,
m.

Emmanuel Dreyfus

Aug 10, 2012, 8:43:13 AM
to simple...@googlegroups.com
On Fri, Aug 10, 2012 at 05:40:42AM -0700, megaloman wrote:
> Yes, that was my understanding. Though, they have asked me "to send a post
> request to the idP". They work primarily with Microsoft solutions, when I
> said I was using simpleSAMLphp, they've freaked out a bit :)

You (well, simpleSAMLphp) send to the user a page that posts the SAML
request to the IdP. Then the IdP presents the user a login form, but
you are not involved here. Once the form is validated the IdP causes
the user to post the SAML reply to your SP.


--
Emmanuel Dreyfus
ma...@netbsd.org
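
The page described in the reply above, as an added example that is not part of the thread and not SimpleSAMLphp's own code: a minimal sketch of the auto-submitting HTTP-POST binding page an SP sends to the browser. The entity ID, URLs and RelayState value are constructed placeholders, and the request is left unsigned for brevity. The form carries only `SAMLRequest` and `RelayState`; there are no username or password fields, because the credentials are typed into the IdP's own page.

```php
<?php
// Added example; names, URLs and the entity ID are constructed placeholders.

/** Build a minimal, unsigned SAML 2.0 AuthnRequest. */
function buildAuthnRequest(string $spEntityId, string $acsUrl, string $idpSsoUrl): string
{
    $id = '_' . bin2hex(random_bytes(16));     // XML IDs must not start with a digit
    $issueInstant = gmdate('Y-m-d\TH:i:s\Z');  // UTC timestamp
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');

    return '<samlp:AuthnRequest'
        . ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        . ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        . ' ID="' . $id . '" Version="2.0" IssueInstant="' . $issueInstant . '"'
        . ' Destination="' . $esc($idpSsoUrl) . '"'
        // ProtocolBinding names the binding the IdP should use for its response.
        . ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        . ' AssertionConsumerServiceURL="' . $esc($acsUrl) . '">'
        . '<saml:Issuer>' . $esc($spEntityId) . '</saml:Issuer>'
        . '</samlp:AuthnRequest>';
}

/** Render the page whose only job is to post the request to the IdP. */
function renderPostBindingPage(string $idpSsoUrl, string $authnRequest, string $relayState): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // HTTP-POST binding: the XML is base64-encoded (no DEFLATE, unlike HTTP-Redirect).
    $samlRequest = base64_encode($authnRequest);

    return "<!DOCTYPE html>\n<html><body onload=\"document.forms[0].submit()\">\n"
        . '<form method="post" action="' . $h($idpSsoUrl) . "\">\n"
        . '<input type="hidden" name="SAMLRequest" value="' . $h($samlRequest) . "\">\n"
        . '<input type="hidden" name="RelayState" value="' . $h($relayState) . "\">\n"
        . "<noscript><button type=\"submit\">Continue to login</button></noscript>\n"
        . "</form></body></html>\n";
}

$idp = 'https://idp.example.org/sso';  // constructed IdP SSO endpoint
$xml = buildAuthnRequest('https://sp.example.com/metadata', 'https://sp.example.com/acs', $idp);
echo renderPostBindingPage($idp, $xml, '/members/home');
```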

megaloman

Aug 10, 2012, 8:50:15 AM
to simple...@googlegroups.com

at the moment, idP sends user back to the login page hosted on my SP.
I guess I would need to embed a form login idP via an iframe, how do I request a login form?

Emmanuel Dreyfus

Aug 10, 2012, 8:52:00 AM
to simple...@googlegroups.com
On Fri, Aug 10, 2012 at 05:50:15AM -0700, megaloman wrote:
> at the moment, idP sends user back to the login page hosted on my SP.

That seems wrong. Perhaps the IdP validated your identity and the
SP allows you to access the resource, which happens to be a login form?

--
Emmanuel Dreyfus
ma...@netbsd.org

megaloman

Aug 10, 2012, 8:55:12 AM
to simple...@googlegroups.com
On Friday, August 10, 2012 1:52:00 PM UTC+1, Emmanuel Dreyfus wrote:
> On Fri, Aug 10, 2012 at 05:50:15AM -0700, megaloman wrote:
> > at the moment, idP sends user back to the login page hosted on my SP.
>
> That seems wrong. Perhaps the IdP validated your identity and the
> SP allows you to access the resource, which happens to be a login form?

They have asked me for the url to the login page. Users normally wouldn't see that page -- login form used to be at the top of every page.

Many thanks,
m.

Dick Visser

Aug 21, 2012, 10:23:19 AM
to simple...@googlegroups.com
On 10 August 2012 14:33, megaloman <marek....@gmail.com> wrote:
> Hello,
>
> I work on a website which authenticates users with a remote auth centre. So
> basically my app is a service provider.

OK

> Till now, we used to authenticate users using soap requests, but the
> supplier of the authentication centre (idP) is switching to SAML.
> So far I've successfully installed the simpleSAMLphp library and managed to
> bind it to the idP -- using a test page, when I click the 'default-sp', it
> redirects me to the idP's servers and then it redirects me back to my login
> page.

This is not OK. You should be redirected to the IdP server and that
machine should do the authentication.
You are not involved in any way.
Once the auth goes OK, you get redirected back to your SP.
That is the whole concept - your SP doesn't and shouldn't need any
authentication data.


--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

Bill Bohling

Sep 4, 2012, 11:57:32 AM
to simple...@googlegroups.com
I'm trying to do the same thing in a Drupal site.  I've got things working with the login link that sends the user to an idP form, the user logs in at the idP and is redirected back to my Drupal site, where they show as now being logged in.  The client saw that and said "Great, now replace that login link with a login form so the user doesn't see that they're going back and forth between domains."  So, I've now got a form on my site that takes a username and password and tries to send them to the idP via the form action attribute. 

<form action="https://example.org/simplesaml/module.php/core/loginuserpass.php?AuthState=form-LR48ZXne9TmTermxoFzuaXr1md0xRxlBo3aSAl4JHVs" method="post" id="user-login-form" accept-charset="UTF-8">
  <input type="text" id="edit-username" name="username" value="" size="15" maxlength="60" class="form-text required" />
  <input type="password" id="edit-password" name="password" size="15" maxlength="60" class="form-text required" />
  <input type="submit" id="edit-submit" name="op" value="Login" class="form-submit" />
</form>

Where I'm currently stuck is what URL I need to put into that form action attribute so the request goes to the right place.

So my questions are:
Is this possible?
If so, what should my action be?

thanks,
Bill


On Friday, August 10, 2012 5:33:22 AM UTC-7, megaloman wrote:
> Hello,
>
> I work on a website which authenticates users with a remote auth centre. So basically my app is a service provider.
> Till now, we used to authenticate users using soap requests, but the supplier of the authentication centre (idP) is switching to SAML.
> So far I've successfully installed the simpleSAMLphp library and managed to bind it to the idP -- using a test page, when I click the 'default-sp', it redirects me to the idP's servers and then it redirects me back to my login page.
> Now my issue there is -- idP requires me to send a request with username and a password... but I do not know how to prepare that form.
> Does anyone have any examples?
>
> I believe it would be just a simple form which needs to be posted directly to the idP... but I cannot find any examples :-/
>
> Many thanks in advance!
> m.

megaloman

Sep 4, 2012, 12:23:00 PM
to simple...@googlegroups.com
Hello Bill,

On Tuesday, September 4, 2012 4:57:32 PM UTC+1, Bill Bohling wrote:
> (...)
>
> So my questions are:
> Is this possible?
> If so, what should my action be?

I was stuck with the same question and after getting a better understanding of how SAML works in general I would say it's not possible.

Our workaround for the issue was a JavaScript library which loaded an overlay directly from the idP -- overlay popup looks consistent across other websites.

Have a look at the way Google has implemented SAML authentication -- whenever you need to login with Google, you get Google's login page -- that makes you feel safer as you trust Google, but you may not trust other websites. The same is with a Facebook login -- whenever you click 'login with facebook' it would open a new window / popup with Facebook's page.

Hope that helps,
Marek

Dick Visser

Sep 5, 2012, 9:05:46 AM
to simple...@googlegroups.com
On 4 September 2012 17:57, Bill Bohling <bgbo...@gmail.com> wrote:

> <form
> action="https://example.org/simplesaml/module.php/core/loginuserpass.php?AuthState=form-LR48ZXne9TmTermxoFzuaXr1md0xRxlBo3aSAl4JHVs"
> method="post" id="user-login-form" accept-charset="UTF-8">
> <input type="text" id="edit-username" name="username" value="" size="15"
> maxlength="60" class="form-text required" />
> <input type="password" id="edit-password" name="password" size="15"
> maxlength="60" class="form-text required" />
> <input type="submit" id="edit-submit" name="op" value="Login"
> class="form-submit" />
> </form>

So here you'll know the user's login and password.
Every once in a while people find themselves doing this - or having to do this.
However, the whole idea of SAML is to prevent stuff like this from happening.
So while it might work, it should be considered a form of phishing, and
hence Bad Practice.
Therefore the correct way to respond to a client saying "Great, now
replace that login link with a login form", is by denying the request
;-)

ireneri...@gmail.com

Apr 28, 2020, 6:58:05 PM
to SimpleSAMLphp
O