How to get/request attributes from IdP - without forcing login


Martyn Bissett

Oct 1, 2014, 10:17:25 PM10/1/14
to simple...@googlegroups.com
I have the following minimal code for an index page:

<?php // index.php

require_once('../simplesamlphp/lib/_autoload.php');
$authService = new SimpleSAML_Auth_Simple('default-sp');

//$authService->requireAuth(); // commented out

$attributes = $authService->getAttributes();
// render page....


I don't want to use requireAuth here because it is quite acceptable for the user to view the index page without having to log in. If I use requireAuth it will force the user to log in, right?

BUT, if I have already logged in using another SP (by the way, the other SP also authenticates against the same IdP as this SP does) and I load this page, it doesn't fetch the attributes from the IdP. I have to uncomment requireAuth, THEN it will fetch the attributes. This is fine if the user has already logged into the IdP. But if not, and they haven't logged in, requireAuth will force them to. I don't want this. I only want to fetch attributes - if they exist, otherwise it's fine for now (no login required for this page).

Is it possible to get attributes for a current session from the IdP, but if the user hasn't yet logged in - don't force them - can I do this? I'm sure I can do something hacky to achieve this, but it seems like a feature that would be desirable even if not implemented yet ( $authService->getAttributes(true) - where true might instruct authService to fetch from the IdP ).

I've been looking at the documentation for SP API reference but can't see anything that allows for this. I previously assumed that getAttributes did this but looking at my IdP/SPs in dev I can see that's not the case.

https://simplesamlphp.org/docs/1.8/simplesamlphp-sp-api

Can anyone tell me how I should be doing this, perhaps I'm not using the API correctly. Thanks

Peter Schober

Oct 2, 2014, 7:49:38 AM10/2/14
to simple...@googlegroups.com
* Martyn Bissett <marty...@gmail.com> [2014-10-02 04:17]:
> Is it possible to get attributes for a current session from IdP, but if the
> user hasn't yet logged in - don't force them - can I do this?

Yes, set isPassive according to the documentation.
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_4_2

> I've been looking at the documentation for SP API reference but can't see
> anything that allows for this. I previously assumed that getAttributes did
> this but looking at my IdP/SPs in dev I can see that's not the case.
>
> https://simplesamlphp.org/docs/1.8/simplesamlphp-sp-api

I certainly hope you're not running SSP 1.8.
If you're not then why use the documentation for version 1.8?
It's not as if that wouldn't be obvious from both the URL itself and
the yellow warning box in the upper right hand corner of that page.
-peter

Martyn Bissett

Oct 2, 2014, 9:17:57 AM10/2/14
to simple...@googlegroups.com, peter....@univie.ac.at
*face palm* No I'm using the most recent version, I'd googled the method and in my haste didn't notice the version of the link it provided. Thanks for pointing out the obvious.

Great, I'll check that out. Thanks again.

Martyn Bissett

Oct 3, 2014, 5:57:53 AM10/3/14
to simple...@googlegroups.com
Thanks. But I can't seem to avoid going into a redirect loop. See below, my code for the homepage (or any page, so as to get the user's logged-in status):

<?php


require_once('../simplesamlphp/lib/_autoload.php');
$authService = new SimpleSAML_Auth_Simple('default-sp');

$authService->requireAuth(array(
    'isPassive' => true,
    'ErrorURL' => 'http://local-ssosp1/', // home page
));

$attributes = $authService->getAttributes();

?><html>....


When the user is logged in this all works fine. But when the user is not logged in and no session exists - is this treated as an error? In my case it's no error, just the user hasn't logged in yet. I don't want to redirect, I just want to carry on. Anyway, when it redirects it keeps coming back to this page and then ...redirecting again. Am I doing this all wrong?

I'd like each page to be able to check if the user is logged in at the IdP. I thought something like a behind the scenes request and response were exchanged, then the script would continue.

Thanks

Martyn Bissett

Oct 6, 2014, 12:18:03 AM10/6/14
to simple...@googlegroups.com
OK, just in case anyone has the same problem, here is my solution (not sure if it's ideal though, lots of redirects and at the moment the back button is broken, but it's the best I've come up with till now):

index.php (any page really that you want to have user attributes)

This page is loaded and first checks if the session exists using passive login:

<?php session_start();


require_once('../simplesamlphp/lib/_autoload.php');
$authService = new SimpleSAML_Auth_Simple('default-sp');

if(! isset($_SESSION['auth_checked']) or $_SESSION['auth_checked'] == false) {

    $authService->requireAuth(array(
        'isPassive' => true,
        'ErrorURL' => 'http://local-ssosp1/error.php',
    ));
}

$_SESSION['auth_checked'] = false;


$attributes = $authService->getAttributes();

?><html>...


In the event that the user is not logged in, the IdP returns a SAML error, which is handled by the error.php script:

<?php session_start();

require_once('../simplesamlphp/lib/_autoload.php');

// SSP appends the exception state id to ErrorURL; this loads that state.
$errorState = SimpleSAML_Auth_State::loadExceptionState();

$url = $errorState['SimpleSAML_Auth_Default.ReturnURL'];

$_SESSION['auth_checked'] = true; // by pass the authentication
header("location: $url");
exit; // stop here so nothing after the redirect header is executed



I probably should check if($errorState[SimpleSAML_Auth_State::EXCEPTION_DATA] instanceof SimpleSAML_Error_NoPassive), but for now my error.php script just redirects the browser back to the page it was originally at.

Anyway, this does what it needs to do. But in this basic form it has broken my back button, so I need to handle that somehow. I guess, once the user's attributes are loaded into the session (as is done when they have been verified as logged in), this won't happen from then on.
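The following is an added example (not code from the thread or from SimpleSAMLphp) that puts Peter's isPassive suggestion and Martyn's two-file workaround into a single include that cannot loop. It assumes the same layout as the posts above: an SP named 'default-sp', simplesamlphp installed next to the web root, and an application PHP session that coexists with SSP's own session (as in the original code). The session key 'sso_passive_checked' is a name chosen here. The loop is broken in two places: the flag is set before the passive login redirect, so a second attempt is never made in the same session, and the page is its own ErrorURL, so a returning failed attempt is recognised via loadExceptionState() and checked to be a NoPassive result rather than some other SAML error.

```php
<?php
// passive_check.php -- include from any page that should show IdP
// attributes when an IdP session already exists, but must never force a
// login. Added example; names and layout are assumptions (see lead-in).

require_once('../simplesamlphp/lib/_autoload.php');

session_start(); // application session, as in the original posts

define('PASSIVE_CHECK_FLAG', 'sso_passive_checked'); // assumed key name

/**
 * Returns the user's attributes if the SP already has a session or the IdP
 * grants one passively; returns an empty array if the IdP has no session
 * for this user. Performs at most one passive attempt per PHP session.
 * May redirect (and not return) on the first call.
 */
function passive_sso_attributes(SimpleSAML_Auth_Simple $as) {
    // 1. Already authenticated at this SP: just read the stored attributes.
    if ($as->isAuthenticated()) {
        return $as->getAttributes();
    }

    // 2. Coming back from a failed passive attempt? SSP redirects to
    //    ErrorURL with the exception state id in the query string;
    //    loadExceptionState() returns NULL when that parameter is absent.
    $errorState = SimpleSAML_Auth_State::loadExceptionState();
    if ($errorState !== NULL) {
        $e = $errorState[SimpleSAML_Auth_State::EXCEPTION_DATA];
        // Only a NoPassive result means "no IdP session". Any other error
        // (bad signature, unknown IdP, ...) must surface, not be swallowed.
        if (!($e instanceof SimpleSAML_Error_NoPassive)) {
            throw $e;
        }
        $_SESSION[PASSIVE_CHECK_FLAG] = time();
        return array();
    }

    // 3. A passive attempt was already made in this session: do not loop,
    //    even if the browser lost the exception parameter (back button etc).
    if (isset($_SESSION[PASSIVE_CHECK_FLAG])) {
        return array();
    }

    // 4. First visit in this session: set the flag *before* redirecting,
    //    then ask the IdP passively. login() redirects and never returns.
    $_SESSION[PASSIVE_CHECK_FLAG] = time();
    $as->login(array(
        'isPassive' => true,
        // Error handling lands back on this very page (step 2 above).
        'ErrorURL'  => SimpleSAML_Utilities::selfURLNoQuery(),
        // Successful passive login also returns here, now authenticated.
        'ReturnTo'  => SimpleSAML_Utilities::selfURL(),
    ));
}

$authService = new SimpleSAML_Auth_Simple('default-sp');
$attributes  = passive_sso_attributes($authService);

// From here on $attributes is either the IdP-asserted attribute set or an
// empty array for an anonymous visitor; the page renders either way.
```

Usage note: if the user later logs in at the IdP through another SP, the flag keeps this SP from noticing until the PHP session expires or the flag is cleared; an explicit "Log in" link that calls requireAuth() (or unsets the flag) covers that case. Keep the isPassive attempt to one per session: each attempt is a full SAML round trip through the IdP, and unbounded retries are exactly what produced the loop in the thread.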