How to get the incoming SP entityid on the IdP side


Alexander I

Apr 3, 2014, 6:00:33 AM4/3/14
to simple...@googlegroups.com
Hello,

I'm trying to display different themes for different SPs, so that when each user visits the IdP in order to log in they can see their company's branding.

I have created a base theme that overrides the default simpleSAMLphp theme on the IdP side under
modules/[moduleName]/themes/[vendor]/default/includes/header.php
modules/[moduleName]/themes/[vendor]/default/includes/footer.php

and now what I'm trying to do is get the incoming SP entityid while in header.php and switch on that value, including different CSS files.

I have tried using SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataCurrent()
but I'm getting this error:
Fatal error: Exception thrown without a stack frame in Unknown on line 0

Am I looking at it from the wrong point of view?

alex

Tom Scavo

Apr 3, 2014, 6:42:26 AM4/3/14
to simpleSAMLphp
On Thu, Apr 3, 2014 at 6:00 AM, Alexander I <websur...@gmail.com> wrote:
>
> I'm trying to display different themes for different SPs, so that when each user
> visits the IdP in order to log in they can see their company's branding
>
> am i looking at it from the wrong point of view ?

I would say yes, you need to think about it some more. The MDUI
elements in metadata (https://spaces.internet2.edu/x/2YGKAQ) were
invented for this purpose, but the MDUI elements in SP metadata should
be used on the consent interface, not the login page. The login page
should never change since that's one of the primary benefits of
federated login, that is, a single login page that the user comes to
trust. This is an anti-phishing strategy (not the *best* anti-phishing
strategy, but a strategy nonetheless).

SimpleSAMLphp supports user consent. Perhaps you should switch your
attention to that feature instead?

Hope this helps,

Tom

Alexander

Apr 3, 2014, 7:08:00 AM4/3/14
to simple...@googlegroups.com
I see your point and I couldn't agree more, but it is a client requirement that the login page has the same branding as the company's website.

> The MDUI elements in metadata (https://spaces.internet2.edu/x/2YGKAQ) were
> invented for this purpose, but the MDUI elements in SP metadata should
> be used on the consent interface, not the login page.

So the 'standard' way would be to use MDUI elements, but not for the login page?

> SimpleSAMLphp supports user consent.
Can you elaborate on the above phrase, please?

I actually have implemented a similar solution to what is described here:
https://groups.google.com/forum/#!topic/simplesamlphp/pgwdu56GMIk

but it breaks in the event of a login error, since all the $_GET params disappear from the URL.

First the URL looks like this:
http://dev_idp/simplesaml/module.php/core/loginuserpass.php?AuthState=_112f64cb3dc84538d89570c779f4ea3e97e01caba0[...]

If the user submits the form with wrong credentials, the URL becomes:
http://dev_idp.aimsineskis.dev.ypsilon.net/simplesaml/module.php/core/loginuserpass.php?

A 'hacky' way would be to store it in a cookie or session variable, I guess, but I would prefer taking a more 'standard' approach.

alex
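The disappearing $_GET parameters described above, and a way to read the requesting SP that does not depend on them, as an added example (this is not code from the thread, from Alexander's theme or from simpleSAMLphp's own templates): after a failed attempt the core loginuserpass form has POSTed AuthState back to the IdP, so the handle is in $_REQUEST rather than $_GET, and loading the server-side login state from it gives the SP's entity ID and its MDUI UIInfo from the IdP's own copy of the SP metadata. The snippet assumes the simpleSAMLphp 1.x class names SimpleSAML_Auth_State, sspmod_core_Auth_UserPassBase and SimpleSAML_Module, a hypothetical module named "mymodule" that ships the CSS files, and constructed sample entity IDs in the mapping table. The stylesheet is chosen from a fixed allow-list, so an entity ID never reaches a file path or include.

```php
<?php
// Added example for the header.php of a custom simpleSAMLphp 1.x theme.
// Not code from this thread, from Alexander's theme or from simpleSAMLphp.
// Assumptions: 1.x class names (SimpleSAML_Auth_State,
// sspmod_core_Auth_UserPassBase, SimpleSAML_Module); the core
// loginuserpass template, whose form POSTs AuthState back to the IdP, so
// after a failed attempt the handle is in $_REQUEST rather than $_GET;
// and a hypothetical module "mymodule" that ships the CSS files.

/**
 * Login-flow state for the current request, or null if there is none.
 *
 * AuthState is only an opaque handle to server-side state; the SP identity
 * and its MDUI data come from the IdP's own copy of the SP metadata, saved
 * when the AuthnRequest was received, not from anything the browser sent.
 */
function example_branding_load_state()
{
    if (empty($_REQUEST['AuthState'])) {
        return null;
    }
    try {
        // allowMissing = true: an expired or unknown state gives null
        // instead of an exception, so the login page still renders.
        $state = SimpleSAML_Auth_State::loadState(
            $_REQUEST['AuthState'],
            sspmod_core_Auth_UserPassBase::STAGEID,
            true
        );
    } catch (Exception $e) {
        // e.g. a state saved for another stage: treat as "SP unknown"
        return null;
    }
    return is_array($state) ? $state : null;
}

/** Entity ID of the requesting SP, or null. */
function example_branding_sp_entity_id($state)
{
    if ($state !== null && isset($state['SPMetadata']['entityid'])) {
        return $state['SPMetadata']['entityid'];
    }
    return null;
}

/**
 * MDUI DisplayName of the requesting SP (English, else the first one), or
 * null. Assumes the metadata-array layout UIInfo -> DisplayName -> lang.
 */
function example_branding_sp_display_name($state)
{
    if ($state === null || empty($state['SPMetadata']['UIInfo']['DisplayName'])) {
        return null;
    }
    $names = $state['SPMetadata']['UIInfo']['DisplayName'];
    return isset($names['en']) ? $names['en'] : reset($names);
}

/**
 * Stylesheet for an entity ID, chosen from a fixed allow-list. The entity
 * ID is never interpolated into a path or URL; an SP not in the table gets
 * the default branding, so no SP can steer which file is included.
 */
function example_branding_stylesheet($entityId)
{
    // Constructed sample mapping: replace with the real SP -> CSS table.
    $allowed = array(
        'https://sp.example.org/shibboleth'     => 'example-org.css',
        'https://app.example.com/saml/metadata' => 'example-com.css',
    );
    if ($entityId !== null && isset($allowed[$entityId])) {
        return $allowed[$entityId];
    }
    return 'default.css';
}

$state   = example_branding_load_state();
$cssFile = example_branding_stylesheet(example_branding_sp_entity_id($state));
$cssUrl  = SimpleSAML_Module::getModuleURL('mymodule/css/' . $cssFile);
$spName  = example_branding_sp_display_name($state);
?>
<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css"
        href="<?php echo htmlspecialchars($cssUrl, ENT_QUOTES, 'UTF-8'); ?>" />
</head>
<body>
<?php if ($spName !== null): ?>
  <!-- Text taken from metadata is still escaped before output -->
  <p class="sp-name">Signing in to
     <?php echo htmlspecialchars($spName, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<!-- the rest of the theme's header follows as before -->
```

Tom's caution below still applies: a login page whose whole look changes per SP trains users to accept a page that looks different each time. A middle ground that keeps the page itself stable is to show only the SP's MDUI DisplayName, as the consent page does, and leave the IdP's own chrome fixed.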




Tom Scavo

Apr 3, 2014, 7:24:14 AM4/3/14
to simpleSAMLphp
On Thu, Apr 3, 2014 at 7:08 AM, Alexander <websur...@gmail.com> wrote:
> I see your point and I couldn't agree more, but it is a client requirement that
> the login page has the same branding as the company's website

It's not my place to tell you what to do but it's your reputation
that's on the line here. You are (or will be) compromising the
security of your client's users.

>> The MDUI elements in metadata (https://spaces.internet2.edu/x/2YGKAQ) were
>> invented for this purpose, but the MDUI elements in SP metadata should
>> be used on the consent interface, not the login page.
>
> so the 'standard' way would be to use MDUI elements but not for the login
> page ?

I don't know how the IdP in this case gets SP metadata but a typical
scenario is a Federation of IdPs and SPs, each with MDUI elements in
metadata. The IdPs consume SP metadata and therefore have ready access
to the MDUI elements. This is how the Shibboleth IdP works, for
example.

>> SimpleSAMLphp supports user consent.
> can you elaborate on the above phrase please ?
>
> i actually have implemented a similar solution to what is described here
> https://groups.google.com/forum/#!topic/simplesamlphp/pgwdu56GMIk

Oh dear, I see I weighed in on that thread two years ago. My bad, I
should have confirmed Dick Visser's observations 100%. I certainly
agree with him now. His comments are right on.

> i would prefer taking a more 'standard' approach

Well, I already told you what that is, I don't know what else to say.
Maybe someone else has a different opinion, I don't know.

Tom

Alexander

Apr 3, 2014, 7:47:17 AM4/3/14
to simple...@googlegroups.com
MDUI it is then :)

Have fun and stay cool!

alex




