Force re-login how?


Ronnie Jespersen

May 8, 2012, 3:14:54 AM5/8/12
to simple...@googlegroups.com
Hey guys.

So in my simplesamlphp I have several login methods. 1 method is on one domain and 4 are on another.
Now if I'm logged in to one method I am automatically logged in to every other on that domain (SSO), and that's perfect.

But is there some way I can demand a re-login if you access one login method on the same domain?

/Ronnie

Steve Moitozo

May 8, 2012, 7:35:14 AM5/8/12
to simple...@googlegroups.com
On May 8, 2012, at 3:14 AM, Ronnie Jespersen wrote:

> But is there some way I can demand a re-login if you access one login method on the same domain?

Ronnie Jespersen

May 8, 2012, 7:57:41 AM5/8/12
to simple...@googlegroups.com

Perfect. That's half-way to what I want... Let's say I have 6 login methods on the same domain. Is there any way I can force login when you switch between some of them? 3 are in one group and the other 3 in another group... switching between the groups would force login, but not within the groups... Hope I make sense :)

Steve Moitozo II

May 8, 2012, 9:28:17 AM5/8/12
to simple...@googlegroups.com
What do you mean by this?

Ronnie Jespersen

May 9, 2012, 3:56:45 AM5/9/12
to simple...@googlegroups.com

In my simplesaml box I have several login methods to validate a user. If they are all located on a domain, let's say test.com, then when you are logged in by one of the login methods you are logged in on all of them (SSO). That's great, but I need to force login if a user switches to another application that requires a login, on the same domain, but where the login method is in a "group" of login methods where you need to re-validate.

It's hard to explain.

I know I can fix the issue by having a new domain.

Let's say on domain1 test.com we have login methods 1, 2 and 3. And on domain2 test2.com we have login methods 4, 5 and 6. Now if I log in with number 1 I am validated with all of login methods 1, 2 and 3 due to the SSO. But if I switch to login method 4, 5 or 6 I'm not, due to the fact that there is no session cookie on that domain yet.

I just wanted to know if I'm able to do the same with only one domain?

Olav Morken

May 9, 2012, 4:46:16 AM5/9/12
to simple...@googlegroups.com
It is possible, but you are going to have to implement your own
authentication source. Take a look at the reauthenticate()-function in
lib/SimpleSAML/Auth/Source.php. By overriding that function in your own
authentication source, you can decide whether to require new
authentication when receiving an authentication request. You can also
force the user to log out of the existing sessions in that case.

Best regards,
Olav Morken
UNINETT / Feide
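The approach Olav describes, as an added example that is not from the thread or from the simpleSAMLphp project: a custom authentication source that keeps SSO inside one "group" of SPs but forces a fresh login when the request comes from an SP in another group. It assumes the 1.9 `reauthenticate()` hook and the 1.x class names (`SimpleSAML_Auth_Source`, `SimpleSAML_Session::getInstance()`, `getAuthState()`, `doLogout()`, the `PersistentAuthData` state key), a hypothetical module called `mymodule`, the stock LDAP source as parent so the actual password check is inherited, and a constructed `sp.groups` config option mapping SP entity IDs to group names.

```php
<?php
/**
 * Added example (not from the thread or the simpleSAMLphp project): an
 * authentication source that keeps SSO inside a "group" of SPs but forces a
 * fresh login when the request comes from an SP in a different group.
 * Assumes: the 1.9 reauthenticate() hook, a hypothetical module "mymodule",
 * the stock LDAP source as parent, and a constructed 'sp.groups' option.
 */
class sspmod_mymodule_Auth_Source_GroupedSSO extends sspmod_ldap_Auth_Source_LDAP
{
    /** @var array entityID => group name, taken from the authsource config */
    private $spGroups;

    public function __construct($info, $config)
    {
        $this->spGroups = isset($config['sp.groups']) ? $config['sp.groups'] : array();
        unset($config['sp.groups']); // the rest of the config belongs to the LDAP parent
        parent::__construct($info, $config);
    }

    /** Group of the requesting SP; an unmapped SP forms a group of its own. */
    private function groupOf(array $state)
    {
        $entityId = isset($state['SPMetadata']['entityid']) ? $state['SPMetadata']['entityid'] : '';
        return isset($this->spGroups[$entityId]) ? $this->spGroups[$entityId] : $entityId;
    }

    /** Interactive login: record which group the user authenticated for. */
    public function authenticate(&$state)
    {
        $state['mymodule:spGroup'] = $this->groupOf($state);
        // Keys listed in PersistentAuthData are copied into the session's auth data.
        $state['PersistentAuthData'][] = 'mymodule:spGroup';
        parent::authenticate($state);
    }

    /** Called by the IdP when the user already has a session with this source. */
    public function reauthenticate(array &$state)
    {
        $session = SimpleSAML_Session::getInstance();
        $data = $session->getAuthState($this->authId);
        $current = isset($data['mymodule:spGroup']) ? $data['mymodule:spGroup'] : null;
        if ($current !== null && $current === $this->groupOf($state)) {
            parent::reauthenticate($state); // same group: plain SSO, reuse the session
            return;
        }
        $session->doLogout($this->authId); // other group: drop the existing login ...
        $this->login($state);              // ... and redirect to the login form (no return)
    }
}
```

Register the class in `config/authsources.php` under the name the IdP uses and list the SP entity IDs per group in `sp.groups`; SPs that are not listed each behave as their own group and therefore always trigger a re-login when switched to.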

David Martínez Borque

May 9, 2012, 5:54:11 AM5/9/12
to simple...@googlegroups.com
You are probably right and I should address another forum, but maybe you can answer this one question:

Do I have to define an SP for each one of the cgis in this application in order to authenticate and return to the same cgi?

For example:

Let's have two cgis in the same server: https://host1.org/cgi-bin/a.pl and https://host1.org/cgi-bin/b.pl

The user tries to access https://host1.org/cgi-bin/b.pl, and is redirected to the IdP. After authenticating he is redirected to the value set at AssertionConsumerService in the definition of the remote SP. Which might be https://host1.org/cgi-bin/a.pl or https://host1.org/cgi-bin/b.pl, but not both of them. I have tried to set AssertionConsumerService as an array with the urls of all the scripts, but the user is directed always to the value set in the first place.

As I see it, the only possibility SSP offers, is to define each script as a different SP, but this is not a very good solution for an application with lots of cgis.

This is not specific to Perl. Is this the only way? Is there another possibility?
Thanks!

-----Original Message-----
From: simple...@googlegroups.com [mailto:simple...@googlegroups.com] On behalf of Olav Morken
Sent: Wednesday, 09 May 2012 10:46
To: simple...@googlegroups.com
Subject: Re: Force re-login how?

Olav Morken

May 9, 2012, 6:27:05 AM5/9/12
to simple...@googlegroups.com
On Wed, May 09, 2012 at 11:54:11 +0200, David Martínez Borque wrote:
> You are probably right and I should address another forum, but maybe you can answer this one question:
>
> Do I have to define an SP for each one of the cgis in this application in order to authenticate and return to the same cgi?

That depends on the SP code.

> For example:
>
> Let's have two cgis in the same server: https://host1.org/cgi-bin/a.pl and https://host1.org/cgi-bin/b.pl
>
> The user tries to access https://host1.org/cgi-bin/b.pl, and is redirected to the IdP. After authenticating he is redirected to the value set at AssertionConsumerService in the definition of the remote SP. Which might be https://host1.org/cgi-bin/a.pl or https://host1.org/cgi-bin/b.pl, but not both of them. I have tried to set AssertionConsumerService as an array with the urls of all the scripts, but the user is directed always to the value set in the first place.
>
> As I see it, the only possibility SSP offers, is to define each script as a different SP, but this is not a very good solution for an application with lots of cgis.

Actually, you can have multiple ACS URLs, and specify which one you
want to use in the authentication request. However, see below for
generic comments about this.

> This is not specific of Perl. Is this the only way? Is there another possibility?

Speaking generically about SPs: Typically one service from the user's
perspective should be registered as one service provider at the IdP.
Authentication responses are sent to the SP's ACS URL (which does not
need to be related to any other URLs at the service). The ACS URL can
then create a session for the user that can be used later.

However, all of this really depends on the SP implementation. I do not
know if the SP implementation you have found contains any session
handling functionality, or if you are expected to build that yourself.
Therefore it is better to ask someone familiar with the library you are
using.


(Another option that I do not know if you have considered is to
outsource authentication to your webserver. If you are using Apache,
there are multiple SAML 2.0 SP implementations for it.)

Ronnie Jespersen

May 9, 2012, 8:11:27 AM5/9/12
to simple...@googlegroups.com

> It is possible, but you are going to have to implement your own authentication source. Take a look at the reauthenticate()-function in lib/SimpleSAML/Auth/Source.php. By overriding that function in your own authentication source, you can decide whether to require new authentication when receiving an authentication request. You can also force the user to log out of the existing sessions in that case.
>
> Best regards,
> Olav Morken
> UNINETT / Feide

Hey Olav.
I'm not able to find the reauthenticate function you mention in lib/SimpleSAML/Auth/Source.php. I'm using simplesamlphp 1.8.2.

Olav Morken

May 10, 2012, 3:28:49 AM5/10/12
to simple...@googlegroups.com
Ah, sorry. It isn't in 1.8. It will be in 1.9, which hopefully will be
released before too much time has passed.

Ronnie Jespersen

May 10, 2012, 3:59:11 AM5/10/12
to simple...@googlegroups.com

> Ah, sorry. It isn't in 1.8. It will be in 1.9, which hopefully will be
> released before too much time has passed.
>
> Best regards,
> Olav Morken
> UNINETT / Feide

Ah, that explains it :) thanks.

Christian Goebel

Mar 31, 2021, 6:42:18 AM3/31/21
to SimpleSAMLphp
Hi,
have you found a solution for this case?