Make SP URLs customizable via configuration #1815
Comments
I smell a lot of work and very little gain.
It's not an easy task because we would indeed need to find a way to override routes, but I think it's doable, and @he247 offered help with it, which is why I asked him to open a ticket so that we could discuss the proper way to do it 😄
As a first start I tried this: I don't have enough insight about this project. What would be your preferred approach to handle the override?
I have recently seen that there is already an override for the logout URL:
Wouldn't it make sense to do something similar for the ACS?
Hello guys, I found this issue while trying to customize ACS and SLO URLs. We use SSP as a service provider in a multitenant application, where IdPs are out of our control. In our scenario, having full control of the URLs is important for maintainability, as any future change would require coordinating with several different organizations. Solving the routing issue at the Apache level with an alias or rewrite seems a good compromise to keep the code change small.
Hi @MatteoBiagini,
I get an empty Slack window when trying to view the context link above. Does the desired solution come down to just the one line?
I had a bit of a dig to see if it might trip up other places which might want to validate. There is some checking in modules/saml/src/IdP/SAML2.php/getAssertionConsumerService(). I am mostly looking at the simplesamlphp-2.1 branch.
Hi @monkeyiq,
I think the assertion is only there to verify that the URL is not the same as any remote SP; that shouldn't be a problem, if I'm not mistaken (simplesamlphp/modules/saml/src/IdP/SAML2.php, line 240 in 3fbfd11).
For the settings in config/authsources.php I planned something like this (just as an example). Update: using

```php
$baseURL = empty(getenv('SERVER_URL')) ? 'https://devel.LocalServerName.de' : getenv('SERVER_URL');
$AssertionConsumerServiceURL = $baseURL.'/LocalServiceName/sp/acs';
[
    ...
    'SingleLogoutServiceBinding' => ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'],
    'SingleLogoutServiceLocation' => $baseURL.'/LocalServiceName/sp/logout',
    'AssertionConsumerService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => $AssertionConsumerServiceURL,
            'index' => 0,
        ],
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
            'Location' => $AssertionConsumerServiceURL,
            'index' => 1,
        ],
    ],
    'AssertionConsumerServiceURL' => $AssertionConsumerServiceURL,
    ...
]
```
Please don't call the variable Also, what you are doing here should already be possible without any changes to SimpleSAMLphp. You should be using one of
What we are seeing, when using
Extract from the configuration:

```php
<?php
// config/authsources.php
'ourServiceProvider' => [
    'saml:SP',
    'entityID' => 'https://our-service-provider.com/saml/sp/metadata',
    'acs.Bindings' => [
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
    ],
    'AssertionConsumerService' => [
        [
            'index' => 0,
            'isDefault' => TRUE,
            'Location' => 'https://our-service-provider.com/saml/sp/acs',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        [
            'index' => 1,
            'Location' => 'https://our-service-provider.com/saml/sp/acs',
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
        ],
    ],
    '...' => [],
];
```

Extract from the metadata:

```xml
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://our-service-provider.com/saml/sp/acs" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://our-service-provider.com/saml/sp/acs" index="1"/>
```

With the SP-initiated flow, this is the authn message we see:

```xml
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_e67832df9fdc81b9c18dac61871cbcdb2120303926"
    Version="2.0"
    IssueInstant="2024-02-20T21:42:51Z"
    Destination="https://identity-provider.com/auth/realms/Example-Realm/protocol/saml"
    AssertionConsumerServiceURL="https://our-service-provider.com/saml/module.php/saml/sp/saml2-acs.php/ourServiceProvider"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    >
  <saml:Issuer>https://our-service-provider.com/saml/sp/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
      AllowCreate="true"
      />
</samlp:AuthnRequest>
```

Here I would expect the "AssertionConsumerServiceURL" attribute filled with the custom URL provided in the configuration for the corresponding ProtocolBinding.
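To make the mismatch in the comment above concrete, here is an added example (not from this issue and not SimpleSAMLphp code) of the check an IdP typically applies: parse the AuthnRequest, read its AssertionConsumerServiceURL and ProtocolBinding, and accept the request only if that pair was published in the SP's metadata. The metadata and AuthnRequest strings are the ones posted above, wrapped so they parse stand-alone; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# SP metadata extract as posted in this thread, wrapped in an SPSSODescriptor so it parses.
SP_METADATA = """<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://our-service-provider.com/saml/sp/acs" index="0"/>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://our-service-provider.com/saml/sp/acs" index="1"/>
</md:SPSSODescriptor>"""

# AuthnRequest as posted in this thread (NameIDPolicy omitted; only the ACS attributes matter here).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_e67832df9fdc81b9c18dac61871cbcdb2120303926" Version="2.0"
    IssueInstant="2024-02-20T21:42:51Z"
    Destination="https://identity-provider.com/auth/realms/Example-Realm/protocol/saml"
    AssertionConsumerServiceURL="https://our-service-provider.com/saml/module.php/saml/sp/saml2-acs.php/ourServiceProvider"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://our-service-provider.com/saml/sp/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

def registered_acs(metadata_xml):
    """Return the set of (Binding, Location) pairs the SP published in its metadata."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter("{%s}AssertionConsumerService" % NS["md"])}

def check_acs(authn_xml, metadata_xml):
    """IdP-side rule: a requested ACS URL must be one the SP registered for the
    requested binding, otherwise the IdP must not deliver the assertion there.
    Returns (ok, reason)."""
    req = ET.fromstring(authn_xml)
    if req.tag != "{%s}AuthnRequest" % NS["samlp"]:
        return False, "not an AuthnRequest"
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if url is None:
        # No override requested: the IdP falls back to the default ACS from metadata.
        return True, "no AssertionConsumerServiceURL; default ACS applies"
    if (binding, url) in registered_acs(metadata_xml):
        return True, "ACS URL matches metadata"
    return False, "ACS URL %s not registered for binding %s" % (url, binding)
```

Run against the request from the thread, check_acs rejects it because the module.php URL is not one of the two registered locations; rewriting the attribute to https://our-service-provider.com/saml/sp/acs makes it pass.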
Yes @MatteoBiagini, that's a bug.
It appears the https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/saml/src/Auth/Source/SP.php#L473
@tvdijen, we would add an alias in the Apache virtual host configuration.
@tvdijen thank you for pointing that out. Actually yes, these settings were taken into account for the metadata that I sent to the IdP, but the generated link in the authnrequest message was like @MatteoBiagini described. This induced an error from the IdP, as the ACS link in my metadata was not the same as in the authnrequest message. I also used Apache RewriteRule for the custom links, just for reference:

```apache
RewriteRule "^sp/metadata$" "module.php/saml/sp/metadata/LocalServiceName" [L]
RewriteRule "^sp/(logout|acs)$" "module.php/saml/sp/saml2-$1.php/LocalServiceName" [L]
RewriteRule "^sp/login$" "module.php/saml/sp/login/LocalServiceName" [L]
```

@he247 As a workaround, you could try signing your AuthnRequests. Usually IdPs will accept it then, even if it doesn't match the ACS URLs in the metadata.
Description
I already set a custom URL for those which presumably would be seen by users of the service in the authsources.php:
```php
'SingleLogoutServiceBinding' => ['urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'],
'SingleLogoutServiceLocation' => $entityID.'/LocalServiceName/sp/logout',
'AssertionConsumerService' => [
    [
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        'Location' => $entityID.'/LocalServiceName/sp/acs',
        'index' => 0,
    ],
    [
        'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
        'Location' => $entityID.'/LocalServiceName/sp/acs',
        'index' => 1,
    ],
],
```
So instead of e.g. $entityID.'/baseurlpath/saml/sp/saml2-acs.php' I would like to be able to set $entityID.'/baseurlpath/sp/acs'
Possible solution
Make URLs customizable via config-files instead of hardcoding URLs like in https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/saml/src/Auth/Source/SP.php#L447
Possible alternative
I could set up some complex rewrite rules in my Apache.
As reference: obsolete/archived Slack link https://simplesamlphp.slack.com/archives/CU5E4P8PK/p1686150989557749?thread_ts=1686146005.524799
@jaimeperez