New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow IdP authprocs to be configured in authsources.php #1995
base: simplesamlphp-2.2
Are you sure you want to change the base?
Allow IdP authprocs to be configured in authsources.php #1995
Conversation
@@ -48,6 +48,8 @@ public function __construct(array $info, array $config) | |||
throw new Exception( | |||
'Invalid <username>:<password> for authentication source ' . $this->authId . ': ' . $userpass | |||
); | |||
} elseif ($userpass === 'authproc') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is hackish and I don't agree with it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "hackishness" of this particular part of this PR is fixed in #2003
As per Slack discussion, I find this a hackish solution for an issue that I don't understand. |
$pc = new Auth\ProcessingChain($idpMetadata, $spMetadata, 'idp'); | ||
// Add in authprocs defined in authsources.php | ||
$asArray = Configuration::getConfig('authsources.php')->getArray($idp->authSource->getAuthSource()->getAuthId()); | ||
$asAuthproc = array_key_exists('authproc', $asArray) ? ['authproc' => $asArray['authproc']] : null; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So my IdP's authsource is an SP. Won't this change result in the authsource authprocs running twice? once when the SP authsource is used for login, and a second time when run inside of the idp. That would be a big surprise to people, especially since not all filters can be run in both places.
A second reason doing this "somewhere else" may be the desired location is that the IdP class is just one way of integrating with apps. There is an OIDC module, a casserver module and adfs module. One challenge in enhancing only the SAML IdP side is when people go to use the other modules they get a different behavior. e.g. you add an OIDC app and now the authproc
filters configured this new way don't run, even though the authsource is the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The second point I understand and agree with. It must apply to all backends, not just SAML - I hadn't considered ADFS or OIDC. Thanks for the feedback.
WRT the first point, I think I understand what you mean - the case where we're bridging (https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures.html#bridging-between-protocols)? In that case we're running as both an SP and an IdP, and the "authproc" could be run on the SP side then re-run on the IdP side. Perhaps adding an extra key authproc_idp
might be acceptable to avoid that clash but still allow IdP authprocs in authsources.php
?
This issue arises when using A sensible approach to authprocs in configuration here would be to have a set of per-authentication plugin ( From a configuration perspective, the cleanest way get per-authsource authprocs is to add support for IdP authprocs in Like I said, I'm fine with reworking the technical aspects. I accept @pradtke's feedback that it's implemented in the wrong place, causing the two issues he identified. Hence, the current code in the PR isn't mergeable. However, the problem definitely exists, and the configuration aspect of the proposed PR I believe makes It's far tidier configuration wise to store global authprocs in a global place ( So, I'm happy to put the time into reworking it. The most important thing to me at the moment is that the project is open to the concept I'm presenting and is open reviewing and potentially merging the change once it's technically up to scratch. |
I've found a variety of situations where I want to run Maybe a path forward is a generalized way of running authproc filters as part of the authentication? So instead of the
I'm unsure how feasible it is, where the code should live, or what sort of odd behaviors we could run into (e.g. does multiauth run both its own filters and that of the target auth source; do filters run on reauthentication, etc). |
Yeah, I saw that a few days ago (https://github.com/cirrusidentity/simplesamlphp-module-authoauth2/blob/924636059d3359f5fa8e07d19c362ce109a2236c/src/Auth/Source/OAuth2.php#L297). It's one of the modules that's in our When I read that code I thought "that would be better in the core SSphp", and you'd put it there because of the lack of support for IdP per-authsource authprocs. That code actually convinced me the problem existed (so, partly inspired me to write this PR) - it was obvious it wasn't a problem unique to that authsource, but implemented in In the I like your suggestion of moving authprocs all together to make them more symmetrical between the IdP and SP cases. As you say, there's no real justification for the SP authsource being more special than an IdP one. Looking forward to @tvdijen's feedback on that idea. |
3e290bd
to
62005d7
Compare
9553384
to
b17c854
Compare
Currently, for SPs you can configure authprocs in metadata,
config.php
orauthsources.php
. However, for an IdP you can only configure in metadata orconfig.php
. This PR addresses this, such that regardless of whether you're configuring an IdP or an SP, you can configure in all three places.The main driver for the desire for
authsources.php
to be supported as an IdP authproc configuration source is when usingmultiauth
with multiple different authentication sources. When using multiauth, it would be really handy to be able to apply different authprocs based on which authentication mechanism was delegated to (as defined inauthsources.php
).saml20-sp-remote
, as SP's are likely used by multiple underlying authentication mechanisms, which likely return quite different raw attributes (hence the need for authprocs to make it more transparent to the SP which underlying authenication mechanism was used).config.php
. Yes, you could do this with pre-conditional filters, but it is nothing like as clean, configuration wise (and more prone to error) as just adding support forauthsources.php
authprocs for IdP.