Allow IdP authprocs to be configured in authsources.php #1995
Conversation
| @@ -48,6 +48,8 @@ public function __construct(array $info, array $config) | |||
| throw new Exception( | |||
| 'Invalid <username>:<password> for authentication source ' . $this->authId . ': ' . $userpass | |||
| ); | |||
| } elseif ($userpass === 'authproc') { | |||
There was a problem hiding this comment.
This is hackish and I don't agree with it
There was a problem hiding this comment.
The "hackishness" of this particular part of this PR is fixed in #2003
|
As per Slack discussion, I find this a hackish solution for an issue that I don't understand. |
| $pc = new Auth\ProcessingChain($idpMetadata, $spMetadata, 'idp'); | ||
| // Add in authprocs defined in authsources.php | ||
| $asArray = Configuration::getConfig('authsources.php')->getArray($idp->authSource->getAuthSource()->getAuthId()); | ||
| $asAuthproc = array_key_exists('authproc', $asArray) ? ['authproc' => $asArray['authproc']] : null; |
There was a problem hiding this comment.
So my IdP's authsource is an SP. Won't this change result in the authsource authprocs running twice? once when the SP authsource is used for login, and a second time when run inside of the idp. That would be a big surprise to people, especially since not all filters can be run in both places.
A second reason doing this "somewhere else" may be the desired location is that the IdP class is just one way of integrating with apps. There is an OIDC module, a casserver module and adfs module. One challenge in enhancing only the SAML IdP side is when people go to use the other modules they get a different behavior. e.g. you add an OIDC app and now the authproc filters configured this new way don't run, even though the authsource is the same.
There was a problem hiding this comment.
The second point I understand and agree with. It must apply to all backends, not just SAML - I hadn't considered ADFS or OIDC. Thanks for the feedback.
WRT the first point, I think I understand what you mean - the case where we're bridging (https://simplesamlphp.org/docs/stable/simplesamlphp-advancedfeatures.html#bridging-between-protocols)? In that case we're running as both an SP and an IdP, and the "authproc" could be run on the SP side then re-run on the IdP side. Perhaps adding an extra key authproc_idp might be acceptable to avoid that clash but still allow IdP authprocs in authsources.php?
This issue arises when using A sensible approach to authprocs in configuration here would be to have a set of per-authentication plugin ( From a configuration perspective, the cleanest way get per-authsource authprocs is to add support for IdP authprocs in Like I said, I'm fine with reworking the technical aspects. I accept @pradtke's feedback that it's implemented in the wrong place, causing the two issues he identified. Hence, the current code in the PR isn't mergeable. However, the problem definitely exists, and the configuration aspect of the proposed PR I believe makes It's far tidier configuration wise to store global authprocs in a global place ( So, I'm happy to put the time into reworking it. The most important thing to me at the moment is that the project is open to the concept I'm presenting and is open reviewing and potentially merging the change once it's technically up to scratch. |
|
I've found a variety of situations where I want to run Maybe a path forward is a generalized way of running authproc filters as part of the authentication? So instead of the
I'm unsure how feasible it is, where the code should live, or what sort of odd behaviors we could run into (e.g. does multiauth run both its own filters and that of the target auth source; do filters run on reauthentication, etc). |
Yeah, I saw that a few days ago (https://github.com/cirrusidentity/simplesamlphp-module-authoauth2/blob/924636059d3359f5fa8e07d19c362ce109a2236c/src/Auth/Source/OAuth2.php#L297). It's one of the modules that's in our When I read that code I thought "that would be better in the core SSphp", and you'd put it there because of the lack of support for IdP per-authsource authprocs. That code actually convinced me the problem existed (so, partly inspired me to write this PR) - it was obvious it wasn't a problem unique to that authsource, but implemented in In the I like your suggestion of moving authprocs all together to make them more symmetrical between the IdP and SP cases. As you say, there's no real justification for the SP authsource being more special than an IdP one. Looking forward to @tvdijen's feedback on that idea. |
tvdijen
force-pushed
the
simplesamlphp-2.2
branch
from
3e290bd
to
62005d7
Compare
tvdijen
force-pushed
the
simplesamlphp-2.2
branch
from
9553384
to
b17c854
Compare
Currently, for SPs you can configure authprocs in metadata,
config.phporauthsources.php. However, for an IdP you can only configure in metadata orconfig.php. This PR addresses this, such that regardless of whether you're configuring an IdP or an SP, you can configure in all three places.The main driver for the desire for
authsources.phpto be supported as an IdP authproc configuration source is when usingmultiauthwith multiple different authentication sources. When using multiauth, it would be really handy to be able to apply different authprocs based on which authentication mechanism was delegated to (as defined inauthsources.php).saml20-sp-remote, as SP's are likely used by multiple underlying authentication mechanisms, which likely return quite different raw attributes (hence the need for authprocs to make it more transparent to the SP which underlying authenication mechanism was used).config.php. Yes, you could do this with pre-conditional filters, but it is nothing like as clean, configuration wise (and more prone to error) as just adding support forauthsources.phpauthprocs for IdP.