24Slides / laravel-saml2

[Laravel 5.4+] An integration to add SSO to your service via SAML2 protocol based on OneLogin toolkit with support of multiple Identity Providers
MIT License

Redirect Loop after SSO #31

Open UNICodehORN opened 2 years ago

UNICodehORN commented 2 years ago

I configured my IDP and followed the instructions given in the Readme section.

When I call https://url-of-my-website/saml2/{uuid}/login I see the SSO page of my IDP. After successfully logging in I am ending up in a redirect loop: https://my-idp-sso-provider/saml2/idp/?SAMLRequest=&RelayState=https://url-of-my-website/saml2/{uuid}/login

For each redirect I see [2022-08-09 18:06:28] local.DEBUG: [Saml2] Tenant resolved {"uuid":"uuid","id":1,"key":"sso_key"} in my laravel log.

```php
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Event;
use Slides\Saml2\Events\SignedIn;

Event::listen(SignedIn::class, function (SignedIn $event) {
    $messageId = $event->getAuth()->getLastMessageId();
    // your own code preventing reuse of a $messageId to stop replay attacks

    $samlUser = $event->getSaml2User();

    $userData = [
        'id' => $samlUser->getUserId(),
        'attributes' => $samlUser->getAttributes(),
        'assertion' => $samlUser->getRawSamlAssertion(),
    ];

    // Just dumping $userData here works, so the login itself succeeds
    // dd($userData);

    $username = $userData['attributes']['username']; // find user by ID or attribute
    $user = User::where('name', $username)->first();

    // Login a user.
    Auth::loginUsingId($user->id);
});
```

From the Kernel:

```php
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'saml' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
    ],

    'api' => [
        // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
```

From saml2.php:

```php
'routesMiddleware' => ['saml'],
```
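The listener in the report leaves the replay check as a placeholder and calls `loginUsingId()` without checking that a local user was found. The following is an added example, not code from the original post or from the laravel-saml2 project, of a `SignedIn` listener that fills both gaps: it records each consumed assertion ID with `Cache::add()` (which only writes when the key is absent, so a re-posted assertion is refused) and fails closed when the username attribute or the local account is missing. The attribute name `username`, the `App\Models\User` model with a `name` column, and the class name `HandleSamlSignedIn` are assumptions for the example. Note that the listener does not choose the post-login destination; that comes from the `returnTo` query parameter, the tenant's relay state URL, or the `loginRoute` setting, which is what the rest of this thread is about.

```php
<?php

namespace App\Listeners;

use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Slides\Saml2\Events\SignedIn;

class HandleSamlSignedIn
{
    /**
     * How long a consumed assertion ID is remembered. It must be at least as long as the
     * validity window the IdP puts in the assertion (Conditions/NotOnOrAfter plus allowed
     * clock skew); otherwise the assertion could be replayed after the cache entry expires.
     */
    private const REPLAY_WINDOW_SECONDS = 3600;

    /** SAML attribute carrying the local username (assumption for this example). */
    private const USERNAME_ATTRIBUTE = 'username';

    public function handle(SignedIn $event): void
    {
        $messageId = $event->getAuth()->getLastMessageId();

        // One-time use of the assertion: Cache::add() returns false when the key already
        // exists, so a captured and re-posted assertion is rejected before any user lookup.
        // Use a shared cache store (redis, database) so the check holds across app servers.
        if ($messageId === null
            || ! Cache::add('saml2:assertion:'.$messageId, true, self::REPLAY_WINDOW_SECONDS)) {
            Log::warning('[Saml2] assertion rejected: replayed or without an ID', [
                'message_id' => $messageId,
            ]);
            abort(403, 'SAML assertion already used.');
        }

        $samlUser   = $event->getSaml2User();
        $attributes = $samlUser->getAttributes();

        // The OneLogin toolkit returns each attribute as a list of values; take the first.
        $username = $attributes[self::USERNAME_ATTRIBUTE][0] ?? null;

        if ($username === null) {
            Log::warning('[Saml2] assertion carries no username attribute', [
                'name_id' => $samlUser->getUserId(),
            ]);
            abort(403, 'SAML assertion is missing the username attribute.');
        }

        // Only sign in accounts that already exist locally; do not auto-provision from an
        // unknown attribute value. Failing closed avoids passing a null id to loginUsingId().
        $user = User::where('name', $username)->first();

        if ($user === null) {
            Log::warning('[Saml2] no local user for SAML subject', ['username' => $username]);
            abort(403, 'No local account for this identity.');
        }

        Auth::login($user);
        Log::debug('[Saml2] user signed in', [
            'user_id'    => $user->id,
            'message_id' => $messageId,
        ]);
    }
}
```

Register it in `App\Providers\EventServiceProvider` by adding `SignedIn::class => [HandleSamlSignedIn::class]` to `$listen` in place of the inline closure. Because the `saml` middleware group in the report carries `StartSession`, `Auth::login()` has a session to write to; without it the login would succeed inside the listener and be lost on the next request.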

UNICodehORN commented 2 years ago

Interesting thing I noticed: if I add ?returnTo=someUrl to the login URL, I am redirected to that URL after the login and I am also logged in as the correct user.

No redirect loop in that case.

flpdev commented 1 year ago

Hello friends. I solved a problem like this in my project by setting a --relayStateUrl on the create-tenant statement. Before I recognized this, on the Azure test the redirect was normal, but in my localhost environment a loop started. Looking at the possible causes, I found this field empty in the tenant's database record, so I put in any URL and the loop was solved.

I hope this information help.

jamesratcliffe commented 1 year ago

In addition to the other 2 solutions, you can also set SAML2_LOGIN_URL in your environment or add a default for loginRoute in the config file. These would apply for all tenants that don't have a relay_state_url set.

For my case, @UNICodehORN's solution was the best because it's the only way to preserve the original URL that the user was trying to visit. I also set a URL in the config as a fallback.

danielrangelsa commented 1 month ago

Hello friends.. I have the same problem in Laravel 11.. it only prints "Tenant resolved" and I receive a "No access" error on AWS SSO.