OS2sandbox / sandbox-myndighedsidentitet-issues

Sandbox issuetracker for an OS2 configured IdP and SSO provider Authentik
https://goauthentik.io/
Creative Commons Zero v1.0 Universal

Redirection without hitting the "My Applications" landing page? #46

Open janhalen opened 9 months ago

janhalen commented 9 months ago

When you sign in to e.g. Zulip via the zulip test url, you end up in the "My applications" landing page inside Authentik.

The expected behaviour would be to end up directly in the app you tried to access via the url. The choice between the different enrolled apps is just confusing to a simple user just wanting SSO to Zulip or Nextcloud.


nicolas-semaphor commented 9 months ago

Agreed, this should be fixable in the flow manager somehow. It will only occur upon first login, if the kombit user isn't already signed in, but it's still undesired behavior.

janhalen commented 9 months ago

Maybe this? https://goauthentik.io/docs/flow/context/#redirect-string

(I haven't checked with the current flow what the url is set to)

nicolas-semaphor commented 9 months ago

That sounds absolutely spot on, good find. Will check to see if I can make an easy fix.

nicolas-semaphor commented 5 months ago

This may have been a bug. I just tested on a newer image with a home brewed RubySAML service provider. After being redirected to AK and signing in, I get sent directly back to my simple Ruby app, without seeing the my application page.

nicolas-semaphor commented 5 months ago

Although, this example uses the SAML Provider, and not the OIDC provider that might have caused the redirect to the My Applications page. I will test with the OIDC provider instead.

janhalen commented 5 months ago

> This may have been a bug. I just tested on a newer image with a home brewed RubySAML service provider. After being redirected to AK and signing in, I get sent directly back to my simple Ruby app, without seeing the my application page.

nicolas-semaphor commented 5 months ago

Unfortunately not, for that we would need a SAML IdP mock service. In this case I made a very simple SAML Service provider, which logged in using an Authentik SAML Provider. I'll gladly share though.

```ruby
require 'logger'
require 'webrick'
require 'onelogin/ruby-saml'
require 'sinatra'

enable :sessions

OneLogin::RubySaml::Logging.logger = Logger.new 'ruby-saml.log'
# Redirect-binding URLs carry a deflated AuthnRequest; raise WEBrick's default URI limit.
WEBrick::HTTPRequest.const_set("MAX_URI_LENGTH", 10240)

def saml_settings
  idp_metadata_parser = OneLogin::RubySaml::IdpMetadataParser.new
  validate_cert = true
  settings = idp_metadata_parser.parse_remote(
    "<saml_idp_metadata_url>",
    validate_cert,
  )

  settings.assertion_consumer_service_url = "<host>/saml/acs"
  settings.sp_entity_id                   = "<host>/saml/metadata"

  return settings
end

# Called when the IdP response fails validation (referenced but not defined above).
def authorize_failure
  halt 401, '<p>SAML authentication failed</p>'
end

get '/' do
  if session[:nameid]
    # Escape the IdP-supplied NameID before embedding it in HTML.
    return '<p>Welcome <b>' + Rack::Utils.escape_html(session[:nameid]) + '</b>!</p>'
  else
    redirect '/saml/login'
  end
end

get '/saml/metadata' do
  meta = OneLogin::RubySaml::Metadata.new
  content_type 'text/xml'
  meta.generate saml_settings
end

get '/saml/login' do
  request = OneLogin::RubySaml::Authrequest.new
  redir_url = request.create saml_settings
  redirect redir_url
end

get '/test/authnrequest' do
  request = OneLogin::RubySaml::Authrequest.new
  content_type 'text/xml'
  return request.create_authentication_xml_doc(saml_settings).to_s
end

post '/saml/acs' do
  response = OneLogin::RubySaml::Response.new(params[:SAMLResponse], :settings => saml_settings)
  if response.is_valid?
    session[:nameid] = response.nameid
    session[:attributes] = response.attributes

    puts "\nAttributes in Assertion:"
    session[:attributes].each do |key, value|
      puts "#{key} => '#{value[0]}'"
    end
    puts ""

    # Login.
    redirect '/'
  else
    authorize_failure
  end
end
```

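The issue is about landing on the right page after the IdP round-trip. The test SP above always redirects to `/` after a valid response, so it never has to decide where to send the user. A production SP usually remembers the page the user asked for and carries it through the IdP as `RelayState`; since `RelayState` travels through the browser, it is attacker-influenced and must be validated before it is used as a redirect target, otherwise the ACS endpoint becomes an open redirect. The following is an added example, not code from the issue or from the OS2sandbox project: a pure-Ruby helper that validates a return path and turns `RelayState` into an opaque, single-use, expiring token. The module and method names are assumptions made for this example; the route names in the comments follow the Sinatra app above.

```ruby
# Added example (not from the issue or the OS2sandbox project): safe "return to
# where the user started" handling for a SAML service provider.
require 'uri'
require 'securerandom'

module ReturnTarget
  DEFAULT = '/'   # landing page used whenever the requested target is not acceptable
  MAX_LEN = 512   # keep RelayState short; long values tend to get truncated by proxies

  # Accept only a local, absolute-path target ("/app/inbox?x=1").  Everything
  # else (absolute URLs, scheme-relative "//host", "/\host", header injection,
  # the SP's own SAML endpoints) falls back to DEFAULT.
  def self.safe_target(raw)
    return DEFAULT if raw.nil? || raw.empty? || raw.bytesize > MAX_LEN
    s = raw.strip
    return DEFAULT unless s.start_with?('/') && !s.start_with?('//', '/\\')
    return DEFAULT if s.include?("\r") || s.include?("\n") || s.include?("\0")
    begin
      u = URI.parse(s)
    rescue URI::InvalidURIError
      return DEFAULT
    end
    # A path-only string parses without scheme/host; reject if one sneaked in.
    return DEFAULT if u.scheme || u.host || u.userinfo
    # Never bounce the user straight back into the SAML endpoints themselves.
    return DEFAULT if s.start_with?('/saml/')
    s
  end

  # Server-side store: RelayState becomes an opaque, single-use token that maps
  # back to an already validated path.  The browser never carries the path
  # itself, so it cannot be tampered with, and stale tokens expire.
  class Store
    TTL = 600 # seconds; a login round-trip should finish well within this

    # clock is injectable so expiry can be tested deterministically
    def initialize(clock: -> { Time.now.to_i })
      @clock = clock
      @entries = {}
    end

    # /saml/login: remember the requested path, return the RelayState value
    # (e.g. request.create(saml_settings, RelayState: store.issue(path))).
    def issue(requested_path)
      token = SecureRandom.urlsafe_base64(24)
      @entries[token] = [ReturnTarget.safe_target(requested_path), @clock.call + TTL]
      token
    end

    # /saml/acs, after response.is_valid?: redeem params[:RelayState].  Unknown,
    # reused or expired tokens fall back to the default landing page.
    def redeem(token)
      target, expires_at = @entries.delete(token)
      return DEFAULT if target.nil? || expires_at < @clock.call
      target
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ReturnTarget::Store.new
  token = store.issue('/app/inbox?folder=todo')
  puts "RelayState sent to the IdP: #{token}"
  puts "Redirect after ACS:          #{store.redeem(token)}"
  puts "Replayed token:              #{store.redeem(token)}"
  puts "Tampered target:             #{ReturnTarget.safe_target('//evil.example/')}"
end
```

Two things matter here. First, validation happens when the path is stored, not only when it is redeemed, so the target can never be anything but a local path. Second, because the token is single-use and bound to a server-side entry, a `RelayState` value captured from one user's browser cannot be replayed to steer another session; with Authentik in the loop this gives the SP a deterministic landing page regardless of whether the IdP shows its own "My applications" page first.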
janhalen commented 2 months ago

> Although, this example uses the SAML Provider, and not the OIDC provider that might have caused the redirect to the My Applications page. I will test with the OIDC provider instead.

Has this been tested and verified as a misconfiguration in the flow? Does it need more work?

janhalen commented 1 month ago

Need to test again with newest Authentik release build