Closed brpassos closed 2 years ago
@brpassos realms? Do you have a RPG going over there? It sounds like you may need some additional middleware to check if the user is authenticated and that they belong to the realm they are attempting to access. This package is already listening for the Authenticated Laravel event. Maybe you can create your own listener for that event as well?
@upwebdesign it's not an RPG, I'm following the Keycloak idea.
https://www.keycloak.org/getting-started/getting-started-docker
Thanks a lot for the help. I implemented a listener based on SamlAuthenticated and registered it in the samlidp.php config, so I can check whether the authenticated user is from the same realm and, if not, log out and redirect to login.
To authenticate my users I created a new condition. They are grouped by realms. In the users table there is a column called realm_id that holds the id from the realms table.
In the SP I make the request with the realm and put it in $credentials in the IdP. Then I add realm_id to $credentials and authenticate with
Auth::guard()->attempt($credentials)
It works perfectly until that part. When an SP is part of a realm it authenticates with the user of that specific realm.
The problem happens when the user is already authenticated to the IdP. When I make the request to the IdP with the realm included, if the user is already authenticated then it returns the authenticated user even if the realm is not theirs.
In this case I need to verify that the user belongs to the SP's realm; otherwise I have to log them out and send them to the login screen to be authenticated with the correct realm.
Where can I get the realm value from the request, check whether the already-authenticated user belongs to that realm, and if not log them out and redirect to login?
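One way to do the check described above, as an added example that is not part of the original issue, the package, or the poster's code: a Laravel middleware placed on the IdP's SAML login route. It assumes (hypothetically) a `Realm` Eloquent model with a `name` column, a `users.realm_id` column referencing `realms.id` as the post describes, that the SP passes the realm name as a `realm` query parameter, and that the login route is named `login`.

```php
<?php
// Added example, not the package's or the poster's code. Assumptions (hypothetical):
//  - users.realm_id references realms.id (as described in the post);
//  - an Eloquent model App\Models\Realm with a `name` column;
//  - the SP sends the realm name as a `realm` query parameter to the IdP login URL;
//  - this middleware is attached to the IdP's SAML login route, in front of the
//    package's own handling, so it runs on every incoming AuthnRequest.

namespace App\Http\Middleware;

use App\Models\Realm;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class EnsureUserBelongsToRealm
{
    public function handle(Request $request, Closure $next)
    {
        // Resolve the requested realm: the SP passes it on the first request;
        // later hops (login form post, SAMLRequest redirect) read it back from
        // the session so the realm cannot be silently dropped mid-flow.
        $realmName = $request->query('realm', $request->session()->get('saml_realm'));
        if ($realmName === null) {
            abort(400, 'No realm supplied with the SAML request.');
        }

        $realm = Realm::where('name', $realmName)->first();
        if ($realm === null) {
            abort(404, 'Unknown realm.');
        }

        $user = Auth::user();
        if ($user !== null && (int) $user->realm_id !== (int) $realm->id) {
            // Already logged in as a user of a different realm: drop that session
            // entirely (not only the auth guard) so nothing from the other realm
            // survives, then send the browser to the login screen for this realm.
            Auth::logout();
            $request->session()->invalidate();
            $request->session()->regenerateToken();

            return redirect()->guest(route('login', ['realm' => $realm->name]));
        }

        // Not logged in, or logged in as a user of the right realm: remember the
        // realm for the rest of the login round-trip and continue.
        $request->session()->put('saml_realm', $realm->name);

        return $next($request);
    }
}
```

The `realm_id` entry in `$credentials` from the post still does the work on the login form itself; the middleware only covers the case where a session already exists. One caveat worth checking in a real deployment: a `realm` query parameter is chosen by whoever builds the URL, so a realm-A user could edit it to `realm=A` on a request destined for a realm-B SP and pass this check. If the SPs themselves are tied to realms, derive the realm server-side from the SP the AuthnRequest is for (the SP entry configured in samlidp.php) rather than from a free parameter, so that the assertion is only ever issued to a user of that SP's realm.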