dmirandaa / moodle-auth_saml2sso

Moodle plugin for authentication using a SimpleSAMLphp Service Provider
https://moodle.org/plugins/auth_saml2sso

RelayState URL is the Moodle login page causing infinite redirect loop back to IDP #43

Closed rrsiegfried closed 3 years ago

rrsiegfried commented 3 years ago

Describe the bug

Regardless of whether the dual login feature is used or not, when authenticating successfully via our SSO IdP, we get caught in an infinite redirect loop. Upon closer investigation and SAML Tracer review, it appears that the RelayState URL is simply https:///login/index.php?saml=on, so it keeps trying to create a new session that already exists (verified by SAML logs on the IdP end).

Looking at auth.php it is curious that there is no use of $SESSION->wantsurl which other auth plugins make use of. At Line 111 in the "loginpage_idp_list" function the $url var is set to '?saml=on'. Not sure if this is actually contributing or not as I did try editing this and it just broke the process.

To Reproduce

Steps to reproduce the behavior: Use a SAML Tracer plugin and pull it up. Then log in to your Moodle instance using the SSO login option and make note of the first POST in SAML Tracer to verify the RelayState URL.
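As an added diagnostic (not code from this issue or from the plugin), a small Python check that pulls RelayState out of a captured SAML login request, either the HTTP-Redirect URL or the HTTP-POST form body as shown in SAML Tracer, and flags the symptom reported above: a RelayState that points back at /login/index.php instead of the page the user originally requested. The hostnames and the sample request are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Moodle's login page path, the RelayState seen in the report above.
LOGIN_PATH = "/login/index.php"


def extract_relaystate(request_url: str, post_body: str = "") -> Optional[str]:
    """Return the RelayState from a HTTP-Redirect binding URL (query string)
    or from a HTTP-POST binding form body; None if neither carries one."""
    qs = parse_qs(urlparse(request_url).query)
    if "RelayState" in qs:
        return qs["RelayState"][0]          # parse_qs already percent-decodes
    if post_body:
        form = parse_qs(post_body)
        if "RelayState" in form:
            return form["RelayState"][0]
    return None


def relaystate_loops_to_login(relay_state: Optional[str]) -> bool:
    """True when the RelayState would send the user back to the login page.
    Only the path is compared, so a host-less value such as
    'https:///login/index.php?saml=on' (as in the report) is caught too."""
    if not relay_state:
        return False
    return urlparse(relay_state).path == LOGIN_PATH


def diagnose(request_url: str, post_body: str = "") -> str:
    """One-line verdict for a captured login request."""
    rs = extract_relaystate(request_url, post_body)
    if rs is None:
        return "no RelayState present"
    if relaystate_loops_to_login(rs):
        return f"LOOP: RelayState points at the login page ({rs})"
    return f"ok: RelayState is {rs}"


# Constructed sample: a HTTP-Redirect login request as SAML Tracer would show it.
# The SAMLRequest value is a placeholder, not a real deflated AuthnRequest.
SAMPLE_REDIRECT = (
    "https://idp.example.org/saml2/sso?SAMLRequest=PLACEHOLDER"
    "&RelayState=https%3A%2F%2Fmoodle.example.org%2Flogin%2Findex.php%3Fsaml%3Don"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_REDIRECT))
```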

mfprimo commented 3 years ago

It is very strange, since RelayState is set by the SimpleSAMLphp component and this plugin has no effect on it. Have you tried to authenticate from the SimpleSAMLphp test page, usually https://<your-site>/simplesaml/module.php/core/authenticate.php, using SAML Tracer? The return URL is handled by Moodle.

rrsiegfried commented 3 years ago

We have been using this plugin up until now: https://moodle.org/plugins/auth_saml - which is also SimpleSAMLphp based. We did go back and double check that we could successfully auth from the SSP test page.

mfprimo commented 3 years ago

I couldn't replicate the problem on our systems; if you want to send me a private email to staff@aulaweb.unige.it we could compare our configs in order to find the root cause.

I confirm the return URL ($SESSION->wantsurl) is handled by Moodle: if, having no active session, you try to open a resource inside a course (e.g. a PDF file) using SAML Tracer you can clearly see that:

mfprimo commented 3 years ago

Changing SSP store.type from phpsession to memcached solves the problem.