flipboxfactory / saml-idp

SAML Identity Provider (IdP) Plugin for Craft CMS
https://saml-idp.flipboxfactory.com

Configurable RelayState #25

Closed thkus closed 3 years ago

thkus commented 3 years ago

Hi there, sorry for using this issue to ask a question, but I couldn't quite figure it out: We are planning to use this plugin to act as an IdP, and I'm wondering if there is a way to configure or set a RelayState on our end. I understand that this can also be configured within the external SP; in this special case it would be easier, though, to set it ourselves. Maybe there is an event to hook into? Thanks a lot in advance!

dsmrt commented 3 years ago

:wave: @thkus

Great question!

My interpretation of the RelayState has been derived from, and aligns with, this text from the docs:

The RelayState token is an opaque reference to state information maintained at the service provider.

Found on this page :link:

That said, they later mention the RelayState when discussing IdP-initiated SSO:

(If the convention for identifying a specific application resource at the SP is supported at the IdP and SP, the resource URL at the SP is also encoded into the form using a hidden form control named RelayState.)

Found on this page :link:

What does this mean? The SAML protocol/spec is not the clearest and is very confusing, BUT I'd prefer the management of the RelayState to be controlled by the SP side.

However, this is possible using the IdP-initiated login flow. You'll have to conform your RelayState value to match the way it's handled on the SP side. For example, most SPs base64-encode their RelayState value (which is usually a relative URL). So you'd have to base64-encode it on your side. If you have a dashboard on the IdP side where users are logged in, you could provide IdP-initiated SSO links to log them into a specific SP which also send them to a specific page. Is this something you are considering?

After reviewing the code, we don't have an event to hook into from the SP-initiated side, but if this is something you need, we could possibly add it as a feature. If this feature is needed, can you explain your use case?

thkus commented 3 years ago

Hi @dsmrt, thanks for your detailed answer. Indeed, I also found myself puzzling over the documentation. 😉

However, this is possible using the IdP-initiated login flow. You'll have to conform your RelayState value to match the way it's handled on the SP side. For example, most SPs base64-encode their RelayState value (which is usually a relative URL). So you'd have to base64-encode it on your side. If you have a dashboard on the IdP side where users are logged in, you could provide IdP-initiated SSO links to log them into a specific SP which also send them to a specific page. Is this something you are considering?

Yes, the plan is to have an IdP-initiated flow, where users click on a link on our end and then get redirected / authenticated on the SP side.

If I understand correctly, this should already be possible then? Where would be the best place to add a RelayState to the login URL like it's mentioned here? Edit: It might be me being stupid, but obviously I can just add it to the link myself, which I then place on the website, right?

dsmrt commented 3 years ago

Yep! This is already possible. You can simply format the URL like the example says, like so: https://<your-idp hostname>/sso/login/request/<SP-UID>?RelayState=<the-path-you-want> (obviously replacing <your-idp hostname>, <SP-UID>, and <the-path-you-want> with the values for your configuration). That URL kicks off the SSO process. Most likely, you'll have to base64-encode the RelayState path, like I've mentioned.
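
The following is an added example, not code from the saml-idp plugin or from either participant. It builds the IdP-initiated login URL in the shape dsmrt gives above (`/sso/login/request/<SP-UID>?RelayState=...`) with a base64-encoded relative path, and it also shows the SP-side handling that both comments leave implicit: RelayState travels in a URL or form field that anyone can craft, so an SP that decodes it and redirects to it without checks has an open redirect. The hostname `idp.example.com`, the SP UID `0123-abcd`, the paths, and the `attacker_relay_state` helper are constructed for illustration. The 80-byte ceiling comes from the SAML 2.0 Bindings specification, which says a RelayState value must not exceed 80 bytes.

```python
"""Added example: IdP-initiated SSO link with RelayState, plus SP-side validation.

Not code from the saml-idp plugin. Hostname, SP UID and paths are assumed values.
"""
import base64
from urllib.parse import urlencode, urlparse

IDP_HOST = "idp.example.com"   # assumed IdP hostname (placeholder)
SP_UID = "0123-abcd"           # assumed SP UID from the plugin's SP configuration (placeholder)
RELAYSTATE_MAX_BYTES = 80      # SAML 2.0 Bindings spec: RelayState MUST NOT exceed 80 bytes


def _is_local_path(path: str) -> bool:
    """True only for a same-origin relative path such as /dashboard.

    Rejects absolute URLs, protocol-relative URLs (//host), and backslash tricks
    (/\\host) that browsers normalise into a cross-origin redirect.
    """
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return False
    parsed = urlparse(path)
    return not parsed.scheme and not parsed.netloc


def encode_relay_state(path: str) -> str:
    """IdP side: base64-encode a relative SP path, as the thread says most SPs expect."""
    if not _is_local_path(path):
        raise ValueError("RelayState target must be a relative, same-origin path")
    encoded = base64.b64encode(path.encode("utf-8")).decode("ascii")
    if len(encoded) > RELAYSTATE_MAX_BYTES:
        raise ValueError("RelayState exceeds the 80-byte limit from the SAML bindings spec")
    return encoded


def idp_initiated_login_url(sp_uid: str, target_path: str, host: str = IDP_HOST) -> str:
    """Build the IdP-initiated login link in the shape quoted in the thread."""
    query = urlencode({"RelayState": encode_relay_state(target_path)})
    return f"https://{host}/sso/login/request/{sp_uid}?{query}"


def sp_resolve_relay_state(relay_state: str, default: str = "/") -> str:
    """SP side: decode the RelayState it receives and refuse anything non-local.

    RelayState arrives from the user's browser, so a phisher can put any value
    in the link. Falling back to `default` for anything that is not a local
    path closes the open redirect.
    """
    try:
        decoded = base64.b64decode(relay_state, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return default
    return decoded if _is_local_path(decoded) else default


def attacker_relay_state(target: str) -> str:
    """Constructed helper: what a crafted link would carry (no IdP-side checks)."""
    return base64.b64encode(target.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    url = idp_initiated_login_url(SP_UID, "/dashboard")
    print("IdP-initiated link:", url)
    # What the SP does with a legitimate value versus a crafted one:
    print(sp_resolve_relay_state(encode_relay_state("/dashboard")))         # /dashboard
    print(sp_resolve_relay_state(attacker_relay_state("//evil.example/")))  # /
```

The IdP-side check in `encode_relay_state` is a convenience for your own links; the check that actually matters for security is the one in `sp_resolve_relay_state`, because the SP cannot assume the RelayState it receives was produced by the IdP's dashboard rather than pasted into a phishing mail.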

thkus commented 3 years ago

OK, great. It's working as expected! :-) Thanks!