flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Multi-Site SSO #112

Closed masonry47 closed 3 years ago

masonry47 commented 3 years ago

Hi there!

We are running into issues with our multisite setup. We are using multisite for localization, so there are 5 different sites with a URL structure like https://siteurl.com (default site), https://siteurl.com/es/, https://siteurl.com/fr/, etc.

So for example, if a content administrator is in Spain, a cookie is set based on IP to serve them the https://siteurl.com/es/ version of the site. When they then go to https://siteurl.com/craftadminurl and click on the SSO login button, they are simply redirected back to https://siteurl.com/es/ and don't ever get to the Microsoft login screen (we are using Azure AD). If the user manually sets their cookie to the default version of the site with the language switcher on the front end of the site and then uses the SSO login button, all is fine.

I know that this likely is connected to #89 and #72 but we still cannot quite figure out the proper setup. Any thoughts on this?

We are using 2.6.4 of the plugin and Craft 3.5.18

Thanks so much!

dsmrt commented 3 years ago

Since the domain is all the same, you are probably OK with using one SAML configuration. When configuring the SP (My Provider / the Craft instance), you can set it to the default site.

A couple of things:

  1. Is SSO logging in frontend users or backend (Craft CP) users?
  2. Since the users are redirected automatically based on IP, it should redirect them appropriately once they are logged in, right?

masonry47 commented 3 years ago

Thanks for the quick response. We think we came up with a solution. Definitely no issue with the plugin, but just for future reference: the way the cookie works in our setup with respect to languages is that if you have a cookie set to a specific language, it forces all URLs to redirect to that language. So if a user has a cookie set to show the Spanish version of the site and then went directly to https://siteurl.com/about, it would automatically redirect to the Spanish version of that page, like https://siteurl.com/es/about, and if that URL doesn't exist, it just sends you to the home page of the language that the cookie is set to, like https://siteurl.com/es.

So since international content admins would likely have a cookie set to one of the localized versions of the site, when they hit the SSO login button, they are hitting a URL that would look something like this:

/sso/login/request/5423432-3423-432-42342-432?RelayState=https://siteurl.com/adminpath

so it is being immediately redirected to something like https://siteurl.com/es/sso/login/request/5423432-3423-432-42342-432?RelayState=https://siteurl.com/adminpath, which doesn't exist, so it's ending up at the home page of that language site, https://siteurl.com/es/.

So we simply excluded the forced redirect from any URLs that start with SSO, and that did it.

Sorry for the long explanation, but in case someone else experiences the same thing down the line, this may help.

Thanks!

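The decision logic masonry47 describes, written out as an added example; this is not code from the thread or from the saml-sp plugin, and it assumes a site-level locale redirect implemented as a request hook rather than any specific Craft or web-server mechanism. The locale set, the cookie name and the `/sso/` prefix are taken from the thread; everything else (the exempt-prefix list, the `relay_state_is_local` check) is an assumption added for illustration. The second helper is the caveat a practitioner would want next to this: the SSO request URL carries an absolute `RelayState`, and whatever redirects to it after login should confirm it points at the SP's own host before following it.

```python
from urllib.parse import urlsplit, urlunsplit

# Locales the thread names plus two assumed ones; the default site has no prefix.
SUPPORTED_LOCALES = {"es", "fr", "de", "it"}  # assumed set for illustration
DEFAULT_LOCALE = "en"

# Path prefixes that the locale redirect must leave alone. "/sso/" matches the
# plugin's /sso/login/request/<uuid> endpoint from the thread; other entries are
# an assumption you would extend for your own non-localized routes.
LOCALE_EXEMPT_PREFIXES = ("/sso/",)


def locale_prefix(path):
    """Return the locale segment if the path already starts with one, else None."""
    segments = path.split("/", 2)
    if len(segments) > 1 and segments[1] in SUPPORTED_LOCALES:
        return segments[1]
    return None


def is_exempt(path):
    """True for paths that must never be rewritten to a localized URL."""
    return any(path.startswith(prefix) for prefix in LOCALE_EXEMPT_PREFIXES)


def locale_redirect(url, cookie_locale):
    """Return the URL to redirect to, or None if the request should be served as-is.

    Mirrors the behaviour described in the thread: a language cookie forces every
    request onto the matching localized prefix, except for exempt paths.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if cookie_locale is None or cookie_locale == DEFAULT_LOCALE:
        return None
    if cookie_locale not in SUPPORTED_LOCALES:
        return None  # unknown cookie value: never redirect on untrusted input
    if is_exempt(path):
        return None  # the fix from the thread: /sso/... is left untouched
    existing = locale_prefix(path)
    if existing == cookie_locale:
        return None  # already on the right localized site
    if existing:
        path = path[len(existing) + 1:] or "/"  # swap /fr/about -> /about
    new_path = "/" + cookie_locale + path  # "/" + "es" + "/about" -> /es/about
    return urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, parts.fragment))


def relay_state_is_local(relay_state, sp_host):
    """True only if RelayState is a relative path or an http(s) URL on sp_host.

    Added hardening, not something the thread discusses: a RelayState that is
    blindly followed after login is an open redirect unless its host is checked.
    """
    parts = urlsplit(relay_state)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # e.g. javascript: or data:
    if parts.netloc:
        return parts.netloc.lower() == sp_host.lower()
    # No host: accept only a root-relative path, and reject protocol-relative "//host".
    return relay_state.startswith("/") and not relay_state.startswith("//")


if __name__ == "__main__":
    # Constructed requests modelled on the URLs quoted in the thread.
    sso_url = ("https://siteurl.com/sso/login/request/5423432-3423-432-42342-432"
               "?RelayState=https://siteurl.com/adminpath")
    print(locale_redirect("https://siteurl.com/about", "es"))
    print(locale_redirect(sso_url, "es"))
    print(relay_state_is_local("https://siteurl.com/adminpath", "siteurl.com"))
```

Without the `/sso/` exemption, the second call returns the `/es/sso/...` URL that the thread says does not exist, which is exactly the path that ended at the localized home page.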
dsmrt commented 3 years ago

Glad you found a solution. Thanks for sharing! I do think this will be helpful for others.