Closed ChMat closed 7 years ago
That's an interesting idea, and I like it, but I'm not sure if all users of the bundle will take it that way. Anyway, you have the `user_creator` configuration option in the security firewall to provide your own logic.
https://github.com/lightSAML/SpBundle/blob/master/src/LightSaml/SpBundle/DependencyInjection/Security/Factory/LightSamlSpFactory.php#L29
I don't have that documented in http://www.lightsaml.com/SP-Bundle/Configuration/. It should be added.
Thanks
Hi @ChMat, I am having a similar issue. Let me try your solution.
@tmilos, as I mentioned in another issue, setting `user_creator` as null keeps looping the system in SP and IDP.
Hi,
I am working on the integration of lightSAMLSpBundle for some applications in our company. We have set things up so as to use only one identity provider.
If you want to filter out some users at the time of authentication, the `UserCreator->createUser()` function should never return `null`. Contrary to the `UserCreatorInterface` documentation, returning `null` in the context of a delegated authentication will create a loop redirect between the identity provider and your Symfony application.
Since `UserCreator->createUser()` is called in the context of a Symfony `AuthenticationProviderInterface`, returning `null` will throw an `AuthenticationException` and Symfony is going to redirect the user to the login form. But the login form is located at the identity provider and it just told Symfony that the guy was a legitimate user. From there, the loop is created.
Therefore, your application should always trust the SSO service and create the user even if you don't like him.
But, if you still want to deny access to your application, you should just not give him any roles. Here is a modified `UserCreator` class modified from the example in the Getting Started guide:
Not sure if this is an issue. Perhaps this is more a subject for a cookbook?
I hope this will help.
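
An added example, not the original poster's code (which did not survive on this page): one way to write a `UserCreator` that always returns a user but grants no roles to accounts it wants to keep out. The `AppBundle\Entity\User` entity, its setters, the Doctrine `ObjectManager` namespace and the `$allowedUsernames` list are assumptions.

```php
<?php
// Added example; AppBundle\Entity\User and $allowedUsernames are hypothetical.

namespace AppBundle\Security\User;

use AppBundle\Entity\User;
use Doctrine\Common\Persistence\ObjectManager;
use LightSaml\Model\Protocol\Response;
use LightSaml\SpBundle\Security\User\UserCreatorInterface;
use LightSaml\SpBundle\Security\User\UsernameMapperInterface;

class UserCreator implements UserCreatorInterface
{
    private $objectManager;
    private $usernameMapper;
    private $allowedUsernames;

    public function __construct(
        ObjectManager $objectManager,
        UsernameMapperInterface $usernameMapper,
        array $allowedUsernames = []
    ) {
        $this->objectManager = $objectManager;
        $this->usernameMapper = $usernameMapper;
        $this->allowedUsernames = $allowedUsernames;
    }

    public function createUser(Response $response)
    {
        $username = $this->usernameMapper->getUsername($response);

        // Always build a user. Returning null here ends in an
        // AuthenticationException and a redirect back to the IdP,
        // which has already authenticated this person: a loop.
        $user = new User();
        $user->setUsername($username);

        // Deny by withholding roles instead of withholding the user.
        $allowed = in_array($username, $this->allowedUsernames, true);
        $user->setRoles($allowed ? ['ROLE_USER'] : []);

        // Persist so the user provider can reload the account later.
        $this->objectManager->persist($user);
        $this->objectManager->flush();

        return $user;
    }
}
```

A role-less user is still fully authenticated, so access rules must require a role such as `ROLE_USER` rather than `IS_AUTHENTICATED_FULLY`, and the entity's `getRoles()` must not append a default role.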