lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

store.id_state does nothing #51

Closed 01e9 closed 7 years ago

01e9 commented 7 years ago

I get

Unknown InResponseTo '_68b93e494c86295ff7d21d274486ab489b429f17ed'

because id store doesn't save any id. Should I save the id manually on login action? (I have overwritten the DefaultController in a child bundle)

~P.S. I don't know why, this bundle is VERY HARD to work with. The documentation is poor and the architecture is complicated. I usually spend 1-3 hours in order to find how one parameter is used, why I get an error.~ Sorry, I've found architecture description

01e9 commented 7 years ago

I found the problem. We use

user <-> webApp (forward LightSaml requests to api) <-> api (lightSaml)

so on the api the session is lost on every new request.

I will create a store.request service and store ids in memcache

01e9 commented 7 years ago

Thank you very much for this bundle! Because of flexible configuration and architecture, it was hard, but I managed to complete my task.

tmilos commented 7 years ago

@arteniioleg The id_state store is remembering the ID of the AuthnRequest you sent, so you can validate InResponseTo of the incoming Response; afterwards that ID is flushed from the store. It's a security measure used to prevent repeated responses. Since the web browser SSO SAML profile is in the front bearer channel - aka browser - and you have a user session both during request and response, the default id state store implementation in LightSAML is the session store. If you wish you can store it somewhere else. Making a dummy implementation is strongly discouraged due to security concerns and vulnerabilities you'll get open to.

01e9 commented 7 years ago

@tmilos Thank you for the details. I know about id_state and it works on my side, ids are saved in memcache and the same id doesn't pass /login_check twice.

I skip the IdEntry store (database entries) since on successful login I generate an OAuth token and use it in future requests (our system is an API with OAuth tokens, SAML is used only on the login part, I have a separate firewall only for /saml urls).
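The single-use request ID store that tmilos describes and that 01e9 backed with memcache, as an added example that is not the bundle's or LightSAML's own code: the `KeyValueBackend`, `ArrayBackend` and `OneTimeRequestIdStore` names are hypothetical, and the array backend stands in for memcache so the walk-through runs without a server.

```php
<?php
// Hypothetical key-value backend. Memcached::set/get/delete take the same
// arguments, so a memcache-backed implementation is a thin wrapper around it.
interface KeyValueBackend {
    public function set(string $key, string $value, int $ttl): void;
    public function get(string $key): ?string;
    public function delete(string $key): void;
}
// In-memory stand-in with a fake clock so expiry can be exercised offline.
final class ArrayBackend implements KeyValueBackend {
    private array $items = [];
    public int $now = 0;
    public function set(string $key, string $value, int $ttl): void {
        $this->items[$key] = [$value, $this->now + $ttl];
    }
    public function get(string $key): ?string {
        if (!isset($this->items[$key])) { return null; }
        [$value, $expiresAt] = $this->items[$key];
        if ($expiresAt <= $this->now) { unset($this->items[$key]); return null; }
        return $value;
    }
    public function delete(string $key): void { unset($this->items[$key]); }
}
final class OneTimeRequestIdStore {
    public function __construct(private KeyValueBackend $backend, private int $ttl = 300) {}
    // Called when the SP sends an AuthnRequest: remember its ID for a bounded time.
    public function remember(string $requestId): void {
        $this->backend->set('saml_req:' . $requestId, '1', $this->ttl);
    }
    // Called on the incoming Response: true only for a remembered, unexpired ID;
    // the ID is then flushed so the same Response cannot be accepted twice.
    public function consume(?string $inResponseTo): bool {
        if ($inResponseTo === null || $inResponseTo === '') { return false; } // unsolicited
        $key = 'saml_req:' . $inResponseTo;
        if ($this->backend->get($key) === null) { return false; }          // unknown or expired
        $this->backend->delete($key);
        return true;
    }
}

// Constructed walk-through using the request ID quoted in the issue.
$backend = new ArrayBackend();
$store = new OneTimeRequestIdStore($backend, 300);
$id = '_68b93e494c86295ff7d21d274486ab489b429f17ed';
$store->remember($id);
echo 'first use: ', var_export($store->consume($id), true), PHP_EOL;
echo 'replay:    ', var_export($store->consume($id), true), PHP_EOL;
echo 'unknown:   ', var_export($store->consume('_not_ours'), true), PHP_EOL;
$store->remember('_second'); $backend->now += 301;
echo 'expired:   ', var_export($store->consume('_second'), true), PHP_EOL;
```

With a shared backend such as memcache, the same check holds when the request and the response are handled by different API instances, which is the situation described in this thread.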