lightSAML / SpBundle

SAML2 SP Symfony Bundle based on LightSAML
https://www.lightsaml.com/SP-Bundle/
MIT License

Infinite loop when using stateless firewall #84

Open hoonzis opened 4 years ago

hoonzis commented 4 years ago

When using a stateless firewall the application goes into an infinite loop after successful authentication. The symptoms are similar to what is described here: https://github.com/lightSAML/SpBundle/issues/35

The loop looks like this:

GET lightsaml_sp.discovery
GET lightsaml_sp.login
POST lightsaml_sp.login_check
GET /some/route/needs/auth/ => An AuthenticationException was thrown; redirecting to authentication entry point. A Token was not found in the TokenStorage

Our configuration looks like this:

    pattern:            (^/)
    logout_on_user_change: true
    stateless: true

    form_login:
        provider:       hybrid
        login_path:     /sso/form
        check_path:     /sso/formcheck
        csrf_token_generator: security.csrf.token_manager

    light_saml_sp:
        username_mapper: lightsaml_sp.username_mapper.simple
        provider:       hybrid
        login_path:     /saml/login
        check_path:     /saml/login_check
        user_creator:   user_creator

I understand that the bundle is probably using the user session to store the token when the SAML authentication response is received. The user is then redirected to some default page, and the firewall finds the token in the storage.

What we would need is a way to force Symfony to set the authentication cookie (phpsession) while redirecting to the default page.

Would there be a configuration option for the LightSaml bundle?
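For context on the loop above: in Symfony, `stateless: true` tells a firewall not to persist the authenticated token into the session, so the token set during the `login_check` POST is gone by the time the browser follows the redirect, and the next request falls back to the authentication entry point. A SAML browser login is redirect-based and has nothing to re-present on the next request, so it needs a session-backed firewall. The fragment below is an added example, not configuration from this issue or from the bundle's documentation: it keeps the SAML and form logins on a stateful firewall and confines `stateless: true` to a separate firewall for routes that carry credentials on every request. The firewall names `api` and `main`, the `^/api/` pattern, and the `http_basic` choice for the API are assumptions; the SAML and form-login settings mirror the ones posted above.

```yaml
security:
    firewalls:
        # Stateless firewall only for routes whose clients send credentials
        # on every request (assumed: Basic auth on /api/). Nothing here is
        # ever stored in the session, which is what "stateless" means.
        api:
            pattern:   ^/api/
            stateless: true
            provider:  hybrid
            http_basic: ~

        # Session-backed firewall for the browser-facing SAML / form login.
        # Without "stateless: true" the token produced by login_check is
        # written to the session and found again after the redirect.
        main:
            pattern:  ^/
            logout_on_user_change: true

            form_login:
                provider:   hybrid
                login_path: /sso/form
                check_path: /sso/formcheck
                csrf_token_generator: security.csrf.token_manager

            light_saml_sp:
                username_mapper: lightsaml_sp.username_mapper.simple
                provider:        hybrid
                login_path:      /saml/login
                check_path:      /saml/login_check
                user_creator:    user_creator
```

Firewalls are matched in order, so the more specific `api` pattern must come before the catch-all `main` pattern; if the whole site is supposed to be stateless, the SAML login cannot survive the redirect at all and the loop in the issue is the expected outcome rather than a bundle setting.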

frostieDE commented 4 years ago

In my understanding, stateless means that credentials (not tokens) should be passed on every request. So why not remove the stateless listener?