When trying to use both lightSAML and form_login authentication, with form_login as the default authentication, lightSAML overwrites the login_path and use_forward parameters for the security.authentication.form_entry_point (FormAuthenticationEntryPoint). As a result all authentication requests always go to the SAML login page.
For our specific case, we have a a variety of corporate customers. Most companies use our built in forms based authentication. However, some companies want to use SSO with their own identity providers (via SAML). We'd like to have some magic in our login page that detects (probably by the host subdomain or something else in the URL) if the user should continue with the standard forms login or be redirected to their specific identity provider(via /saml/login).
In src/LightSaml/SpBundle/DependencyInjection/Security/Factory/LightSamlSpFactory.php, the createEntryPoint should only modify the 'security.authentication.form_entry_point' definition if the $defaultEntryPointId is null, the same way Symfony's HttpDigestFactory and HttpBasicFactory do. Adding the following to the beginning of the createEntryPoint method fixes the problem:
if ($defaultEntryPointId !== null) {
return $defaultEntryPointId;
}
Or even better, add a configuration option so developers can explicitly specify if they want lightSAML to be the default login page or not:
When trying to use both lightSAML and form_login authentication, with form_login as the default authentication, lightSAML overwrites the login_path and use_forward parameters for the security.authentication.form_entry_point (FormAuthenticationEntryPoint). As a result all authentication requests always go to the SAML login page.
For our specific case, we have a a variety of corporate customers. Most companies use our built in forms based authentication. However, some companies want to use SSO with their own identity providers (via SAML). We'd like to have some magic in our login page that detects (probably by the host subdomain or something else in the URL) if the user should continue with the standard forms login or be redirected to their specific identity provider(via /saml/login).
In src/LightSaml/SpBundle/DependencyInjection/Security/Factory/LightSamlSpFactory.php, the createEntryPoint should only modify the 'security.authentication.form_entry_point' definition if the $defaultEntryPointId is null, the same way Symfony's HttpDigestFactory and HttpBasicFactory do. Adding the following to the beginning of the createEntryPoint method fixes the problem:
Or even better, add a configuration option so developers can explicitly specify if they want lightSAML to be the default login page or not: