omniauth / omniauth-saml

A generic SAML strategy for OmniAuth
https://github.com/omniauth/omniauth-saml

Use of `origin` parameter in request URL breaks integration with certain IDPs #201

Open joshIsCoding opened 3 years ago

joshIsCoding commented 3 years ago

Using the origin parameter as originally documented by OmniAuth causes an error when attempting to authenticate with some IDPs, specifically Google as an IDP via a custom SAML 2.0 app integration. Initiating the SAML request with a URL containing an origin param raises an `invalid_ticket` error from the Ruby SAML gem. So a request URL such as the following: `https://test-app.com/auth/saml/2/callback?origin=something`

Gives the following error on receipt of the SAML response from Google:

```
Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The status code of the Response was not Success, was Requester => RequestDenied -> Invalid request, ACS Url in request `https://test-app.com/auth/saml/2/callback?origin=something` doesn't match configured ACS Url `https://test-app.com/auth/saml/2/callback`.

HTTP Origin header (https://accounts.google.com) didn't match request.base_url (https://test-app.com/)
```

Fortunately, a simple solution is to submit the parameter in the request body instead. I have created a pull request for the main OmniAuth gem to reflect that this is possible now that all authentication requests are supposed to use POST. I am flagging the issue here in case others end up searching for the problem, and also to offer to provide some origin parameter documentation in a pull request to this gem if you think it would be beneficial.