Discussion:
Thoughts/best practice around SP to IDP token passing
Daniel Gay
2014-08-15 15:26:51 UTC
Requesting community's thoughts on best approach for following scenario:

I have an SP configured to protect several domains (each representing a
different application) and also an IDP configured with an external login
handler. Single sign-on works perfectly fine. I would like to add some
additional functionality on the IDP (all custom code that I am writing)
that would require a token be sent by the SP/protected app during the
authentication flow. What is the best way to make this token available to
my custom login handler?

To be more clear, here's what I'd like:

1. user goes to URL in browser https://myapp.mybiz.com/foo?token=abcd1234
2. SP intercepts and begins taking user through SSO flow
3. redirect occurs to IDP
4. IDP forwards request to configured login handler
5. login handler (custom Java code) somehow gets the token

It's step 5 that I'm unclear as to the best way to do that. The token
(well really, I'd like the whole URL) gets lost in the redirects, but I was
hoping that the original URL would be sent to the IDP and that I'd somehow
have that info available to my custom code.

Is this possible? Any thoughts or direction greatly appreciated.

Dan
Paul Hethmon
2014-08-15 15:30:47 UTC
On Aug 15, 2014, at 11:26 AM, Daniel Gay <daniel.gay-0UMBjBLXp4DkQYj/***@public.gmane.org> wrote:

It's step 5 that I'm unclear as to the best way to do that. The token (well really, I'd like the whole URL) gets lost in the redirects, but I was hoping that the original URL would be sent to the IDP and that I'd somehow have that info available to my custom code.

If you control both sides, you could pass the value in the SAML RelayState. Otherwise, perhaps a domain cookie.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org
Cantor, Scott
2014-08-15 17:08:22 UTC
Post by Daniel Gay
It's step 5 that I'm unclear as to the best way to do that. The token
(well really, I'd like the whole URL) gets lost in the redirects, but I
was hoping that the original URL would be sent to the IDP and that I'd
somehow have that info available to my custom code.
Is this possible? Any thoughts or direction greatly appreciated.
Anything is possible but access to the URL is prevented by design in the
SAML protocol other than by using RelayState and making assumptions that
only apply if you control both ends.

The formal way to do what you're after is with a SAML extension in the
AuthnRequest.

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
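Scott's "formal way" above is to carry the application token inside the AuthnRequest's <samlp:Extensions> element rather than borrowing RelayState for it. The following is an added example, not code from this thread or from Shibboleth: it builds an AuthnRequest with a hypothetical mybiz:AppToken extension (the namespace urn:example:mybiz:ext and the element name are assumptions) and shows what the IdP side would extract and validate. It uses the stdlib XML parser on a message it constructs itself; a real IdP endpoint has to parse untrusted XML defensively and verify the request signature before trusting anything found in Extensions.

```python
"""Added example (not Shibboleth code): app token via <samlp:Extensions>."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MYBIZ = "urn:example:mybiz:ext"   # hypothetical extension namespace, an assumption
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
ET.register_namespace("mybiz", MYBIZ)


def build_authn_request(issuer, acs_url, destination, app_token):
    """SP side: an AuthnRequest whose Extensions element carries the app token.

    Signing is omitted; in production the request (including Extensions)
    must be signed so the IdP can tell the token came from the SP.
    """
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + secrets.token_hex(16),
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    # Schema order is Issuer, Signature, Extensions, Subject, ...; Extensions
    # may hold any namespace-qualified element both ends have agreed on.
    ext = ET.SubElement(req, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{MYBIZ}}}AppToken").text = app_token
    return ET.tostring(req, encoding="unicode")


def extract_app_token(xml_text, max_len=128):
    """IdP side: pull the token out of Extensions, or None if absent.

    The value is treated as untrusted input: bounded length and a strict
    character class, so a custom login handler never sees arbitrary data.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    node = root.find(f"{{{SAMLP}}}Extensions/{{{MYBIZ}}}AppToken")
    if node is None or not node.text:
        return None
    token = node.text.strip()
    if len(token) > max_len or not token.isalnum():
        raise ValueError("malformed AppToken")
    return token


if __name__ == "__main__":
    # Constructed sample values; the token matches the one in the thread.
    xml = build_authn_request("https://sp.example", "https://sp.example/acs",
                              "https://idp.example/sso", "abcd1234")
    print(xml)
    print("token at IdP:", extract_app_token(xml))
```

The point of the Extensions route is that the token travels inside the signed protocol message, where the IdP can both find it reliably and attribute it to the requesting SP, which is exactly what a raw URL in RelayState cannot give you.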
Daniel Gay
2014-08-15 19:04:36 UTC
Ok thanks Paul and Scott. It seems like relay state might be a solution.

I changed the relay state setting on my SP and can now see the requested
URL passed as parameter to the IDP. The IDP responds with a 302 though to
the AuthnEngine servlet, without the relay state parameter. If I can make
an educated guess, the IDP must store the relay state somewhere for
eventual sending back to the SP. From my custom login handler, where can I
get it?
Post by Cantor, Scott
Post by Daniel Gay
It's step 5 that I'm unclear as to the best way to do that. The token
(well really, I'd like the whole URL) gets lost in the redirects, but I
was hoping that the original URL would be sent to the IDP and that I'd
somehow have that info available to my custom code.
Is this possible? Any thoughts or direction greatly appreciated.
Anything is possible but access to the URL is prevented by design in the
SAML protocol other than by using RelayState and making assumptions that
only apply if you control both ends.
The formal way to do what you're after is with a SAML extension in the
AuthnRequest.
-- Scott
--
Daniel Gay
Quentin Systems LLC
571-249-4783
Paul Hethmon
2014-08-15 19:24:33 UTC
On Aug 15, 2014, at 3:04 PM, Daniel Gay <daniel.gay-0UMBjBLXp4DkQYj/***@public.gmane.org> wrote:

I changed the relay state setting on my SP and can now see the requested URL passed as parameter to the IDP. The IDP responds with a 302 though to the AuthnEngine servlet, without the relay state parameter. If I can make an educated guess, the IDP must store the relay state somewhere for eventual sending back to the SP. From my custom login handler, where can I get it?
It's returned as a field of the SAML form that is posted to your SP. One field is the SAML Response, the other is RelayState.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org
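Paul describes the return leg: the IdP posts a form to the SP with a SAMLResponse field and a RelayState field, the latter echoed unchanged. Because the IdP echoes whatever it received, an SP that puts the raw original URL in RelayState (as Dan's SP setting does) gets that URL back as untrusted browser-supplied input. The following is an added example, not code from this thread or from Shibboleth, of the SP-side pattern that avoids that: RelayState is an opaque, single-use, expiring reference that the SP resolves to the stored URL after validating the response, and URLs outside the SP's own hosts are never remembered at all. The class and function names, the host list and the sample form values are all constructed for the example.

```python
"""Added example (not Shibboleth code): opaque RelayState round trip at the SP."""
import secrets
import time
from urllib.parse import urlsplit

MAX_RELAYSTATE_BYTES = 80   # SAML 2.0 bindings cap RelayState at 80 bytes


class RelayStateStore:
    """Maps an opaque RelayState value to the URL the user originally asked for."""

    def __init__(self, allowed_hosts, ttl_seconds=300, clock=time.time):
        self.allowed_hosts = set(allowed_hosts)
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self._pending = {}          # state -> (original_url, expires_at)

    def create(self, original_url):
        """Called when the SP intercepts the request (step 2 in Dan's flow)."""
        parts = urlsplit(original_url)
        if parts.scheme != "https" or parts.hostname not in self.allowed_hosts:
            raise ValueError("refusing to remember a URL outside the SP's own hosts")
        state = secrets.token_urlsafe(24)   # 32 chars, comfortably under 80 bytes
        self._pending[state] = (original_url, self.clock() + self.ttl)
        return state

    def consume(self, relay_state):
        """Resolve a RelayState value exactly once; None for unknown, oversized or stale."""
        if relay_state is None or len(relay_state.encode()) > MAX_RELAYSTATE_BYTES:
            return None
        entry = self._pending.pop(relay_state, None)
        if entry is None:
            return None
        url, expires_at = entry
        if self.clock() > expires_at:
            return None
        return url


def idp_post_form(saml_response_b64, relay_state):
    """Shape of the form the IdP posts to the SP's ACS: two fields, RelayState echoed as-is."""
    form = {"SAMLResponse": saml_response_b64}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def sp_acs_target(store, form, default="/"):
    """Where the SP sends the browser after the SAMLResponse has been validated
    (signature, audience, conditions: omitted here). Falls back to a safe default
    rather than redirecting to anything the form itself names."""
    return store.consume(form.get("RelayState")) or default


if __name__ == "__main__":
    store = RelayStateStore(["myapp.mybiz.com"])
    state = store.create("https://myapp.mybiz.com/foo?token=abcd1234")
    # Constructed stand-in for a base64 SAMLResponse; the IdP echoes the state.
    form = idp_post_form("PHNhbWxwOlJlc3BvbnNlLi4u", state)
    print("redirect to:", sp_acs_target(store, form))
    print("replayed form goes to:", sp_acs_target(store, form))
```

Note what this does and does not give you: the SP recovers the original URL (token included) safely, but the IdP still only ever sees an opaque string, which is Scott's point that RelayState is not a channel for the IdP to read application data from.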
Cantor, Scott
2014-08-15 19:27:40 UTC
Post by Daniel Gay
I changed the relay state setting on my SP and can now see the requested
URL passed as parameter to the IDP. The IDP responds with a 302 though
to the AuthnEngine servlet, without the relay state parameter. If I can
make an educated guess, the IDP must store the relay state somewhere for
eventual sending back to the SP. From my custom login handler, where can
I get it?
I don't know that you can. You're not meant to, so it's not really a goal.

-- Scott
Daniel Gay
2014-08-15 19:31:12 UTC
Ok, thanks for the info. Sounds like my best bet is to re-think the
feature.

Dan
Post by Cantor, Scott
Post by Daniel Gay
I changed the relay state setting on my SP and can now see the requested
URL passed as parameter to the IDP. The IDP responds with a 302 though
to the AuthnEngine servlet, without the relay state parameter. If I can
make an educated guess, the IDP must store the relay state somewhere for
eventual sending back to the SP. From my custom login handler, where can
I get it?
I don't know that you can. You're not meant to, so it's not really a goal.
-- Scott
--
Daniel Gay
Quentin Systems LLC
571-249-4783
Cantor, Scott
2014-08-15 19:36:48 UTC
Post by Daniel Gay
Ok, thanks for the info. Sounds like my best bet is to re-think the
feature.
I would urge that regardless. If you want to discriminate, you should be
assigning multiple entityIDs to the pieces of content you have and treat
them as separate SPs.

-- Scott
Cantor, Scott
2014-08-15 19:29:21 UTC
Post by Cantor, Scott
I don't know that you can. You're not meant to, so it's not really a goal.
Looks like it's in the Saml2LoginContext class, so accessing the login
context is how.

-- Scott
Paul Hethmon
2014-08-15 19:43:57 UTC
On Aug 15, 2014, at 3:29 PM, Cantor, Scott <cantor.2-ZbGKxL/***@public.gmane.org> wrote:

I don't know that you can. You're not meant to, so it's not really a goal.

Looks like it's in the Saml2LoginContext class, so accessing the login
context is how.

Duh, yea, I should really read the question. It's there and you can get to it as Scott indicates.

I had at one point to hack the Shib code to manipulate it for an SP, very ugly, very wrong, but big customers sometimes get what they want instead of what's right.

Paul

Paul Hethmon
Chief Software Architect
paul.hethmon-NC06ibP+gDOju1H+chf1WFaTQe2KTcn/@public.gmane.org