Comments (5)
Fusty
commented on August 16, 2024
@chrismccracken I originally put this on the metadata issue that was nearly identical to this. Apologies.
When will users be hitting this login URI? Specifically "$SPEndpointHostname/dotsaml/login/$SAML_Config_UUID". Where in the series of requests is that occuring?
Are we expecting that to be the initial GET request to begin the login process, or is it the POST request as a user is returning from an Idp after authenticating there?
When a user hits /c or /dotAdmin or something else in the includePathArray (which can be user-defined) we figure out where to send them based on if their current Site is associated with a saml configuration. When they hit /dotsaml/login/{UUID} there isn't any request that occurs before that where we hang on to, so we don't know where they should return to.
Also there is zero guarantee that they'll initiate login on the same domain which they will return on. This means we'll have lost any indication of what they were originally requesting and have to pick some sensible default place to send them.
from plugin-com.dotcms.dotsaml.
chrismccracken
commented on August 16, 2024
$SPEndpointHostname/dotsaml/login/$SAML_Config_UUID is the assertion consumer service (ACS) URL that receives the SAMLResponse and processes the user's login to dotCMS after authenticating to the IDP. Clients should never initiate a connection here, all authentication sessions should be initiated by a request to a protected resource that they do not have current session access to. The initiating request should be sent to the IDP as a redirect URL parameter that the IDP can then pass back as a query string param for use by the ACS. The ACS will redirect to the original resource after the dotCMS login has been processed.
There is an outstanding issue with cross-domain requests within dotCMS where the $SPEndpointHostname does not match the initiation URL hostname, which will be resolved via a future enhancement and we do not intend to address during this code effort (there are additional cross-host session security issues around this).
from plugin-com.dotcms.dotsaml.
Fusty
commented on August 16, 2024
Excellent, thanks for the clarification. I need to read up on how IDPs handle the redirect parameters.
from plugin-com.dotcms.dotsaml.
chrismccracken
commented on August 16, 2024
The redirect URL was something that was working in the prior plugin before this development effort, FWIW.
from plugin-com.dotcms.dotsaml.
gabbydotCMS
commented on August 16, 2024
Tested with code from ethode-sp-endpoint-acs-rework branch.
We still need to test integration with IdP, but the endpoint is at the right URL and available.
from plugin-com.dotcms.dotsaml.
Related Issues (20)
- Merge latest code into 4.0-4.3.x (master branch for 4.3.x) HOT 1
- Signature cannot be validated HOT 4
- Wrong request binding HOT 9
- Exception when entering dummy info HOT 4
- URL parameters are being lost after redirecting to the IdP
- Checking SAML Config file per each backend request HOT 13
- Response Signated Signed-ness can flip when xml is read HOT 1
- Cert/Key on DOS format file are not processed
- Issues with keystore.entry.id
- Allow SAML logout without cross-origin XHR request to SAML auth server, thus avoiding CORS restrictions HOT 1
- Add deprecation notice HOT 1
- REQ#1 - ERROR - SP Metadata not being generated HOT 4
- SAML Log File HOT 2
- REQ#1 - ERROR - SP Metadata Endpoint not working as expected HOT 9
- REQ#1 - SP Metadata - AssertionConsumerService's Location should be the Login Endpoint HOT 3
- REQ#1 - ERROR - Login Endpoint returns: 405 - Method Not Allowed HOT 1
- SP Endponint Hostname is still incorrect (both property name and usage) HOT 3
- java.lang.IndexOutOfBoundsException when handling the assertion in the response message form the IdP HOT 3
- Security Issue: AuthnRequestsSigned on SP Metadata should always be true HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from plugin-com.dotcms.dotsaml.