
Redirect Loop after SSO

Open UNICodehORN opened this issue 2 years ago • 4 comments

I configured my IDP and followed the instructions given in the Readme section.

When I call `https://url-of-my-website/saml2/{uuid}/login` I see the SSO page of my IDP. After successfully logging in I end up in a redirect loop: `https://my-idp-sso-provider/saml2/idp/?SAMLRequest=&RelayState=https://url-of-my-website/saml2/{uuid}/login`

For each redirect I see `[2022-08-09 18:06:28] local.DEBUG: [Saml2] Tenant resolved {"uuid":"uuid","id":1,"key":"sso_key"}` in my laravel log.

```php
// Imports assumed for a Laravel 8+ app using the 24Slides laravel-saml2 package.
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Event;
use Slides\Saml2\Events\SignedIn;

Event::listen(SignedIn::class, function (SignedIn $event) {

    $messageId = $event->getAuth()->getLastMessageId();

    // your own code preventing reuse of a $messageId to stop replay attacks
    $samlUser = $event->getSaml2User();

    $userData = [
        'id' => $samlUser->getUserId(),
        'attributes' => $samlUser->getAttributes(),
        'assertion' => $samlUser->getRawSamlAssertion()
    ];

    // Just dumping the login works
    //dd($userData);

    // find user by ID or attribute; php-saml returns each attribute as a list of values
    $username = $userData["attributes"]["username"][0] ?? null;
    $user = User::where('name', $username)->first();

    // Login a user (refuse if no local user matched, otherwise loginUsingId gets a null id).
    if ($user === null) {
        abort(403);
    }
    Auth::loginUsingId($user->id);
});
```

From the Kernel:

```php
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'saml' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
    ],

    'api' => [
        // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
```

From saml2.php: `'routesMiddleware' => ['saml'],`

UNICodehORN, Aug 09 '22 18:08
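The listener in the post leaves the "prevent reuse of a $messageId" step as a comment and assumes the user lookup always succeeds. The following is an added example (not code from the issue or from the laravel-saml2 project) of a SignedIn listener that fills in both gaps: it records each processed message ID in the cache with an atomic `Cache::add()` so a replayed Response is refused, and it fails closed when the assertion carries no usable username or no local account matches. Assumed, because the issue does not show them: the event class namespace `Slides\Saml2\Events\SignedIn`, a `User` model with a `name` column, and the Laravel `Cache`, `Auth`, `Event` and `Log` facades.

```php
<?php
// Added example, not from the issue or the laravel-saml2 project.
// Assumptions: Slides\Saml2\Events\SignedIn (24Slides package event class),
// an App\Models\User model with a "name" column, Laravel facades.

namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Event;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\ServiceProvider;
use Slides\Saml2\Events\SignedIn;

class SamlEventServiceProvider extends ServiceProvider
{
    // The replay cache only has to outlive the assertion validity window that
    // the SP already enforces on NotOnOrAfter; ten minutes is a generous bound.
    private const REPLAY_WINDOW_SECONDS = 600;

    public function boot(): void
    {
        Event::listen(SignedIn::class, function (SignedIn $event): void {
            $messageId = $event->getAuth()->getLastMessageId();

            // Replay protection: Cache::add() returns false when the key already
            // exists, so two Responses with the same ID cannot both pass.
            if (!is_string($messageId) || $messageId === ''
                || !Cache::add('saml2:msg:' . sha1($messageId), 1, self::REPLAY_WINDOW_SECONDS)) {
                Log::warning('[Saml2] replayed or missing message ID', ['id' => $messageId]);
                abort(403, 'SAML response already processed');
            }

            $samlUser   = $event->getSaml2User();
            $attributes = $samlUser->getAttributes();

            // php-saml exposes every attribute as a list of values; use the first.
            $username = $attributes['username'][0] ?? null;
            if (!is_string($username) || $username === '') {
                Log::warning('[Saml2] assertion without username attribute',
                    ['nameId' => $samlUser->getUserId()]);
                abort(403, 'Assertion lacks a usable username');
            }

            $user = User::where('name', $username)->first();
            if ($user === null) {
                // Fail closed: no just-in-time provisioning in this example.
                Log::warning('[Saml2] no local account for SSO user', ['username' => $username]);
                abort(403, 'No local account for this identity');
            }

            Auth::login($user);
        });
    }
}
```

Register the provider in `config/app.php` as usual. Because `abort()` throws an `HttpException`, a rejected assertion ends the ACS request before the package redirects to the RelayState, and nothing is written to the session.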

Interesting thing I noticed: if I add `?returnTo=someUrl` to the login URL I am redirected to that URL after the login and I am also logged in as the correct user.

No redirect loop in that case.

UNICodehORN, Aug 09 '22 18:08

Hello friends. I solved a problem like this in my project by setting `--relayStateUrl` on the create tenant statement. Before I recognized this, the redirects on the Azure test were normal, but in my localhost environment a loop started. Looking at the possible causes I found this field empty on the tenant record in the database, so I put in any URL and the loop was solved.

I hope this information helps.

flpdev, May 19 '23 19:05

In addition to the other 2 solutions, you can also set `SAML2_LOGIN_URL` in your environment or add a default for `loginRoute` in the config file. These would apply for all tenants that don't have a `relay_state_url` set.

For my case, @UNICodehORN's solution was the best because it's the only way to preserve the original URL that the user was trying to visit. I also set a URL in the config as a fallback.

jamesratcliffe, May 25 '23 15:05
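The thread settles on passing the user's original URL through `?returnTo=` so it survives the round trip to the IdP as RelayState. Whatever ends up in that parameter is where the user is sent after authentication, so the application should only ever build it from a path on its own host. The following is an added example (plain PHP, not code from the issue or from the laravel-saml2 project) that constructs the tenant login URL from the issue's `/saml2/{uuid}/login` route with a `returnTo` restricted to the application's own origin; the helper names, `$appBase` and the sample values are constructed for this example.

```php
<?php
// Added example, not from the issue or the laravel-saml2 project.
// Assumptions: the /saml2/{uuid}/login route and ?returnTo= parameter from the
// issue; $appBase is the origin the application is served on.

/**
 * Reduce a user-supplied return target to a path (+ query) on this application.
 * Anything with a foreign host, a non-http(s) scheme, or a protocol-relative /
 * backslash-prefixed path collapses to the fallback "/".
 */
function safeReturnTo(?string $candidate, string $appHost): string
{
    $fallback = '/';
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['host']) && strcasecmp($parts['host'], $appHost) !== 0) {
        return $fallback;
    }
    $path = $parts['path'] ?? '/';
    // Require exactly one leading slash: "//host" and "/\host" are host-relative in browsers.
    if ($path === '' || $path[0] !== '/'
        || (isset($path[1]) && in_array($path[1], ['/', '\\'], true))) {
        return $fallback;
    }
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $path . $query;
}

/** Build the SP-initiated login URL for a tenant with a validated returnTo. */
function tenantLoginUrl(string $appBase, string $tenantUuid, ?string $returnTo): string
{
    $base   = rtrim($appBase, '/');
    $host   = (string) parse_url($base, PHP_URL_HOST);
    $target = $base . safeReturnTo($returnTo, $host);
    return $base . '/saml2/' . rawurlencode($tenantUuid) . '/login?returnTo=' . rawurlencode($target);
}

// Constructed inputs for a quick self-check (run with zend.assertions=1).
$base = 'https://url-of-my-website';
assert(safeReturnTo('/dashboard?tab=2', 'url-of-my-website') === '/dashboard?tab=2');
assert(safeReturnTo('https://url-of-my-website/reports', 'url-of-my-website') === '/reports');
assert(safeReturnTo('https://my-idp-sso-provider/anything', 'url-of-my-website') === '/');
assert(safeReturnTo('//other.example/x', 'url-of-my-website') === '/');
assert(safeReturnTo('ftp://url-of-my-website/file', 'url-of-my-website') === '/');
assert(tenantLoginUrl($base, 'tenant-uuid', '/dashboard?tab=2')
    === $base . '/saml2/tenant-uuid/login?returnTo=' . rawurlencode($base . '/dashboard?tab=2'));
echo tenantLoginUrl($base, 'tenant-uuid', '/dashboard?tab=2'), PHP_EOL;
```

Keeping the tenant's `relay_state_url` (or `SAML2_LOGIN_URL`) set as well, as the comments above suggest, means an IdP-initiated login with an empty RelayState still lands on a real page rather than back on the login route that produced the loop.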