Closed (fixed)
Project:
SAML Authentication
Version:
8.x-3.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
29 Sep 2017 at 11:06 UTC
Updated:
29 Apr 2021 at 14:07 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
validoll commentedI created patch to add option for use the `Forwarded-For-*` headers.
Comment #3
roderikAs remarked in #2887207-3: Improve support for ADFS, I'm currently still of the opinion that we should probably add OneLogin options to the admin screen, rather than make that generally extensible by modules. (Unless someone comes up with a great way of 'altering' the form and the settings.)
So thanks for doing this.
I think this 'global' setting inside the constructor is indeed the way to go, because of how the OneLogin SAML toolkit has coded things. However I'll wait with committing this, for the opinion of nathandentzau who's working on testability.
Comment #4
andreperazzi commentedI'm getting errors when trying to apply this patch
Comment #5
validoll commentedPlease provide log of errors to investigate.
Do you apply it on version 8.x-2.x?
Comment #6
andreperazzi commentedI'm using 8.x-2.0-alpha1
Git apply was skipping:
This is what I was getting with patch:
So I went there and manually added the lines to SamlService.php
I found that the line
$this->privateTempStore = $temp_store_factory->get('samlauth');was not there, so I added the code after$this->eventDispatcher = $event_dispatcher;So I guess 8.x-2.0-alpha1 is conflicting with this patch.
This code should be merged to the code. It's really helpful and solved my problem when running this SAML module in IBM Bluemix, since it proxies the app.
Comment #7
validoll commentedThis patch for 8.x-2.x-dev not for 8.x-2.0-alpha1.
Latest dev version has many changes in config form.
Comment #8
validoll commentedYou can use this patch for 8.x-2.0-alpha1.
Comment #9
awm commentedI was having the same issue and thought of writing this same exact patch. https://github.com/onelogin/php-saml/issues/290#issuecomment-367619732. Then I tried to configure drupal revers proxy which usually takes care of the headers forwarding. So I did the following:
//condition to tell me that I am on a certain env with
and if you're proxy is doing the ssl termination you may add
Doing this made it all work for me without adding the \OneLogin_Saml2_Utils::setProxyVars(TRUE);
However, I would like to know is there a way to actually extend the module to add \OneLogin_Saml2_Utils::setProxyVars(TRUE); or other options as needed? Perhaps this can be re-written to allow developers to modify and add extra properties?
Comment #10
awm commentedComment #11
roderikSorry for leaving this hanging for so long. The "working on testability" that I mentioned in October 2017, still has not materialized and this will likely not influence it. (I doubt we're going to be making automated tests for this specific feature, so we won't care about this global call.)
Now committed, although with a different setting name.
@awm
Your question is broad ranging / can be interpreted in multiple ways.
Broadly speaking there is definitely a way to extend the module yourself do to this. Services in Drupal can be overridden, so you can implement a child class and extend the constructor.
But if you mean rewriting this module for a generic approach to make it easier to add options to the configuration UI:
1) I doubt that, because there is no generic way in which the SAML Toolkit library handles 'options'. It has a settings object, which is a multi-dimensional array; then there are alterable parameters to the login() / processSLO() / etc methods, and then there are other global methods to call like \OneLogin_Saml2_Utils::setProxyVars(TRUE). This is hard to generalize.
2) I also have doubts about the usefulness of this approach; in my mind having a well thought out settings UI / layout / descriptions, rather than making it generic, can really help people. And this is possible because the amount of configurable options/calls which the library has, is finite, and isn't evolving that fast.
Obviously that still doesn't help if applying patches takes two and a half years...
I considered adding your proposed text to the README, but then saw on the Drupal docs page that the suggested approach (adding $_SERVER['REMOTE_ADDR']) is explicitly discouraged. I opted for linking to the Drupal docs page from the UI instead.
Comment #13
roderikI hope there's no issue with the fact that I applied the fix to 8.x-3.x only.
(The usage stats reveal that there is still a fairly large amount of 8.x-2.x
users, but it's really easy to switch; there's no upgrade path.)
Comment #15
roderikFYI:
I suspect that the 'samlauth_proxy_vars' (i.e. calling
\OneLogin_Saml2_Utils::setProxyVars(TRUE);) and any other settings.php configuration is unnecessary if we add the 'baseurl' setting, as the D7 version has done in https://www.drupal.org/commitlog/commit/79214/3668c3021a0455ae9d2b925006... .I haven't tested it. If somebody feels like testing that, that would be cool. If/when a 4.x branch gets opened, this option is a candidate for removal.
Comment #16
roderikThere is now a checkbox in the configuration UI (of 8.x-3.1) that bypasses the 'samlauth_proxy_vars' option. The aim is that you can test this, before 'samlauth_proxy_vars' gets removed in v4.