A project I'm working on has an issue with the `_user_is_logged_in` requirement introduced in #2916042 (https://www.drupal.org/project/simplesamlphp_auth/issues/2916042). Reverting this change and setting it to `_access: 'TRUE'` resolves the issue for us.

I think our situation is quite the edge-case (see below) so not sure if it's worth reverting #2916042 but I thought I'd put it out here. I'll also provide a patch asap so others can have access to it in case they need it.

Still, I wonder if it's possible to make the access requirement optional or something? I'd rather avoid patching contrib modules if possible.

Some background information on our use-case:

The site (let's call it www.example.com) requires a subscription. In most cases the IDP relies on another service that checks the user's IP to determine access. However, this isn't always possible (due to complicated reasons) so we set up 3 vhost aliases so the IDP has a second mechanism to determine which authentication method it should use if the first fails. That way, schools can use their centralized backend, libraries can use theirs, and so on, as long as they use library.example.com or school.example.com.

The problem arises when users visit the site through the 'main' entrypoint (www.example.com) from an IP that we recognize as a library (or school, for that matter). The site requires users to be authenticated so redirects to IDP, they get authed and are then returned to library.example.com/saml_login/.

When that same person (actually, machine/browser as this often involves public computers) closes the tab, then at a later time tries to access the site through www.example.com they are again redirected to the IDP (as they are logged in on library.example.com/, not www.example.com). The IDP returns them to library.example.com/saml_login/ and they get a 403.

CommentFileSizeAuthor
#10 interdiff-6-10.txt3.98 KBalbertski
#10 simplesamlphp_auth-saml_login_redirect-3112851-10.patch4.33 KBalbertski
#6 3112851-4.patch1.05 KBshamsher_alam
#5 3112851-4.patch1.04 KBshamsher_alam
#3 3112851-3.patch1.04 KBidebr
#3 interdiff-2-3.txt588 bytesidebr
#2 simplesamlphp_auth-3112851-2.patch477 bytesroderickgadellaabsl

Comments

roderickgadellaabsl created an issue. See original summary.

roderickgadellaabsl’s picture

roderickgadellaabsl commented
StatusFileSize
new simplesamlphp_auth-3112851-2.patch477 bytes

Added a patch that should revert 2916042.

idebr’s picture

idebr commented
Title: Issue with saml_login route requirement for only unauthenticated users » /saml_login requires anonymous user, but this path is a redirect destination for users logged in through SAML
Status: Active » Needs review
StatusFileSize
new interdiff-2-3.txt588 bytes
new 3112851-3.patch1.04 KB

Following up from #2916042: Set simplesamlphp_auth.saml_login route requirement for only unauthenticated users: the assumption was that /saml_login is only used as the login page. However, this path is also used for users returning from the IdP.

The login path in 8.x-3.x HEAD is currently:

  1. /saml_login
  2. IdP (user enters credentials)
  3. /simplesaml/module.php/saml/sp/saml2-acs.php/[authsource]
  4. /saml_login (user is authenticated in Drupal at this point)
  5. /user/login
  6. /user

The login path after patch in #3:

  1. /saml_login
  2. IdP (user enters credentials)
  3. /simplesaml/module.php/saml/sp/saml2-acs.php/[authsource]
  4. /saml_login (user is authenticated in Drupal at this point)
  5. /user
kingdutch’s picture

kingdutch
he/him
Primary language English
commented

We've had similar issues with this.

In our case users come from an external platform and should always be logged in. For this reason the external platform uses /saml_login as the landing page. However, this will cause an error pages who had a previous session active.

It looks like #3 would solve the problem.

One addition I'd like to see is for the redirect for authenticated users to respect the destination parameter. That way an external site can link directly to a certain page for authenticated users. This currently works for /user/login as well.

As an example https://www.drupal.org/user/login?destination=/project/simplesamlphp_aut... brings both anonymous and authenticated users to this issue :)

shamsher_alam’s picture

shamsher_alam commented
StatusFileSize
new 3112851-4.patch1.04 KB

Updated Patch.

shamsher_alam’s picture

shamsher_alam commented
StatusFileSize
new 3112851-4.patch1.05 KB
mstrelan’s picture

mstrelan commented

Another interesting edge case:

We're using the require_login module which directs anonymous users to /saml_login. When clicking a link from a Word document to a page on the website, users who are already logged in will be redirected to /saml_login with a 403. This is due to this "feature" in Microsoft Office: You are redirected to a logon page or an error page, or you are prompted for authentication information when you click a hyperlink to a SSO Web site in an Office document.

We solved it with the registry key from the knowledge base article, but this kind of patch could certainly work too. I'm not quite sure system.admin_content is an appropriate default.

mxr576’s picture

mxr576
Primary language Hungarian
Location Hungary
commented

I have just uploaded a patch to a related issue which could solve the this one too, please test: https://www.drupal.org/project/simplesamlphp_auth/issues/3127628#comment...

If it does not solve it, please share your feedback here instead of in the other issue thread.

johne’s picture

johne commented

This patch works great.

albertski’s picture

albertski commented
StatusFileSize
new simplesamlphp_auth-saml_login_redirect-3112851-10.patch4.33 KB
new interdiff-6-10.txt3.98 KB

This patch works great but in my case, I don't want all anonymous users to go to their user page after SAML login and all already authenticated users to go to the admin/content page. I updated the patch and added configuration for anonymous users redirect and authenticated users redirect.

kekkis’s picture

kekkis
he/him
Primary language Finnish
Location Pirkkala
commented

@albertski I installed your patch and tested it. It doesn't look like the 'anonymous' redirect config affects anything at all.

+    if ($this->account->isAnonymous()) {
+      $redirect = $this->config->get('anonymous_saml_login_redirect') ? $this->config->get('anonymous_saml_login_redirect') : '/user';
+    }

I think the reason might be that at the time this code is being executed, the user has already been logged in and therefore is not anonymous.

Otherwise the patch does seem to fix at least something. Further testing is commencing in production soon.

owenbush’s picture

owenbush commented
Status: Needs review » Reviewed & tested by the community

I have reviewed the patch in #3 and it worked great.

Without the patch:

1. /saml_login redirected me to my IdP to login
2. I logged in
3. Redirected to /user
4. Manually navigated to /saml_login after logging in
5. Received a 403 forbidden

With the patch:

1. /saml_login redirected me to my IdP to login
2. I logged in
3. Redirected to /user
4. Manually navigated to /saml_login after logging in
5. Redirected to my /user

We've had a number of patch #3 confirmations, so I'm marking this as RTBC.

As an aside, I tested the patch in #10 and the anonymous user redirect never fired, so it does not seem that the extra work there is in a working state at this time.

sivaprasadc’s picture

sivaprasadc commented

The patch works great in my case. +1 RTBC

karenann’s picture

karenann commented

I am using simpleSAMLphp Authentication 4.0.0 on 10.3.8 and the patch in #10 appears to apply cleanly and functions as I expect. [update] I did not test the anonymous firing so I yield to what others say.
+1 RTBC