-
Notifications
You must be signed in to change notification settings - Fork 444
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SAML2 stateless #1218
Comments
Hi @juliangums. This is a bit tricky, but fundamentally you must create state if your SAML service provider (app) is going to kick off the authentication process (SP-initiated flow). This means there's no statelessness on The other type of SAML flow is IDP-initiated (much less common) where the authentication service creates a valid, signed message on its own, and redirects the user, unsolicited, to the service provider. This is a "stateless" SAML flow, because the SP hadn't created state in advance. For the service provider to accept this unsolicited inbound request, we make the So that's why we set stateless on the receiving side, not the sending side. I haven't used filament-socialite, but I would assume that the way it works is that you hit the app (not logged in) and you're offered a choice of socialite logins (including SAML2), and if you choose to use SAML2 you're redirected to an IDP to log in and then you come back to the SP. In this case, the flow wouldn't be stateless. Can you describe more about the issue you're seeing, as I would have thought the default behaviour should be what your app expects... |
Thanks for your explaination/help @27pchrisl. It seems like it's sending a stateful request to the IDP (Microsoft Entra) but thinks it is receiving a stateless response back although there is a It registers the provider redirect here: Here is where the callback is registered: https://github.com/DutchCodingCompany/filament-socialite/blob/main/routes/web.php#L28 Issue 1 is when the But even if I just override the call to the When following the former mentioned callback https://github.com/DutchCodingCompany/filament-socialite/blob/main/routes/web.php#L28 the method registered there calls the Now the interesting part, this is where it determines if the provider is stateless or not by calling its For some reason however, further down here https://github.com/DutchCodingCompany/filament-socialite/blob/main/src/Http/Controllers/SocialiteLoginController.php#L59-L61 Any idea how to overcome these two issues? |
@27pchrisl ok as for the state that can't be decrypted it is because it's not used for the RelayState but rather a random string you're generating here https://github.com/SocialiteProviders/Providers/blob/master/src/Saml2/Provider.php#L206 It looks like the other issue is also down to the fact that |
@27pchrisl after using the workaround that is also implemented in the package soon, it works if I use However, it still fails as the and the
Any idea why this is happening? |
@juliangums it looks like
Are you still having the same failure as you started with or something different? |
@27pchrisl The The |
@27pchrisl I'm unsure if I understand it correctly but I am trying to make SAML2 work with Filament Socialite https://github.com/DutchCodingCompany/filament-socialite
I am experiencing issues and I noticed that it is due to how the stateless method and attribute is implemented in the SAML2 driver. I have been through the comments of this issue #955 and I still don't quite get why it was implemented in a way that it does not set the stateless attribute to true when calling ->stateless()->redirect(). isStateless() always returns false as that is how it is defined in the AbstractProvider class. hasInvalidState() therefore also always tries to find the state in the response but because it is stateless it does not find it and therefore always returns true. Sure I can still get the user through ->stateless()->user() but for integration with the mentioned package it will check whether to use ->stateless()->user() or ->user() based on the isStateless() return. Is there no way to set this up before redirect() as other drivers do it or even simply set $stateless to true for the SAML2 driver? Other drivers do not seem to have this issue as they seem to be built in the standardised way. I don't understand why this one doesn't. Is this a design choice or technical limitation? I'm totally new to SAML2 and all this so I wouldn't know but I would like a way to make it work.
The text was updated successfully, but these errors were encountered: