diff --git a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
index 1a07d68e8..7a484ce75 100644
--- a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
+++ b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
@@ -364,7 +364,9 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
request
Allow proxied authentication: allow an authentication response to be
- issued from another IDP that the one we register (proxy IDP)
+ issued from another IDP that the one we register (proxy IDP). If you
+ disallow this, you should also disallow direct login form IDP, because
+ proxy restiction is set in authentication requests.
SSO binding: force binding to use for SSO (http-redirect, http-post,
etc.)
@@ -375,6 +377,10 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
Resolution rule: Perl expression that will be evaluate to know if
this IDP is the default for the connected user. You can use for example
$ENV{ to get user's IP.
+
+ Allow login from IDP: allow a user to connect directly from an IDP
+ link. In this case, authentication is not a response to an issued
+ authentication request, and we have less control on conditions.
Partner IDP
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index 6af012468..330fee827 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -60,7 +60,7 @@ sub cstruct {
. ":samlIDPMetaDataXML:filearea",
samlIDPMetaDataOptions => {
_nodes => [
- qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule)
+ qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP)
],
samlIDPMetaDataOptionsNameIDFormat =>
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
@@ -74,6 +74,8 @@ sub cstruct {
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
samlIDPMetaDataOptionsResolutionRule =>
"textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
+ samlIDPMetaDataOptionsAllowLoginFromIDP =>
+"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
},
}
}
@@ -1103,6 +1105,7 @@ sub defaultConf {
'samlIDPMetaDataOptionsSSOBinding' => '',
'samlIDPMetaDataOptionsSLOBinding' => '',
'samlIDPMetaDataOptionsResolutionRule' => '',
+ 'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
}
},
samlServicePrivateKey => '',
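Review bot: The new default `'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1'` enables IdP-initiated login for every registered IdP unless an administrator opts out, while the documentation text added in this same commit notes that such logins give the SP less control over the authentication conditions. Since nothing in the hunk records why the permissive value was chosen, a trailing comment such as `# '1' keeps IdP-initiated login enabled for existing deployments; set to '0' to require SP-initiated flows` would let a later maintainer distinguish a compatibility choice from an oversight. The same default is repeated in the subDefaultConf hunk below and would want the same comment. Both defaultConf and subDefaultConf start outside their hunks.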
@@ -1194,6 +1197,7 @@ sub subDefaultConf {
'samlIDPMetaDataOptionsSSOBinding' => '',
'samlIDPMetaDataOptionsSLOBinding' => '',
'samlIDPMetaDataOptionsResolutionRule' => '',
+ 'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
},
};
}
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 335c2892a..71b8fd1fe 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -206,6 +206,7 @@ sub en {
samlIDPMetaDataOptionsForceAuthn => 'Force authentication',
samlIDPMetaDataOptionsAllowProxiedAuthn =>
'Allow proxied authentication',
+ samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP',
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
@@ -419,6 +420,8 @@ sub fr {
samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée',
samlIDPMetaDataOptionsAllowProxiedAuthn =>
'Authentification proxy autorisée',
+ samlIDPMetaDataOptionsAllowLoginFromIDP =>
+ 'Authentification depuis le fournisseur autorisée',
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
index 808f4aaad..d79961d0a 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/AuthSAML.pm
@@ -367,6 +367,16 @@ sub extractFormInfo {
}
}
+ # Check if we accept direct login from IDP
+ my $allowLoginFromIDP =
+ $self->{samlIDPMetaDataOptions}->{$idp}
+ ->{samlIDPMetaDataOptionsAllowLoginFromIDP};
+ if ( !$assertion_responded and !$allowLoginFromIDP ) {
+ $self->lmLog( "Direct login from IDP $idp is not allowed",
+ 'error' );
+ return PE_ERROR;
+ }
+
# Force redirection to portal if no urldc found
# (avoid displaying the whole SAML URL in user browser URL field)
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
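Review bot: The runtime check treats a missing `samlIDPMetaDataOptionsAllowLoginFromIDP` key as "not allowed" (undef is false in `!$allowLoginFromIDP`), whereas the defaultConf and subDefaultConf hunks in this commit declare the default as `'1'`; if stored configurations created before this option exist without the key, their IdP-initiated logins would presumably start being rejected with PE_ERROR until the configuration is re-saved, which does not match the declared default. If that is unintended, the lookup could apply the documented default explicitly, e.g. `my $opt = $self->{samlIDPMetaDataOptions}->{$idp}->{samlIDPMetaDataOptionsAllowLoginFromIDP};` followed by `my $allowLoginFromIDP = defined $opt ? $opt : 1;`, or the comment could state that an unset option intentionally fails closed. The correctness of this gate also rests on how `$assertion_responded` is derived, which is outside the hunk; a comment on the `if` line naming what that flag means (a response matching an authentication request this SP issued, if that is indeed what it checks) would make the intent reviewable. extractFormInfo starts and ends outside the hunk.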