SAML: add AllowLoginFromIDP option
parent
5c26f07d27
commit
aa5831493a
|
@ -364,7 +364,9 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
||||||
request</li>
|
request</li>
|
||||||
|
|
||||||
<li>Allow proxied authentication: allow an authentication response to be
|
<li>Allow proxied authentication: allow an authentication response to be
|
||||||
issued from another IDP that the one we register (proxy IDP)</li>
|
issued from another IDP that the one we register (proxy IDP). If you
|
||||||
|
disallow this, you should also disallow direct login form IDP, because
|
||||||
|
proxy restiction is set in authentication requests.</li>
|
||||||
|
|
||||||
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
|
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
|
||||||
etc.)</li>
|
etc.)</li>
|
||||||
|
@ -375,6 +377,10 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
||||||
<li>Resolution rule: Perl expression that will be evaluate to know if
|
<li>Resolution rule: Perl expression that will be evaluate to know if
|
||||||
this IDP is the default for the connected user. You can use for example
|
this IDP is the default for the connected user. You can use for example
|
||||||
$ENV{ to get user's IP.</li>
|
$ENV{ to get user's IP.</li>
|
||||||
|
|
||||||
|
<li>Allow login from IDP: allow a user to connect directly from an IDP
|
||||||
|
link. In this case, authentication is not a response to an issued
|
||||||
|
authentication request, and we have less control on conditions.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
|
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
|
||||||
|
|
|
@ -60,7 +60,7 @@ sub cstruct {
|
||||||
. ":samlIDPMetaDataXML:filearea",
|
. ":samlIDPMetaDataXML:filearea",
|
||||||
samlIDPMetaDataOptions => {
|
samlIDPMetaDataOptions => {
|
||||||
_nodes => [
|
_nodes => [
|
||||||
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule)
|
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP)
|
||||||
],
|
],
|
||||||
samlIDPMetaDataOptionsNameIDFormat =>
|
samlIDPMetaDataOptionsNameIDFormat =>
|
||||||
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
|
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
|
||||||
|
@ -74,6 +74,8 @@ sub cstruct {
|
||||||
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
|
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
|
||||||
samlIDPMetaDataOptionsResolutionRule =>
|
samlIDPMetaDataOptionsResolutionRule =>
|
||||||
"textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
|
"textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
|
||||||
|
samlIDPMetaDataOptionsAllowLoginFromIDP =>
|
||||||
|
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1103,6 +1105,7 @@ sub defaultConf {
|
||||||
'samlIDPMetaDataOptionsSSOBinding' => '',
|
'samlIDPMetaDataOptionsSSOBinding' => '',
|
||||||
'samlIDPMetaDataOptionsSLOBinding' => '',
|
'samlIDPMetaDataOptionsSLOBinding' => '',
|
||||||
'samlIDPMetaDataOptionsResolutionRule' => '',
|
'samlIDPMetaDataOptionsResolutionRule' => '',
|
||||||
|
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
samlServicePrivateKey => '',
|
samlServicePrivateKey => '',
|
||||||
|
@ -1194,6 +1197,7 @@ sub subDefaultConf {
|
||||||
'samlIDPMetaDataOptionsSSOBinding' => '',
|
'samlIDPMetaDataOptionsSSOBinding' => '',
|
||||||
'samlIDPMetaDataOptionsSLOBinding' => '',
|
'samlIDPMetaDataOptionsSLOBinding' => '',
|
||||||
'samlIDPMetaDataOptionsResolutionRule' => '',
|
'samlIDPMetaDataOptionsResolutionRule' => '',
|
||||||
|
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
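Review bot: The default `'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1'` in defaultConf, repeated in subDefaultConf, makes IDP-initiated login permitted for every registered IDP unless an administrator explicitly turns it off, and nothing on the line says that this is a deliberate choice. It presumably keeps the behaviour installations had before the option existed, but it is the permissive default for a security-relevant switch, so a comment would help the next reader: `# '1' keeps the historical behaviour (unsolicited IDP-initiated responses accepted); set to 0 per IDP to require SP-initiated flows`. The cstruct hunk registers the field as `bool:`, so the string '1' should render as checked — worth confirming the manager coerces it the same way as the other bool options.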
|
|
@ -206,6 +206,7 @@ sub en {
|
||||||
samlIDPMetaDataOptionsForceAuthn => 'Force authentication',
|
samlIDPMetaDataOptionsForceAuthn => 'Force authentication',
|
||||||
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
||||||
'Allow proxied authentication',
|
'Allow proxied authentication',
|
||||||
|
samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP',
|
||||||
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
|
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
|
||||||
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
|
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
|
||||||
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
|
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
|
||||||
|
@ -419,6 +420,8 @@ sub fr {
|
||||||
samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée',
|
samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée',
|
||||||
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
||||||
'Authentification proxy autorisée',
|
'Authentification proxy autorisée',
|
||||||
|
samlIDPMetaDataOptionsAllowLoginFromIDP =>
|
||||||
|
'Authentification depuis le fournisseur autorisée',
|
||||||
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
|
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
|
||||||
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
|
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
|
||||||
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',
|
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',
|
||||||
|
|
|
@ -367,6 +367,16 @@ sub extractFormInfo {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check if we accept direct login from IDP
|
||||||
|
my $allowLoginFromIDP =
|
||||||
|
$self->{samlIDPMetaDataOptions}->{$idp}
|
||||||
|
->{samlIDPMetaDataOptionsAllowLoginFromIDP};
|
||||||
|
if ( !$assertion_responded and !$allowLoginFromIDP ) {
|
||||||
|
$self->lmLog( "Direct login from IDP $idp is not allowed",
|
||||||
|
'error' );
|
||||||
|
return PE_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
# Force redirection to portal if no urldc found
|
# Force redirection to portal if no urldc found
|
||||||
# (avoid displaying the whole SAML URL in user browser URL field)
|
# (avoid displaying the whole SAML URL in user browser URL field)
|
||||||
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
|
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
|
||||||
|
|
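Review bot: The new guard `if ( !$assertion_responded and !$allowLoginFromIDP )` only rejects an unsolicited response when the per-IDP option is off, and since that option defaults to '1' the check is a no-op until an administrator disables it; the comment above it should say why the option matters, e.g. `# Unsolicited (IDP-initiated) responses cannot be matched to a request we issued, so InResponseTo and proxy restrictions do not apply; reject them unless the IDP is explicitly allowed`. The lookup on `$self->{samlIDPMetaDataOptions}->{$idp}` yields undef when the IDP has no options entry, which fails closed here — fine, but worth stating in the comment. `$assertion_responded` is computed outside the hunk, so whether this check runs after the response signature has been validated cannot be seen from here; extractFormInfo continues beyond the hunk.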