SAML: add AllowLoginFromIDP option
This commit is contained in:
parent
5c26f07d27
commit
aa5831493a
|
@ -364,7 +364,9 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
|||
request</li>
|
||||
|
||||
<li>Allow proxied authentication: allow an authentication response to be
|
||||
issued from another IDP that the one we register (proxy IDP)</li>
|
||||
issued from another IDP that the one we register (proxy IDP). If you
|
||||
disallow this, you should also disallow direct login form IDP, because
|
||||
proxy restiction is set in authentication requests.</li>
|
||||
|
||||
<li>SSO binding: force binding to use for SSO (http-redirect, http-post,
|
||||
etc.)</li>
|
||||
|
@ -375,6 +377,10 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
|||
<li>Resolution rule: Perl expression that will be evaluate to know if
|
||||
this IDP is the default for the connected user. You can use for example
|
||||
$ENV{ to get user's IP.</li>
|
||||
|
||||
<li>Allow login from IDP: allow a user to connect directly from an IDP
|
||||
link. In this case, authentication is not a response to an issued
|
||||
authentication request, and we have less control on conditions.</li>
|
||||
</ul>
|
||||
|
||||
<h3 class="heading-1-1"><span id="HPartnerIDPconfiguration">Partner IDP
|
||||
|
|
|
@ -60,7 +60,7 @@ sub cstruct {
|
|||
. ":samlIDPMetaDataXML:filearea",
|
||||
samlIDPMetaDataOptions => {
|
||||
_nodes => [
|
||||
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule)
|
||||
qw(samlIDPMetaDataOptionsNameIDFormat samlIDPMetaDataOptionsForceAuthn samlIDPMetaDataOptionsAllowProxiedAuthn samlIDPMetaDataOptionsSSOBinding samlIDPMetaDataOptionsSLOBinding samlIDPMetaDataOptionsResolutionRule samlIDPMetaDataOptionsAllowLoginFromIDP)
|
||||
],
|
||||
samlIDPMetaDataOptionsNameIDFormat =>
|
||||
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsNameIDFormat",
|
||||
|
@ -74,6 +74,8 @@ sub cstruct {
|
|||
"text:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsSLOBinding",
|
||||
samlIDPMetaDataOptionsResolutionRule =>
|
||||
"textarea:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsResolutionRule",
|
||||
samlIDPMetaDataOptionsAllowLoginFromIDP =>
|
||||
"bool:/samlIDPMetaDataOptions/$k2/samlIDPMetaDataOptionsAllowLoginFromIDP",
|
||||
},
|
||||
}
|
||||
}
|
||||
|
@ -1103,6 +1105,7 @@ sub defaultConf {
|
|||
'samlIDPMetaDataOptionsSSOBinding' => '',
|
||||
'samlIDPMetaDataOptionsSLOBinding' => '',
|
||||
'samlIDPMetaDataOptionsResolutionRule' => '',
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
|
||||
}
|
||||
},
|
||||
samlServicePrivateKey => '',
|
||||
|
@ -1194,6 +1197,7 @@ sub subDefaultConf {
|
|||
'samlIDPMetaDataOptionsSSOBinding' => '',
|
||||
'samlIDPMetaDataOptionsSLOBinding' => '',
|
||||
'samlIDPMetaDataOptionsResolutionRule' => '',
|
||||
'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1',
|
||||
},
|
||||
};
|
||||
}
|
||||
|
|
|
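Review bot: The new option ships enabled (`'samlIDPMetaDataOptionsAllowLoginFromIDP' => '1'`) in both defaultConf and subDefaultConf, so every existing IdP entry keeps accepting unsolicited, IdP-initiated responses, which the documentation hunk in this same commit describes as giving "less control on conditions" because the response is not bound to an AuthnRequest this SP issued. Consider shipping it off (`'samlIDPMetaDataOptionsAllowLoginFromIDP' => '0',` in both hashes) so administrators opt in per IdP, or add a comment next to the default stating why the permissive setting was chosen. Whichever default is picked, it should match what the Portal check does when the key is absent from an older per-IdP configuration, since that consumer reads the value directly. The defaultConf and subDefaultConf hashes continue outside these hunks.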
@ -206,6 +206,7 @@ sub en {
|
|||
samlIDPMetaDataOptionsForceAuthn => 'Force authentication',
|
||||
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
||||
'Allow proxied authentication',
|
||||
samlIDPMetaDataOptionsAllowLoginFromIDP => 'Allow login from IDP',
|
||||
samlIDPMetaDataOptionsSSOBinding => 'SSO binding',
|
||||
samlIDPMetaDataOptionsSLOBinding => 'SLO binding',
|
||||
samlIDPMetaDataOptionsResolutionRule => 'Resolution rule',
|
||||
|
@ -419,6 +420,8 @@ sub fr {
|
|||
samlIDPMetaDataOptionsForceAuthn => 'Authentification forcée',
|
||||
samlIDPMetaDataOptionsAllowProxiedAuthn =>
|
||||
'Authentification proxy autorisée',
|
||||
samlIDPMetaDataOptionsAllowLoginFromIDP =>
|
||||
'Authentification depuis le fournisseur autorisée',
|
||||
samlIDPMetaDataOptionsSSOBinding => 'Méthode SSO',
|
||||
samlIDPMetaDataOptionsSLOBinding => 'Méthode SLO',
|
||||
samlIDPMetaDataOptionsResolutionRule => 'Règle de résolution',
|
||||
|
|
|
@ -367,6 +367,16 @@ sub extractFormInfo {
|
|||
}
|
||||
}
|
||||
|
||||
# Check if we accept direct login from IDP
|
||||
my $allowLoginFromIDP =
|
||||
$self->{samlIDPMetaDataOptions}->{$idp}
|
||||
->{samlIDPMetaDataOptionsAllowLoginFromIDP};
|
||||
if ( !$assertion_responded and !$allowLoginFromIDP ) {
|
||||
$self->lmLog( "Direct login from IDP $idp is not allowed",
|
||||
'error' );
|
||||
return PE_ERROR;
|
||||
}
|
||||
|
||||
# Force redirection to portal if no urldc found
|
||||
# (avoid displaying the whole SAML URL in user browser URL field)
|
||||
$self->{mustRedirect} = 1 unless ( $self->{urldc} );
|
||||
|
|
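Review bot: The guard reads the option straight from `$self->{samlIDPMetaDataOptions}->{$idp}` with no fallback, so an IdP entry saved before this option existed yields undef and `!$allowLoginFromIDP` rejects the unsolicited response, which contradicts the `'1'` default the same commit declares in defaultConf. Failing closed is the safer choice for IdP-initiated SSO, but it should be deliberate: either keep it and set the declared default to 0, or make the fallback explicit, e.g. `$allowLoginFromIDP = 1 unless defined $allowLoginFromIDP;` right after the assignment. The check also rests entirely on `$assertion_responded`, which is computed before the hunk; presumably it is true only when the response's InResponseTo matches a request this SP actually issued and stored, because otherwise an attacker could bypass the new option by supplying an arbitrary InResponseTo value, which is worth confirming in the code above. extractFormInfo starts and ends outside the hunk.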