Authentication persistence about laravel-saml2 HOT 35 OPEN

I actually figured it out (at least the case I had). The session middleware was not active which prevents the user data to be saved. This is because the library's assertion consumer service route by default is not within any middleware group. Check your saml2_settings.php, there should be a 'routesMiddleware' variable and adjust it accordingly. In my case I set it to 'routesMiddleware' => ['web'] which fixed the problem.

from laravel-saml2.

Got it working! Your question about Kernel.php was the issue. This app I'm working on uses quite a lot of extra middleware, I created a new dedicated 'session' middlewaregroup which only uses the session/cookie middleware, and we're up and running. Thanks!

from laravel-saml2.

the Middleware\StartSession is not enough, use :

In class App\Http\Kernel:

        'saml' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
        ],

from laravel-saml2.

Trying to follow the setup guide. I'm having issue registering the local user session. I created a SamlEventListener hooking it to Saml2LoginEvent. When the event is fired, the handle is properly trigerred so I'm executing Auth::login($laravelUser) which seems successful at that point. Although when the page is reloaded and the middleware executed, $this->auth->guest() returns true, going into an infinite loop. Any ideas?

from laravel-saml2.

Hello @ReArmedHalo, I think that you mustn't use the default web Middleware shortcut for your saml2 routes. You must define only the required middleware for that specific part which are not the same than the rest of your application.

With that approach, you can disable CSRF only for the SAML2 part and let it active on the rest of your app.

from laravel-saml2.

Hi John,

That's by design, we don't maintain any kind of session because it's not
part of saml. Like you said that method will return true only in the same
request if the response was valid (it can't tell without redirecting in
saml). We fire an event to announce the authentication, that's the hook in
which you usually open your local session (in memory, a database,
memcached, or create a token, we don't care) and implement your local
isAuthenticated to use in the middleware.
You also have the logout hooks so you can destroy that session too and keep
it in sync. There are a few hints on the readme.
Cheers
Alejandro
On May 16, 2016 1:06 PM, "John Riordan" [email protected] wrote:

Hi Alejandro

I've successfully integrated the library in Laravel 5.0, got the
login/redirecting working properly, but cannot access SSO session
persistence. What this means is that the isAuthenticated() function in
Saml2Auth.php returns true if it is executed in the same request where the
login process succeeds, but false at any other time, even if it's in the
next request immediately after the successful login.

This makes it very hard to design my middleware properly, because ideally
I would run the isAuthenticated() function as a check and only allow the
Saml2::login() to proceed when the isAuthenticated() function returns
false. However, it always returns false, thus causing infinite looping
redirects, because the login function is called on a valid session on all
requests after the initial login.

Have you had this problem before?

Thanks

John

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#39

from laravel-saml2.

I think you get the point 😄. With that approach you can split middleware logic and it's lighter.

from laravel-saml2.

@aacotroneo Yeah thanks for the suggestions, you have given me some good options... But after the event I am still being redirected to "/"... I thought was the library redirecting me but I will have a look.

from laravel-saml2.

I have the same problem on laravel 8. Tried all the variations of the saml middleware group in this thread and tried using the web middlegroup.

from laravel-saml2.

Found solution at last!
So, Auth::login($user) was not working for me even after trying everything. (Added middlewares, etc).
It worked for me after removing all dump(), var_dump(), die(), etc. from the Listener! :D

from laravel-saml2.

Hi Alejandro

Thanks very much for the quick response, very helpful.

Kind Regards

John

from laravel-saml2.

I'm also experiencing something similar, have setup as per the instructions, added a listener, everything works nicely by the looks of it - however it's in a constant redirect loop when I add the Auth::login($user) code into the listener as per the example displayed here.

from laravel-saml2.

Thanks! Yep got the web middleware active in the config file already.

I have in Listeners/ADFSLoginListener.php

public function handle(Saml2LoginEvent $event)
{

        $user = $event->getSaml2User();

        // user lookup code $laravel_user = ....

        Auth::login($laravel_user);

}

Routes look like this:

|        | POST                           | saml2/acs                                     | saml_acs      | Aacotroneo\Saml2\Http\Controllers\Saml2Controller@acs         | web                          |
|        | GET|HEAD                       | saml2/login                                   | saml_login    | Aacotroneo\Saml2\Http\Controllers\Saml2Controller@login       | web                          |
|        | GET|HEAD                       | saml2/logout                                  | saml_logout   | Aacotroneo\Saml2\Http\Controllers\Saml2Controller@logout      | web                          |
|        | GET|HEAD                       | saml2/metadata                                | saml_metadata | Aacotroneo\Saml2\Http\Controllers\Saml2Controller@metadata    | web                          |
|        | GET|HEAD                       | saml2/sls                                     | saml_sls      | Aacotroneo\Saml2\Http\Controllers\Saml2Controller@sls         | web                          |

If I disable the web middleware, I can dd the user details fine, it's picking up both the SAML attributes and the laravel_user I want to 'login'. But as soon as I enable the web middleware, it gets into a redirect loop between the /acs and the IDP going back and forth... not sure how to troubleshoot from here without pulling the whole lot apart.

from laravel-saml2.

Check the session store you use is working?
Can you send me your routes (i.e. web.php or wherever they are), the saml2_settings.php and Kernel.php ?

from laravel-saml2.

Hey I'm new to Laravel. Can Someone help me with LoginListener Event?? I'm confuse where to create it and how to call it. Thanks.

from laravel-saml2.

@gavinbenda, can you gave more details about your resolution ? I'm currently stuck in the redirect process...

My session id is not the same inside saml2/acs route than on my application home page after a successful authentication...

I've also applies that Middlewares on SAML2 routes :

\Taskl\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,

What's the missing point... ?

from laravel-saml2.

@shulard I stuck my SAML2 routes inside the 'web' middleware.

Route::group(['middleware' => ['web']], function () {
....
});

from laravel-saml2.

Hello @gavinbenda,

Thanks for your message... My problem didn't come from the middlewares, now it works 😄.

from laravel-saml2.

I had this problem too. Solved it with the 'web' middleware in the saml2_settings.php configuration file. Perhaps it would be an idea to mention the 'web' middelware option for laravel 5.4 in the documentation ... I take it that this could be a very common pitfall for everybody using the library with Laravel 5.4+.

from laravel-saml2.

I was having the same issue, adding the web middle resolved the issue for me. However, I needed to comment out the VerifyCsrfToken middleware from App\Http\Kernal.php otherwise I got a "Sorry this page has expired" error, I am using Laravel 5.5. Anyone know how I can work around that? I obviously don't want to disable CSRF protection for all routes but I am not that advanced in Laravel to know how to solve this one :)

from laravel-saml2.

@shulard Thanks for the reply! I think I get what you are saying, I've added the below to my Kernel.php file

protected $middlewareGroups = [
    'web' => [ ... ],

    'saml' => [
        \Illuminate\Session\Middleware\StartSession::class,
    ],
];

And in my SAML2 settings file, under routesMiddleware I've set to $routedMiddleware => [ 'saml' ],

Is that accurate?

And just now in the config file in the repo here noticed it says Session middleware... Perhaps that detail could get added to the setup instructions?

from laravel-saml2.

I finally made it work !
For some reason, adding a group middleware for SAML didn't work either: sessions still didn't persist.
So I'm using the web middleware that I set into the saml2_settings config file.
Then, I got a problem with the CSRF verification. So I edited the VerifyCsrfToken middleware:

protected $except = [
    'saml/*'
];

It's working now...
Thanks all

from laravel-saml2.

Any change someone got it working with JWT?
I log the user in on the event listener but then the user is redirect to / and the token is not present anymore.

from laravel-saml2.

yep, the login event will give you the $userDataand after that you are on your own to do whatever you need with it (create a JWT in this case). If you are redirecting to / you can use session to preserve it, or POST it. If you need to send it to a SPA you might need some other strategy as ajax and SAML redirects don't play well.

from laravel-saml2.

@aacotroneo Yes, I got to the point where I create the JWT but after that it redirects me to somewhere else.. and yes, I have to pass it to a SPA

from laravel-saml2.

I mean.. after that event, the library doesn't do anything else... it's all your code. If you call Auth::login() or have an auth-middleware configured to redirect, it will redirect (try commenting out all the code in the function and it will die there).
To make the token available to the SPA you'll need to render the SPA with the token, or create some popup and send it with a message to the caller, or send it as a url param (or post if you have a server) and/or other... but all that goes outside the library.

from laravel-saml2.

@aacotroneo I got the login with JTW working, thanks!

Any idea about the logout? on the Saml2LogoutEvent we don't have any information about which user is logged out, so on the listener I can't know the user id for example, therefore, I can't invalidate the token.

from laravel-saml2.

I still got a problem with authentication persistence. I've set up a middleware group in App\Http\Kernel like @Cyrille37 suggested.

'saml' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
        ],

And I've also configure the routesMiddleware in saml2_settings.php

/**
   * which middleware group to use for the saml routes
   * Laravel 5.2 will need a group which includes StartSession
   */
    'routesMiddleware' => ['saml'],

But still, after login the Auth::check() still return false. Do I miss something ?

=========================================================
EDIT :
OK, I've found the problem. It is because my default guard in config/auth.php is set to api. After I changed it to web the auth can persist.

from laravel-saml2.

@Emad-Hamza Same here. Did you find the solution by any chance?

from laravel-saml2.

I have the same problem on laravel 8. Tried all the variations of the saml middleware group in this thread and tried using the web middlegroup.

I am facing this issue too with Laravel 8

from laravel-saml2.

I have the same problem on laravel 8. Tried all the variations of the saml middleware group in this thread and tried using the web middlegroup.

I am facing this issue too with Laravel 8

In my case, I was not storing the logged in user info in the db (because I didn't have one for my project). Created a db, stored the user info and problem solved.

auth()->login() and auth()->check() needs the user to be stored in the database.

from laravel-saml2.

hi, i am in laravel 7.0 and not persisted session eventLogin

my code:
“app/Providers/EventServiceProvider.php”:

“Kernel.php”

“web.php”
Route::middleware(['checkSaml'])->group(function () {
………
});
i need help!!!

from laravel-saml2.

hello, I am having the same issue.

app\Http\Kernel.php

'saml' => [
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
]

Inside my EventServiceProvider

protected $listen = [
    Registered::class => [
        SendEmailVerificationNotification::class,
    ],
    SignedIn::class => [
        UserLoggedIn::class,
    ],
];

UserLoggedIn file

/**
     * Handle the event.
     *
     * @param  Slides\Saml2\Events\SignedIn  $event
     * @return void
     */
    public function handle(SignedIn $event)
    {
            $messageId = $event->auth->getLastMessageId();
            // your own code preventing reuse of a $messageId to stop replay attacks
            $samlUser = $event->auth->getSaml2User();
            $userData = [
                'id' => $samlUser->getUserId(),
                'attributes' => $samlUser->getAttributes(),
                'assertion' => $samlUser->getRawSamlAssertion()
            ];
    
            $searchUser = User::where('email', $userData['attributes']['email'])->first();
    
            if ($searchUser) {
                Auth::login($searchUser);
                Session::put('userData', "helloworld2");
            } else {
                $newUser = User::create([
                    'name' => $userData['attributes']['first_name'][0],
                    'email' => $userData['attributes']['email'][0],
                    'role' => 'admin',
                    'password' => bcrypt('password')
                ]);
    
                Auth::login($newUser);
                Session::put('userData', "helloworld");
            }
    
                Session::save();
        }

saml2.php
'routesMiddleware' => ['saml'],
Already tried the fixes stated above but to no avail

from laravel-saml2.

hello, I am having the same issue.

app\Http\Kernel.php

'saml' => [
    \App\Http\Middleware\EncryptCookies::class,
    \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
    \Illuminate\Session\Middleware\StartSession::class,
    \Illuminate\View\Middleware\ShareErrorsFromSession::class,
]

Inside my EventServiceProvider

protected $listen = [
    Registered::class => [
        SendEmailVerificationNotification::class,
    ],
    SignedIn::class => [
        UserLoggedIn::class,
    ],
];

UserLoggedIn file

/**
     * Handle the event.
     *
     * @param  Slides\Saml2\Events\SignedIn  $event
     * @return void
     */
    public function handle(SignedIn $event)
    {
            $messageId = $event->auth->getLastMessageId();
            // your own code preventing reuse of a $messageId to stop replay attacks
            $samlUser = $event->auth->getSaml2User();
            $userData = [
                'id' => $samlUser->getUserId(),
                'attributes' => $samlUser->getAttributes(),
                'assertion' => $samlUser->getRawSamlAssertion()
            ];
    
            $searchUser = User::where('email', $userData['attributes']['email'])->first();
    
            if ($searchUser) {
                Auth::login($searchUser);
                Session::put('userData', "helloworld2");
            } else {
                $newUser = User::create([
                    'name' => $userData['attributes']['first_name'][0],
                    'email' => $userData['attributes']['email'][0],
                    'role' => 'admin',
                    'password' => bcrypt('password')
                ]);
    
                Auth::login($newUser);
                Session::put('userData', "helloworld");
            }
    
                Session::save();
        }

saml2.php 'routesMiddleware' => ['saml'], Already tried the fixes stated above but to no avail

try something like this:

EventServiceProvider:

    protected $listen = [
        Registered::class => [
            SendEmailVerificationNotification::class,
        ],
        \Aacotroneo\Saml2\Events\Saml2LoginEvent::class => [
            Saml2Login::class
        ]
    ];

Saml2Login:

class Saml2Login
{

    public function __construct()
    {
        //
    }


    public function handle(\Aacotroneo\Saml2\Events\Saml2LoginEvent $event)
    {
        $user     = $event->getSaml2User();
        $userData = [
            'id'         => $user->getUserId(),
            'attributes' => $user->getAttributes(),
            'assertion'  => $user->getRawSamlAssertion(),
            'sessionIndex' => $user->getSessionIndex(),
            'nameId' => $user->getNameId()
        ];
        $laravelUser = User::firstOrCreate(
            [
                'email' => $userData["attributes"]["email"][0] ?? null,
            ],
            [
                'name' => $userData["attributes"]["first_name"][0] ?? null,
                'surname' => $userData["attributes"]["last_name"][0] ?? null,
                'sector_code' => $userData["attributes"]["sector"][0] ?? null,
            ]
        );
        // dd($user, $userData,$laravelUser);

        session(['sessionIndex' => $userData['sessionIndex']]);
        session(['nameId' => $userData['nameId']]);
        Auth::login($laravelUser);
    }
}

from laravel-saml2.

it's not working even if I saved in global session, I want the userData to be saved in session then later used it in controller. However, even if I logged using Event listener, I still get a null value when retrieving the Session in controller. All routes are in a group called 'saml' and in Kernel file, I've already added the StartSession class.

from laravel-saml2.