Does this support IDP initiated log-in? #67

Open
tathougies opened this issue Oct 11, 2020 · 4 comments

@tathougies

Trying to use this with a custom app and Google GSuite. Things work when logging in via the /authreq endpoint, but not when I initiate from Google Admin. I get AccessDenied {_avReasons = [DeniedBadInResponseTos {deniedDetails = "not found"}]})

I believe this is because the SAML doesn't have an inResponseTo field:

_subjectConfirmations = [SubjectConfirmation {_scMethod = SubjectConfirmationMethodBearer, _scData = Just (SubjectConfirmationData {_scdNotBefore = Nothing, _scdNotOnOrAfter = "2020-10-10T23:04:52.166Z", _scdRecipient = URI {uriScheme = Scheme {schemeBS = "https"}, uriAuthority = Just (Authority {authorityUserInfo = Nothing, authorityHost = Host {hostBS = "scrubbed"}, authorityPort = Nothing}), uriPath = "/api/sso/0a27a1d1-8417-51dc-a135-6f24ca031402/authresp", uriQuery = Query {queryPairs = []}, uriFragment = Nothing}, _scdInResponseTo = Nothing, _scdAddress = Nothing})}]

@fisx
Collaborator

fisx commented Oct 12, 2020

It does not: https://docs.wire.com/how-to/single-sign-on/trouble-shooting.html#why-does-the-auth-response-not-contain-a-reference-to-an-auth-request-also-can-i-use-idp-initiated-login

This package is more specific to its one big user wire-server than originally intended. In fact, we are talking about moving it into the wire-server repo.

I will leave this issue open, because at the very least the error message should be more helpful.
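
How an SP that accepts only SP-initiated login handles `InResponseTo`, as an added example that is not code from this library or from anyone in this thread: the SP records the ID of each AuthnRequest it sends, so a response with no `InResponseTo` has nothing to match and is denied. All types and function names here (`Pending`, `Denied`, `issue`, `checkInResponseTo`) are hypothetical, the request ID is a constructed sample, and time is simplified to integer seconds.

```haskell
-- Added example: hypothetical types and names, not the library's API.
module Main where

import qualified Data.Map.Strict as Map

type RequestId = String
type Seconds   = Int   -- simplified clock: seconds since some epoch

-- Outstanding AuthnRequest IDs issued by this SP, with their expiry time.
type Pending = Map.Map RequestId Seconds

data Denied
  = MissingInResponseTo            -- unsolicited (IdP-initiated) response
  | UnknownInResponseTo RequestId  -- never issued here, or already consumed
  | ExpiredInResponseTo RequestId  -- issued here, but answered too late
  deriving (Eq, Show)

-- Record an ID at the moment the SP sends an AuthnRequest.
issue :: RequestId -> Seconds -> Seconds -> Pending -> Pending
issue rid now ttl = Map.insert rid (now + ttl)

-- Check a response's InResponseTo value against the pending requests.
-- A matched ID is removed, so the same response cannot be accepted twice.
checkInResponseTo
  :: Seconds -> Maybe RequestId -> Pending -> (Either Denied RequestId, Pending)
checkInResponseTo _ Nothing pending = (Left MissingInResponseTo, pending)
checkInResponseTo now (Just rid) pending =
  case Map.lookup rid pending of
    Nothing -> (Left (UnknownInResponseTo rid), pending)
    Just expiry
      | now > expiry -> (Left (ExpiredInResponseTo rid), Map.delete rid pending)
      | otherwise    -> (Right rid, Map.delete rid pending)

main :: IO ()
main = do
  let p0       = issue "_req-1" 1000 300 Map.empty            -- constructed sample ID
      (r1, p1) = checkInResponseTo 1010 Nothing p0            -- login started at the IdP
      (r2, p2) = checkInResponseTo 1020 (Just "_req-1") p1    -- answers our request
      (r3, _)  = checkInResponseTo 1030 (Just "_req-1") p2    -- same ID presented again
  mapM_ print [r1, r2, r3]
```

Distinguishing the missing case from the unknown case in the denial reason is what would let an error message say that the response was unsolicited instead of reporting a failed lookup.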

@fisx
Collaborator

fisx commented Oct 12, 2020

thanks @tathougies for reporting! are you thinking about using this seriously? if so you may want to plan in some time for library maintenance, but we're certainly interested in helping!

@tathougies
Author

I am planning on using it seriously, at least as a starting point. HSaml2 is a nice support lib, but I don't have time to build out the entirety of SP functionality. Why not just contribute the library to the community and let people contribute instead of rolling it up? IMO, availability of these kinds of libraries makes the whole Haskell ecosystem better.

@fisx
Collaborator

fisx commented Oct 12, 2020

> I am planning on using it seriously, at least as a starting point. HSaml2 is a nice support lib, but I don't have time to build out the entirety of SP functionality. Why not just contribute the library to the community and let people contribute instead of rolling it up? IMO, availability of these kinds of libraries makes the whole Haskell ecosystem better.

we'll consider this!

it's just that currently, the library has only one use case, and you can tell that from the code. in this situation, having a library just makes it harder to change code.

but if you're thinking of contributing, that changes things, and it will be a better deal for us to keep it here, and help turn it into something more mature. :-)
