Login box (embedded in external portals outside IdP)
Paweł Pogoda
paw.pogoda at gmail.com
Tue May 6 05:37:16 EDT 2014
Hi!
Standard flow (login page hosted on IdP side):
GET https://www.localhost.com/private_page_url (user tries to access a private web site page)
GET https://www.localhostsso.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=<samlReq>&RelayState=ss:mm:<hash>
(I believe this creates a session on the IdP side)
GET https://www.localhostsso.com/idp/AuthnEngine
GET https://www.localhostsso.com/idp/login_page.jsp?actionUrl=%2Fidp%2Fj_security_check (display login page)
when the user submits this login page (provides user/password):
POST https://www.localhostsso.com/idp/j_security_check
GET https://www.localhostsso.com/idp/profile/SAML2/Redirect/SSO
POST https://www.localhost.com/Shibboleth.sso/SAML2/POST (response to SP, contains SAMLResponse & RelayState)
GET https://www.localhost.com/private_page_url (access private page)
I cannot POST data (user/password) from the embedded login box in
www.localhost.com to https://www.localhostsso.com/idp/j_security_check,
because it would be in the middle of the flow - there will be no session on
the IdP side and I've got the error: "No login context available, unable to
return to authentication engine".
I also cannot prepare the SAMLRequest (GET
https://www.localhostsso.com/idp/profile/SAML2/Redirect/SSO?SAMLRequest=<samlReq>&RelayState=ss:mm:<hash>)
because I don't know how to incorporate the user/password in it to prevent
the default behaviour (displaying the login page on the IdP side); instead
the user should be automatically logged in.
Best Regards
Pawel
2014-05-06 9:19 GMT+02:00 Peter Schober <peter.schober at univie.ac.at>:
> * Paweł Pogoda <paw.pogoda at gmail.com> [2014-05-06 09:13]:
> > What I want to achieve is to embed two separate login boxes in protected
> > web sites - the login process (entering user/password) should be started
> > on the protected web sites and then the data should be submitted to the
> > IdP. Is it possible?
>
> Look at what your web browser does (so yes, it is possible).
>
> Some consider this phishing (as the subject is being misled about
> where they're sending their credentials to); most consider this bad
> practice.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
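As a concrete illustration of the first step of the flow above (the SP sending the browser to the IdP with an encoded AuthnRequest, which is exactly what the browser does and what the reply points at), here is an added Python example that is not part of this thread or of the Shibboleth code base: it builds the HTTP-Redirect binding URL (raw DEFLATE, base64, URL-encode) and decodes it back so the request can be inspected. No user/password ever goes into the SAMLRequest; the credentials are entered only at the IdP origin. The entity IDs, request ID, timestamp and RelayState value are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Constructed sample AuthnRequest (hypothetical entity IDs and request ID, not from the thread).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-id" Version="2.0" IssueInstant="2014-05-06T09:00:00Z" '
    'Destination="https://www.localhostsso.com/idp/profile/SAML2/Redirect/SSO" '
    'AssertionConsumerServiceURL="https://www.localhost.com/Shibboleth.sso/SAML2/POST">'
    '<saml:Issuer>https://www.localhost.com/shibboleth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

IDP_SSO_URL = "https://www.localhostsso.com/idp/profile/SAML2/Redirect/SSO"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def encode_redirect_url(authn_request_xml: str, relay_state: str) -> str:
    """Build the HTTP-Redirect binding URL: raw DEFLATE -> base64 -> URL-encode."""
    # wbits=-15 selects raw DEFLATE (no zlib header), as the Redirect binding requires.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    saml_request = base64.b64encode(deflated).decode("ascii")
    query = urllib.parse.urlencode({"SAMLRequest": saml_request, "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_url(url: str) -> dict:
    """Inverse: extract SAMLRequest from a redirect URL and return the fields worth checking."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(raw, -15).decode("utf-8")  # -15 again: raw DEFLATE
    root = ET.fromstring(xml_text)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": params.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    redirect = encode_redirect_url(AUTHN_REQUEST, "ss:mm:constructed")
    print(redirect)
    print(decode_redirect_url(redirect))
```

The decoder is the part an operator uses when checking what an SP actually sends to the IdP: Destination and AssertionConsumerServiceURL should match the IdP's and SP's registered metadata.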