can context-check-intercept access the ACS URL ? how?

Losen, Stephen C. (scl) scl at virginia.edu
Wed Mar 28 07:58:44 EDT 2018


Hi folks,

Sorry to answer my own question, but I just got into the slack admin dashboard for setting up SSO and they let you customize the entityID, so that is the solution.  Sorry for the noise...

Still curious, is the ACS URL from the AuthnRequest available in the ProfileContext (or whatever it's called)?  Could come in handy someday.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Losen, Stephen C. (scl)
Sent: Wednesday, March 28, 2018 7:41 AM
To: Shib Users <users at shibboleth.net>
Subject: can context-check-intercept access the ACS URL ? how?

Hi folks,

I am setting up SAML SSO for slack.  All slack instances have the same entityID: "https://slack.com".  However we have multiple instances whose URLs are (for example)  https://uvaXXX.slack.com and https://uvaYYY.slack.com.

If you login to slack with SAML SSO and your account does not exist, then slack invites you to self-create it. Slack support says this feature cannot be turned off.

We have learned that if the IDP returns ANY response to slack, even if it is empty, then slack assumes a successful SSO login.  The user is invited to self-create a slack instance account. So the IDP cannot simply withhold attributes in the attribute-filter, because the IDP still sends a response. If the response has no attributes, then the slack account creation form simply has no fields pre-filled.

We are using group membership (LDAP attr "isMemberOf") to control access. I wrote a context check intercept so that the IDP aborts the login if the user is accessing entityID https://slack.com and is not a member of the authorized group.  This works fine for one instance, but we are planning on multiple instances, each with its own authorized group in LDAP.  At this point I have a poor solution.  If you are a member of ANY authorized group, then you can login to ANY slack instance (and self-create your account if it doesn't exist yet).

Can anyone think of how I can improve my context check intercept?  I can't distinguish slack instances based on entityID, but the ACS URLs are all different.  Is the ACS URL somehow available to the intercept?  Any other ideas?

Yes, slack should fix their SP, but they don't seem to give a rip.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
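As an added example (not Stephen's intercept and not Shibboleth project code) of the approach asked about above: a context-check condition that reads the AssertionConsumerServiceURL from the inbound AuthnRequest through the ProfileRequestContext and requires a different "isMemberOf" group per Slack instance. The ACS-host-to-group map, the group DNs, and the assumption that the intercept runs after attribute resolution are constructed for this example.

```java
import java.net.URI;
import java.util.Map;
import java.util.function.Predicate;

import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.IdPAttributeValue;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.AuthnRequest;

/** Context-check condition: allow login only if the user is in the group for the requested ACS host. */
public class SlackAcsGroupCondition implements Predicate<ProfileRequestContext> {

    // Constructed mapping (assumption): ACS host -> required isMemberOf value.
    private static final Map<String, String> REQUIRED_GROUP_BY_ACS_HOST = Map.of(
        "uvaxxx.slack.com", "cn=slack-xxx-users,ou=Groups,dc=example,dc=edu",
        "uvayyy.slack.com", "cn=slack-yyy-users,ou=Groups,dc=example,dc=edu");

    @Override
    public boolean test(ProfileRequestContext prc) {
        // The inbound message is the parsed SAML 2 AuthnRequest; anything else is denied.
        Object msg = prc.getInboundMessageContext() == null ? null : prc.getInboundMessageContext().getMessage();
        if (!(msg instanceof AuthnRequest)) {
            return false;
        }
        String acs = ((AuthnRequest) msg).getAssertionConsumerServiceURL();
        String host = acs == null ? null : URI.create(acs).getHost();
        String required = host == null ? null : REQUIRED_GROUP_BY_ACS_HOST.get(host.toLowerCase());
        if (required == null) {
            return false; // no ACS in the request or an unknown instance: deny rather than fall through
        }
        // Resolved attributes sit in AttributeContext under RelyingPartyContext
        // (assumes the intercept is ordered after attribute resolution).
        RelyingPartyContext rpc = prc.getSubcontext(RelyingPartyContext.class);
        AttributeContext ac = rpc == null ? null : rpc.getSubcontext(AttributeContext.class);
        IdPAttribute groups = ac == null ? null : ac.getIdPAttributes().get("isMemberOf");
        if (groups == null) {
            return false;
        }
        for (IdPAttributeValue v : groups.getValues()) {
            if (v instanceof StringAttributeValue && required.equals(((StringAttributeValue) v).getValue())) {
                return true;
            }
        }
        return false;
    }
}
```

The IdP only reaches the intercept after it has checked the requested ACS URL against the SP's metadata endpoints, so the host compared here is one the SP's metadata vouches for; a request that omits the ACS URL is denied outright so the metadata default cannot silently widen access.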
