bugfix: Make sure we log the user out before reauthenticating.
When acting as a proxy, SimpleSAMLphp was re-authenticating the user in case the IdP that authenticated a user in a valid session was not included in the list of IdPs provided by an SP asking for authentication. Since we cannot use Single Sign On there, we should ask the user to log out before authenticating again, avoiding an inconsistent session with SPs associated with different IdPs. This resolves #84.
Showing
- modules/saml/dictionaries/proxy.definition.json 8 additions, 0 deletions
- modules/saml/dictionaries/proxy.translation.json 8 additions, 0 deletions
- modules/saml/lib/Auth/Source/SP.php 97 additions, 12 deletions
- modules/saml/templates/proxy/invalid_session.php 32 additions, 0 deletions
- modules/saml/www/proxy/invalid_session.php 69 additions, 0 deletions