Bug #7614

To help registration and password reset views, IdP should pass a next URL containing the nonce to the login page

Added by Benjamin Dauvergne about 4 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Start date: 17 Jun 2015
Due date:
% Done: 100%
Patch proposed: No
Planning: No

Description

When the login page gets a nonce parameter and authentication succeeds, it passes this nonce to the next URL so that, for example, an IdP can find the state linked to the received authentication request or check that an authentication event linked to a received request really happened. (It's needed for SAML if the forceAuthn flag is set or with CAS if the renew parameter is used.)

If we want registration or password reset not to block authentication flows, they must authenticate the user when their work is finished (done) and redirect to the next URL view. Currently they do redirect but the nonce parameter is missing. To help them, IdPs should suffix the nonce parameter themselves. In the end we can even remove the nonce adding from the login view, so that IdPs can even name this parameter however they want.
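The difference between the current and the requested behaviour, as an added example that is not the project's own code. The function names, the `/login/` and continue paths, and the shape of the pending-request state are hypothetical; only the `next` and `nonce` parameters come from the description above.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

LOGIN_PATH = "/login/"   # hypothetical login view path
NONCE_PARAM = "nonce"    # with the fix, only the IdP needs to know this name


def add_query_param(url, name, value):
    """Append name=value to url's query string, dropping any earlier value."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def login_url_before(continue_url, nonce):
    """Current behaviour: nonce sits beside next; the login view must re-attach it."""
    return LOGIN_PATH + "?" + urlencode({"next": continue_url, NONCE_PARAM: nonce})


def login_url_after(continue_url, nonce):
    """Requested behaviour: the IdP puts the nonce inside the next URL itself."""
    next_url = add_query_param(continue_url, NONCE_PARAM, nonce)
    return LOGIN_PATH + "?" + urlencode({"next": next_url})


def registration_redirect(login_url):
    """Registration or password reset: when done, redirect to next and nothing else."""
    return dict(parse_qsl(urlsplit(login_url).query))["next"]


def resolve_pending_request(landing_url, pending):
    """IdP continue view: map the nonce in its own URL back to the stored request."""
    nonce = dict(parse_qsl(urlsplit(landing_url).query)).get(NONCE_PARAM)
    return pending.get(nonce)


def demo():
    nonce = secrets.token_urlsafe(16)
    pending = {nonce: {"protocol": "saml", "force_authn": True}}  # constructed state
    continue_url = "/idp/saml2/continue?service=sp1"              # constructed URL
    lost = resolve_pending_request(registration_redirect(login_url_before(continue_url, nonce)), pending)
    kept = resolve_pending_request(registration_redirect(login_url_after(continue_url, nonce)), pending)
    return lost, kept


if __name__ == "__main__":
    print(demo())
```

With the nonce beside `next`, a view that only follows `next` lands on the continue URL without it and the IdP cannot find the pending request; with the nonce inside `next`, any intermediate view preserves it without knowing the parameter exists.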

Associated revisions

Revision f69a74b1 (diff)
Added by Benjamin Dauvergne about 4 years ago

In SAML IdP makes need_login() directly set the nonce parameter in the return url (#7614)

When login page gets a nonce parameter and authentication succeeds, it
passes this nonce to the next URL so that for example an IdP can find
the state linked to the received authentication request or check that an
authentication event linked to a received request really happened. (It's
needed for SAML if the forceAuthn flag is set or with CAS if the renew
parameter is used.)

If we want registration or password not to block authentication flows
they must authenticate the user when their work is finished (done) and
redirect to the next URL view. Currently they do redirect but the nonce
parameter is missing. To help them IdP should suffix the nonce parameter
themselves. In the end we can even remove the nonce adding from the login
view, so that IdP can even name this parameter however they want.

Revision fdce37fd (diff)
Added by Benjamin Dauvergne about 4 years ago

Make CAS IdP pass the nonce directly in the continue URL (fixes #7514)

When login page gets a nonce parameter and authentication succeeds, it
passes this nonce to the next URL so that for example an IdP can find
the state linked to the received authentication request or check that an
authentication event linked to a received request really happened. (It's
needed for SAML if the forceAuthn flag is set or with CAS if the renew
parameter is used.)

If we want registration or password not to block authentication flows
they must authenticate the user when their work is finished (done) and
redirect to the next URL view. Currently they do redirect but the nonce
parameter is missing. To help them IdP should suffix the nonce parameter
themselves. In the end we can even remove the nonce adding from the login
view, so that IdP can even name this parameter however they want.

History

#1 Updated by Benjamin Dauvergne about 4 years ago

  • Description updated (diff)

#2 Updated by Benjamin Dauvergne about 4 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Solution deployed

#3 Updated by Benjamin Dauvergne about 4 years ago

  • Status changed from Solution deployed to Resolved (to be deployed)

#4 Updated by Benjamin Dauvergne over 3 years ago

  • Status changed from Resolved (to be deployed) to Solution deployed

#5 Updated by Benjamin Dauvergne over 1 year ago

  • Status changed from Solution deployed to Closed
