SAML SSO Option: forceAuthn #1417

Closed
MordyT opened this issue May 27, 2020 · 5 comments
Comments

@MordyT
Contributor

MordyT commented May 27, 2020

From: https://github.com/bergie/passport-saml

forceAuthn: if set to true, the initial SAML request from the service provider specifies that the IdP should force re-authentication of the user, even if they possess a valid session.

Is there a variable in mesh config that I can use to set this to false? Scanning through the code I see exactly 3 places this is mentioned: in saml.js, in readme.md, and in passport-saml\test\tests.js

@Ylianst Ylianst self-assigned this May 27, 2020
@Ylianst
Owner

Ylianst commented May 27, 2020

Currently there is no config.json setting for this, but I can add it. In this case, the default is probably false already. If you want, I can add a setting for this. You can go in the code now and test any option you like by adding things to "options" at this location.

@MordyT
Contributor Author

MordyT commented May 27, 2020

Gotcha. I'm still trying to debug why this 1 saml application requires re-auth and thought it might be that. I'll test and let you know.

@MordyT
Contributor Author

MordyT commented May 28, 2020

@Ylianst
So after much testing...

I need an option for this:
disableRequestedAuthnContext
(and not the one I originally requested)

With ADFS, you want this to be true in order for SSO to not require re-authentication.

See: https://github.com/bergie/passport-saml
disableRequestedAuthnContext: if truthy, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
And: node-saml/passport-saml#226

Here is what I did:
[screenshot]

Not everyone is using ADFS, so I recommend it be an option in the SAML portion of the config.

@Ylianst
Owner

Ylianst commented May 29, 2020

Nice! Thank you for that research, I would have never been able to find that. I added the new option in the sample-config-advanced.json. You have to remove the "_" and it should work. Will be in v0.5.47 when it's next published.

```
"saml": {
  "_callbackurl": "https://server/auth-saml-callback",
  "_disableRequestedAuthnContext": true, <---------
  "newAccounts": true,
  "_newAccountsUserGroups": [ "ugrp//xxxxxxxxxxxxxxxxx" ],
  "entityid": "meshcentral",
  "idpurl": "https://server/saml2",
  "cert": "saml.pem"
}
```
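As an added illustration, not MeshCentral's or passport-saml's own code: how a "saml" section like the one above can be turned into passport-saml strategy options, treating "_"-prefixed keys as disabled, and what forceAuthn and disableRequestedAuthnContext each change in the outgoing AuthnRequest. The XML builder is a simplified stand-in for the library's; the option names are passport-saml's, the mapping from config keys is assumed.

```javascript
// Added example (not MeshCentral or passport-saml source). Keys that start
// with "_" are treated as commented out, mirroring the "remove the underscore
// to enable it" convention of sample-config-advanced.json.
function samlOptionsFromConfig(saml) {
  const opts = {};
  for (const [key, value] of Object.entries(saml)) {
    if (key.startsWith('_')) continue;            // disabled entry, ignore it
    opts[key] = value;
  }
  // Assumed mapping from config.json keys to passport-saml option names.
  return {
    entryPoint: opts.idpurl,
    issuer: opts.entityid,
    callbackUrl: opts.callbackurl,
    cert: opts.cert,                              // IdP certificate (file name in config; loading not shown)
    forceAuthn: opts.forceAuthn === true,         // default false: IdP may reuse its session
    disableRequestedAuthnContext: opts.disableRequestedAuthnContext === true,
  };
}

// Simplified AuthnRequest builder, only to show which option drives which part.
// Without disableRequestedAuthnContext, passport-saml requests this context
// class with Comparison="exact", which AD FS tends to answer with a fresh login.
function buildAuthnRequest(o) {
  const force = o.forceAuthn ? ' ForceAuthn="true"' : '';
  let xml = `<samlp:AuthnRequest${force}><saml:Issuer>${o.issuer}</saml:Issuer>`;
  if (!o.disableRequestedAuthnContext) {
    xml += '<samlp:RequestedAuthnContext Comparison="exact">' +
      '<saml:AuthnContextClassRef>' +
      'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' +
      '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>';
  }
  return xml + '</samlp:AuthnRequest>';
}

// Constructed sample: the section from the comment above, with the "_" removed
// from disableRequestedAuthnContext as instructed, and the other "_" keys left disabled.
const sampleSaml = {
  _callbackurl: 'https://server/auth-saml-callback',
  disableRequestedAuthnContext: true,
  newAccounts: true,
  _newAccountsUserGroups: ['ugrp//xxxxxxxxxxxxxxxxx'],
  entityid: 'meshcentral',
  idpurl: 'https://server/saml2',
  cert: 'saml.pem',
};
```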

@MordyT
Contributor Author

MordyT commented May 31, 2020

Working perfectly!

@MordyT MordyT closed this as completed May 31, 2020