Call 2 IDP in sequence (or call another web app after successful IDP login)


Call 2 IDP in sequence (or call another web app after successful IDP login)

Paolo Dibitonto
Hello all,
sorry, I'm really unskilled on this topic and I can't find a solution on my own.
We have configured Shibboleth SP (3.0.4) and IDP (3.4.6) enabling 2 login
flows, X509 and Password.
Soon we will configure the SP to use also an international IDP (SPID).
The problem is that we need to get the IDP-released attributes (in
particular the fiscal code, a unique identifier in Italy) and check it
against a database, to see if the user can access the protected resource.
We will read the fiscal code from the X509 certificate and from the SPID
response, so we need to check this code against the DB after the IDP
completes its process.
Is it possible to call, from the SP, another IDP/Web App to make this check,
before redirecting the user to the requested resource?
Thank you all in advance.




--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Call 2 IDP in sequence (or call another web app after successful IDP login)

Nate Klingenstein-5
Paolo,

Yes, it's possible to do all of that using the SP, but it will require some of the more esoteric configuration options.  One way would be to define the additional attribute and then use the SP's Attribute Resolver functionality:

https://wiki.shibboleth.net/confluence/display/SP3/AttributeResolver

If you could write static access control rules based on the attributes received, then you could just use Apache rules, but since you're checking against a database, a scriptlet in a language of your choice and the sessionHook and AttributeChecker should do the job:

https://wiki.shibboleth.net/confluence/display/SP3/ApplicationDefaults

https://wiki.shibboleth.net/confluence/display/SP3/Attribute+Checker+Handler

It's not particularly convoluted configuration, but there's a lot of it:

SAML response -> AuthnRequest for more at other IdP -> SAML response -> glue together -> send to scriptlet for evaluation
                                                                                                  |----> allow access
                                                                                                  |
                                                                                                  v
                                                                                             deny access

The way in which you pass the x.509 data to the scriptlet is probably the most challenging piece.  There are several options depending on your platform, configuration, and workflow.

Alternatively, you could as you suggested put all this behind a single IdP and present it all in one assertion and use more standard access control mechanisms.  The challenge with that is the presumption that you control the IdP.  In any case, you'll need cooperative DB admins.

Take care,

Nate.

--------

The Art of Access ®

Nate Klingenstein | Principal

https://www.signet.id/

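To make the "send to scriptlet for evaluation -> allow / deny" step above concrete, here is an added example of such a scriptlet, written as a small WSGI endpoint that the SP's sessionHook would redirect to. It is not code from Nate or from the Shibboleth project. Assumptions: the IdP attribute carrying the fiscal code is mapped in attribute-map.xml to a variable named fiscalNumber (name chosen here), the SP runs on the constructed host sp.example.org, the hook location is itself protected by the SP so the session's attributes arrive as request variables, the SP passes the URL to continue with in a query parameter named return (as I recall from the SP documentation; treat the name as an assumption), and an in-memory sqlite table stands in for the site's database.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Assumed name under which the SP exports the IdP's fiscal-code attribute
# (set in attribute-map.xml); the thread does not name the attribute.
FISCAL_ATTR = "fiscalNumber"
# Constructed hostname of the SP; the hook only follows return URLs back to it.
SP_HOST = "sp.example.org"

# Shape of an Italian fiscal code (codice fiscale); letters may replace the
# digits under the "omocodia" rules, so digit positions accept [0-9A-Z].
FISCAL_RE = re.compile(r"^[A-Z]{6}[0-9A-Z]{2}[A-Z][0-9A-Z]{2}[A-Z][0-9A-Z]{3}[A-Z]$")


def build_authz_db():
    """Constructed in-memory stand-in for the site's authorisation database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE authorised_users (fiscal_code TEXT PRIMARY KEY, enabled INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO authorised_users VALUES (?, ?)",
        [("RSSMRA80A01H501U", 1), ("BNCLCU75C41F205Z", 0)],  # constructed sample codes
    )
    conn.commit()
    return conn


def is_authorised(conn, fiscal_code):
    """True only if the code is well-formed and enabled in the database."""
    if not fiscal_code:
        return False  # attribute missing from the session: deny, never fall through
    code = fiscal_code.strip().upper()
    if not FISCAL_RE.match(code):
        return False  # reject malformed input before it reaches the query
    row = conn.execute(
        "SELECT enabled FROM authorised_users WHERE fiscal_code = ?", (code,)  # parameterised
    ).fetchone()
    return bool(row and row[0])


def safe_return_url(url):
    """Accept only an https URL on our own host, so the hook cannot act as an open redirector."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.netloc == SP_HOST


def session_hook(environ, conn):
    """Decide the hook outcome for one request. Returns (status, headers, body)."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    return_url = params.get("return", [""])[0]
    if not safe_return_url(return_url):
        return ("400 Bad Request", [("Content-Type", "text/plain")], b"invalid return URL\n")
    # With the hook location protected by the SP, session attributes are request
    # variables; the fiscal code arrives this way whether the IdP took it from
    # the X509 certificate or from the SPID response.
    fiscal_code = environ.get(FISCAL_ATTR)
    if not is_authorised(conn, fiscal_code):
        return ("403 Forbidden", [("Content-Type", "text/plain")], b"access denied\n")
    # Authorised: hand control back to the SP, which sends the user on to the resource.
    return ("302 Found", [("Location", return_url)], b"")


def make_wsgi_app(conn):
    """Wrap session_hook as a WSGI application for deployment under Apache/mod_wsgi."""
    def app(environ, start_response):
        status, headers, body = session_hook(environ, conn)
        start_response(status, headers)
        return [body]
    return app
```

The two checks that matter for a deployer are the ones a bare "look it up in the DB" script tends to omit: the fiscal code is validated and passed as a bound parameter, and the return URL is pinned to the SP's own host before the browser is sent there.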

RE: Call 2 IDP in sequence (or call another web app after successful IDP login)

Paolo Dibitonto
Hi Nate,
thank you, maybe all we need is just to configure the sessionHook (and
understand how to read the X509 certificate).
Thanks again!


