Dynamically loading SAML settings.json based on custom property
I'm building a platform which needs to be able to support multiple SAML IdPs.
I'm using python3-saml.
Each IdP integration has its own login page URL with some custom properties in the querystring to identify certain properties of that user's visit. This approach is necessary in my instance to configure the user based on their first visit.
When the user clicks "Login" I send a request to my server at [MYSERVERADDRESS]/sso2 which calls auth.login(returnUrl) and returns the MS Azure login address. I then forward the user to that URL; they log in and get forwarded to [MYSERVERADDRESS]/acs where I get the attributes.
The issue is that each of the IdPs has a different settings.json file. I keep each of these settings.json files in a separate folder named with the id for the IdP implementation in my system (not the same as the entityId).
On visiting [MYSERVERADDRESS]/sso2 I can pick this id up by passing it in a json post or querystring params, but when the user is forwarded to [MYSERVERADDRESS]/acs I can't see any way to persist it and therefore I can't select the settings file based on that id.
TLDR: Is there any way to pass custom data (i.e. not the SAML response) to [MYSERVERADDRESS]/acs when the user is forwarded?
Worth noting that I don't have access to the IdP and so can't set up a custom property within the SAML response from there.
Thank you.
Solution 1:[1]
I was able to solve this using the RelayState. In the samples provided in the python3-saml documentation RelayState is a URL. However, ultimately it's just a string.
So in calling /sso2 I passed form data with a RelayState property in the same way as the SAML response passes a RelayState property when returning the user to /acs.
I was then able to pick up this RelayState property with relayStateFormData = request.form['RelayState'] at the start of the saml endpoint on my server.
Then instead of putting the returnUrl in the RelayState property I put a serialised json object containing the properties I want to maintain state for and deserialised it server side.
I can now pass any number of properties through all stages of the saml negotiation.
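A worked version of the answer's approach, added here and not the poster's own code: the login-time properties are serialised into RelayState as JSON with an HMAC, and /acs verifies that signature and allow-lists the IdP id before using it to pick a settings.json folder, since RelayState comes back through the user's browser and is untrusted input. KNOWN_IDP_IDS, SETTINGS_ROOT, the key and the TTL are assumptions; encode_relay_state feeds the value the page passes to auth.login(), and decode_relay_state takes the request.form['RelayState'] value the answer reads at /acs.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed sample values: in production the key comes from a secrets store and the
# IdP ids are the folder names under which each IdP's settings.json is kept.
RELAY_STATE_KEY = b"constructed-demo-key-replace-with-32-random-bytes"
KNOWN_IDP_IDS = {"tenant-a", "tenant-b"}
SETTINGS_ROOT = "/etc/myapp/saml"   # hypothetical: <SETTINGS_ROOT>/<idp id>/settings.json
RELAY_STATE_TTL = 600               # seconds a login round trip may take
RELAY_STATE_MAX_LEN = 2048          # reject anything larger before parsing it


def encode_relay_state(idp_id, extra, now=None):
    """Build the signed RelayState handed to auth.login() at /sso2."""
    if idp_id not in KNOWN_IDP_IDS:
        raise ValueError("unknown IdP id")
    iat = int(now if now is not None else time.time())
    # Compact, key-sorted JSON so the signed bytes are reproducible.
    payload = json.dumps({**extra, "idp": idp_id, "iat": iat},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(RELAY_STATE_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def decode_relay_state(relay_state, now=None):
    """Verify and deserialise request.form['RelayState'] at /acs; untrusted input."""
    if not isinstance(relay_state, str) or len(relay_state) > RELAY_STATE_MAX_LEN:
        raise ValueError("RelayState missing or too long")
    try:
        payload_b64, sig_b64 = relay_state.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("RelayState is malformed")
    expected = hmac.new(RELAY_STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("RelayState signature mismatch")
    state = json.loads(payload)
    if state.get("idp") not in KNOWN_IDP_IDS:
        raise ValueError("unknown IdP id in RelayState")
    age = (now if now is not None else time.time()) - state.get("iat", 0)
    if not 0 <= age <= RELAY_STATE_TTL:
        raise ValueError("RelayState expired")
    return state


def settings_path(state):
    """Folder whose settings.json python3-saml should load for this login."""
    return os.path.join(SETTINGS_ROOT, state["idp"])  # idp already allow-listed
```

The SAML 2.0 Bindings specification caps RelayState at 80 bytes and recommends exactly this kind of integrity protection; many IdPs accept longer values, but if the serialised properties grow, keep them server-side and send only an opaque signed token in RelayState.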
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Doug |
