Good morning! I'd like to gather some opinions on the following implementation idea. I'm planning to create a facade for the SessionStore called StackableSessionStore. The purpose of this facade is to handle the storage of the TST (Ticket Storage Token) in a new session object that won't be transmitted via cookies. However, it should still be able to retrieve the TST when needed.
To kickstart the process, my plan is to introduce a new puppeteer scenario. I believe the best location for it would be in ci/tests/puppeteer/scenarios/saml2-idp-login-concurrent. Here's the outline of my plan: 1. Reproduce the scenario in the test. 2. Rebuild the SessionStore component, ensuring it stores a new session backed by the TicketRegistry. This involves copying the data from the previous session and preventing the cookie from being returned to the client. 3. Retrieve the TST as a parameter. 4. Test the new scenario thoroughly. I would greatly appreciate any opinions or feedback on this approach. Thank you in advance! Miguel El jueves, 15 de junio de 2023 a las 10:35:48 UTC+2, Miguel Martínez De Espronceda Cámara escribió: > Dear Ray, Jerôme, > > I have asked colleagues in other universities and they reproduce the same > problem. We are interested in collaborate and propose an improvement to the > web flow. I have checked the code and as I see it I will need to change a > few core classes. At a minimum, I think that the solution will be to store > the SAMLrequest in a separate TST, which will be handled in the > AbstractSamlIdPProfileHandlerController. It could construct the redirect > URL including the ticket in a parameter to the callback url > named sessionIdInRequestAttribute. > > An example of the redirect to login will be the following (URL encoded): > > https://example.org/cas/login?service=https%3A%2F%2Fexample.org%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3D{{SP_ENTITY_ID}}%26sessionIdInRequestAttribute%3D{{SESSIONID}} > > <https://example.org/cas/login?service=https%3A%2F%2Fexample.org%2Fcas%2Fidp%2Fprofile%2FSAML2%2FCallback%3FentityId%3D%7B%7BSP_ENTITY_ID%7D%7D%26sessionIdInRequestAttribute%3D%7B%7BSESSIONID%7D%7D> > > Once authenticated, the regular login flow will redirect the client to the > callback: > https://example.org/cas/idp/profile/SAML2/Callback?entityId= > <SP_ENTITY_ID>&sessionIdInRequestAttribute=<SESSIONID>&ticket=<SERVICE_TICKET> > > It seems that the code right now will process the request seamlessly from > this point. > > The the SSOSamlIdPProfileCallbackHandlerController will load the session > from this parameter, accorfing to the implementation of the > DistributedJEESessionStore. It is not possible for the standard > JEESessionStore, so this should only be applied in case of > cas.authn.saml-idp.core.session-storage-type=TICKET_REGISTRY. > > I do not know much about the implicatins in the other SAML profiles but > seems coherent. > > To do that, an approach is to modify the DistributedJEESessionStore and > the AbstractSamlIdPProfileHandlerController. Minimum of changes will be: > - implement the renewSession method of the sessionStore or define a new > method. Really I do not now if it should be a different method as the renew > meaing lets undefined if the previous session is destroyed. I think of it > as duplicateSession. > - call this method at the begining of request processing ( > autoConfigureCookiePath). > - optionally, do not send the session cookie to the client. > - destroy the TST once used (probably this is already done, I have to > check) > > What do you think? Is this the correct path to go? > > Best regards, > Miguel > > PD: I wrote in the other thread but it wasn't published. > > El lunes, 12 de junio de 2023 a las 11:03:52 UTC+2, Miguel Martínez De > Espronceda Cámara escribió: > >> Thank you, Ray. Best regards >> >> El viernes, 9 de junio de 2023 a las 18:39:53 UTC+2, Ray Bon escribió: >> >>> Miguel, >>> >>> This sounds like what Jérôme talked about in this thread >>> https://groups.google.com/a/apereo.org/g/cas-user/c/fNZ82V32sio/m/RKhi5VQCAQAJ?utm_medium=email&utm_source=footer >>> >>> Ray >>> >>> On Fri, 2023-06-09 at 05:03 -0700, Miguel Martínez De Espronceda Cámara >>> wrote: >>> >>> Notice: This message was sent from outside the University of Victoria >>> email system. Please be cautious with links and sensitive information. >>> >>> >>> Dear all, >>> >>> I am reaching out regarding the use of CAS 6.6.8 for serving SAML2 >>> requests. Currently, we are in the process of migrating our Google >>> integration from the deprecated Google-native integration to standard SAML2 >>> endpoints. To provide some context, the deprecated module was designed to >>> directly reply within the /cas/login endpoint without performing a >>> redirect. This approach deviates from the regular protocol integration, >>> which follows the bridge pattern as described in the following >>> documentation: >>> https://apereo.github.io/cas/6.6.x/protocol/Protocol-Overview.html#the-bridge >>> . >>> >>> During our migration, we have encountered what appears to be a general >>> bug in the SAML2 endpoints. We have observed that this endpoint saves the >>> SAMLauthn (SAML authentication) in the user session prior to redirection to >>> the login. Upon user login, the user is redirected to the SAML Callback >>> endpoint, which retrieves the SAMLauthn request from the session and >>> generates the SAMLresponse/assertion. >>> >>> While this process works smoothly when the user completes the flow >>> sequentially, we have encountered an issue when the user opens another >>> SSO-integrated application in a separate browser tab before logging in. In >>> this scenario, the controller overrides the SAMLauthn from the first tab >>> with the SAMLauthn from the second tab. Consequently, when the user logs in >>> on one of the tabs, it works correctly in the second tab but results in an >>> error in the first tab. >>> >>> I wanted to inquire if anyone else has experienced this issue and, if >>> so, how you resolved or worked around it. Any insights or suggestions would >>> be greatly appreciated. >>> >>> Thank you for your attention. >>> >>> Best regards, >>> Miguel >>> >>> *Este mensaje puede contener información confidencial. Si usted no es el >>> destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas >>> y comuníquelo a la mayor brevedad al remitente. Los datos personales >>> incluidos en los correos electrónicos que intercambie con el personal de la >>> Universidad de Navarra podrán ser almacenados en la libreta de direcciones >>> de su interlocutor y/o en los servidores de la Universidad durante el >>> tiempo fijado en su política interna de conservación de información. La >>> Universidad de Navarra gestiona dichos datos con fines meramente >>> operativos, para permitir el contacto por email entre sus >>> trabajadores/colaboradores y terceros. Puede consultar la Política de >>> Privacidad de la Universidad de Navarra en la dirección: * >>> *https://www.unav.edu/aviso-legal* <https://www.unav.edu/aviso-legal> >>> >>> >>> >>> *This email message may contain confidential information. If you are not >>> the intended recipient of this message or their agent, or if this message >>> has been addressed to you in error, please immediately alert the sender by >>> reply email and then delete this message and any attachments. The personal >>> information included in email messages exchanged with employees of the >>> University of Navarra may be stored in the database of your interlocutor >>> and/or the servers of the University for the time-period stipulated by its >>> internal information storage policy. The University stores such data for >>> purely administrative purposes, to facilitate e-mail contact between its >>> employees and third parties. The University of Navarra Privacy Policy may >>> be accessed at https://www.unav.edu/aviso-legal >>> <https://www.unav.edu/aviso-legal> * >>> >>> >>> >>> >>> *Antes de imprimir este mensaje o sus documentos anexos, asegúrese de >>> que es necesario. Proteger el medio ambiente está en nuestras manos. Before >>> printing this e-mail or attachments, be sure it is necessary. **It is >>> in our hands to protect the environment.* >>> >>> >> *Este mensaje puede contener información confidencial. Si usted no es el >> destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas >> y comuníquelo a la mayor brevedad al remitente. Los datos personales >> incluidos en los correos electrónicos que intercambie con el personal de la >> Universidad de Navarra podrán ser almacenados en la libreta de direcciones >> de su interlocutor y/o en los servidores de la Universidad durante el >> tiempo fijado en su política interna de conservación de información. La >> Universidad de Navarra gestiona dichos datos con fines meramente >> operativos, para permitir el contacto por email entre sus >> trabajadores/colaboradores y terceros. Puede consultar la Política de >> Privacidad de la Universidad de Navarra en la dirección: * >> *https://www.unav.edu/aviso-legal* <https://www.unav.edu/aviso-legal> >> >> >> >> *This email message may contain confidential information. If you are not >> the intended recipient of this message or their agent, or if this message >> has been addressed to you in error, please immediately alert the sender by >> reply email and then delete this message and any attachments. The personal >> information included in email messages exchanged with employees of the >> University of Navarra may be stored in the database of your interlocutor >> and/or the servers of the University for the time-period stipulated by its >> internal information storage policy. The University stores such data for >> purely administrative purposes, to facilitate e-mail contact between its >> employees and third parties. The University of Navarra Privacy Policy may >> be accessed at https://www.unav.edu/aviso-legal >> <https://www.unav.edu/aviso-legal> * >> >> >> >> >> *Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que >> es necesario. Proteger el medio ambiente está en nuestras manos.Before >> printing this e-mail or attachments, be sure it is necessary. **It is in >> our hands to protect the environment.* >> > > *Este mensaje puede contener información confidencial. Si usted no es el > destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas > y comuníquelo a la mayor brevedad al remitente. Los datos personales > incluidos en los correos electrónicos que intercambie con el personal de la > Universidad de Navarra podrán ser almacenados en la libreta de direcciones > de su interlocutor y/o en los servidores de la Universidad durante el > tiempo fijado en su política interna de conservación de información. La > Universidad de Navarra gestiona dichos datos con fines meramente > operativos, para permitir el contacto por email entre sus > trabajadores/colaboradores y terceros. Puede consultar la Política de > Privacidad de la Universidad de Navarra en la dirección: * > *https://www.unav.edu/aviso-legal* <https://www.unav.edu/aviso-legal> > > > > *This email message may contain confidential information. If you are not > the intended recipient of this message or their agent, or if this message > has been addressed to you in error, please immediately alert the sender by > reply email and then delete this message and any attachments. The personal > information included in email messages exchanged with employees of the > University of Navarra may be stored in the database of your interlocutor > and/or the servers of the University for the time-period stipulated by its > internal information storage policy. The University stores such data for > purely administrative purposes, to facilitate e-mail contact between its > employees and third parties. The University of Navarra Privacy Policy may > be accessed at https://www.unav.edu/aviso-legal > <https://www.unav.edu/aviso-legal> * > > > > > *Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que > es necesario. Proteger el medio ambiente está en nuestras manos.Before > printing this e-mail or attachments, be sure it is necessary. **It is in > our hands to protect the environment.* > -- *Este mensaje puede contener información confidencial. Si usted no es el destinatario o lo ha recibido por error, por favor, bórrelo de sus sistemas y comuníquelo a la mayor brevedad al remitente. Los datos personales incluidos en los correos electrónicos que intercambie con el personal de la Universidad de Navarra podrán ser almacenados en la libreta de direcciones de su interlocutor y/o en los servidores de la Universidad durante el tiempo fijado en su política interna de conservación de información. La Universidad de Navarra gestiona dichos datos con fines meramente operativos, para permitir el contacto por email entre sus trabajadores/colaboradores y terceros. Puede consultar la Política de Privacidad de la Universidad de Navarra en la dirección: **https://www.unav.edu/aviso-legal* <https://www.unav.edu/aviso-legal>**** ** ** *This email message may contain confidential information. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. The personal information included in email messages exchanged with employees of the University of Navarra may be stored in the database of your interlocutor and/or the servers of the University for the time-period stipulated by its internal information storage policy. The University stores such data for purely administrative purposes, to facilitate e-mail contact between its employees and third parties. The University of Navarra Privacy Policy may be accessed at https://www.unav.edu/aviso-legal <https://www.unav.edu/aviso-legal> ***** ** ** _Antes de imprimir este mensaje o sus documentos anexos, asegúrese de que es necesario. Proteger el medio ambiente está en nuestras manos. Before printing this e-mail or attachments, be sure it is necessary. _It is in our hands to protect the environment.__ -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5386f8d-2628-46b3-937e-931ca183d048n%40apereo.org.
