SAMLY - How often/when should the pre_session_create_pipeline be called?

I am attempting to create a JWT within the pre_session_create_pipeline but, even after having logged out of the IDP (ADFS) to try and start a new session, it appears as though the pipeline isn’t being hit.

Should this be hit every time we come back from the IDP?

I have config like:

identity_providers: [
      id: "12345-12345-12345",
      sp_id: "ffwefe-ewfew-fwf-ewfw-fewf-ew",
      base_url: "",
      metadata_file: "priv/idp/metadata.xml",
      pre_session_create_pipeline: MyApp.PreSessionCreatePipeline,
      use_redirect_for_req: true,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: false

Then the pipeline tries to create a JWT from the claims and throw it back as part of the URL. It looks like:

defmodule MyApp.PreSessionCreatePipeline do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    IO.inspect "Hello, I'm in the plug..."

    active_assertion = conn.private[:samly_assertion]

    # User's GUID from AD
    resource = %{id: Samly.get_attribute(active_assertion, "objectidentifier")}

    claims = %{
      displayname: Samly.get_attribute(active_assertion, "displayname"),
      email: Samly.get_attribute(active_assertion, "name"),
      role: Samly.get_attribute(active_assertion, "Role Name")

    opts = [ttl: {30, :minutes}]

    {:ok, token, _claims} = MyApp.Guardian.encode_and_sign(resource, claims, opts)

    target_url =
      |> URI.decode_www_form()

      |> fetch_session()
      |> put_session("target_url", target_url)

The text “Hello, I’m…” is never displayed…

Thanks in advance


It is called when samly receives the authenticated assertion as part of the authn response from IdP after the end user successfully authenticated. This pipeline is called before samly establishes a session.

How do you initiate the logout? Are you doing this from the SP or is this IdP initiated logout?

The logout is initiated by the SP by hitting /sso/auth/signout/idp-id.

Seems as though the logout is working - if I hit the login process again it prompts for credentials.

I’m guessing the samly session is cleared down as part of that logout process?


I have to apologise - coming back at this with a fresh head, I noticed that the file I had merrily been uploading to my server (with the IO.inspect in) was named pre_session_pipline.ex - which obviously didn’t overwrite pre_session_pipeline.ex.

It works as expected :man_facepalming::man_facepalming::man_facepalming:

1 Like