SAMLY - How often/when should the pre_session_create_pipeline be called?

samly

#1

I am attempting to create a JWT within the pre_session_create_pipeline but, even after having logged out of the IDP (ADFS) to try and start a new session, it appears as though the pipeline isn’t being hit.

Should this be hit every time we come back from the IDP?

I have config like:

identity_providers: [
    %{
      id: "12345-12345-12345",
      sp_id: "ffwefe-ewfew-fwf-ewfw-fewf-ew",
      base_url: "https://my-website.com/sso",
      metadata_file: "priv/idp/metadata.xml",
      pre_session_create_pipeline: MyApp.PreSessionCreatePipeline,
      use_redirect_for_req: true,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: false
    }
  ]

Then the pipeline tries to create a JWT from the claims and throw it back as part of the URL. It looks like:

defmodule MyApp.PreSessionCreatePipeline do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    IO.inspect "Hello, I'm in the plug..."

    # samly stores the validated SAML assertion in conn.private before
    # invoking this pipeline
    active_assertion = conn.private[:samly_assertion]

    # User's GUID from AD
    resource = %{id: Samly.get_attribute(active_assertion, "objectidentifier")}

    # Claims copied from the assertion attributes released by the IdP
    claims = %{
      displayname: Samly.get_attribute(active_assertion, "displayname"),
      email: Samly.get_attribute(active_assertion, "name"),
      role: Samly.get_attribute(active_assertion, "Role Name")
    }

    opts = [ttl: {30, :minutes}]

    # Mint a short-lived JWT via Guardian for the authenticated user
    {:ok, token, _claims} = MyApp.Guardian.encode_and_sign(resource, claims, opts)

    # Build the post-login redirect target carrying the token
    target_url =
      "https://#{conn.host}/#{token}"
      |> URI.decode_www_form()

    # Stash the target so the app can redirect after samly creates its session
    conn
      |> fetch_session()
      |> put_session("target_url", target_url)
  end
end

The text “Hello, I’m…” is never displayed…

Thanks in advance

Rich


#2

It is called when samly receives the authenticated assertion as part of the authn response from the IdP, after the end user has successfully authenticated. This pipeline is called before samly establishes a session.

How do you initiate the logout? Are you doing this from the SP or is this IdP initiated logout?
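As an added illustration of the timing described above (this is example code, not code from the thread or from the samly project): a pre_session_create_pipeline plug that reads the validated assertion from conn.private[:samly_assertion], requires a subject identifier and a permitted role, and halts the connection to deny the session otherwise. The attribute names, the allowed role list and the session keys are assumptions; that a halted conn stops samly from creating its session is taken from samly's documented pipeline contract and should be confirmed against the samly version in use.

```elixir
defmodule MyApp.PreSessionCreatePipeline do
  @moduledoc """
  Invoked once per successful authn response: after samly has validated the
  assertion and placed it in conn.private[:samly_assertion], and before samly
  creates its session. Halting the conn here is assumed to prevent session
  creation (check against the samly version you run).
  """
  import Plug.Conn

  # Attribute names are assumptions; match them to what your IdP releases.
  @id_attr "objectidentifier"
  @role_attr "Role Name"
  # Constructed example values for the roles allowed to get a session.
  @allowed_roles ["Admin", "User"]

  def init(opts), do: opts

  def call(conn, _opts) do
    assertion = conn.private[:samly_assertion]

    with {:ok, subject_id} <- required(assertion, @id_attr),
         {:ok, raw_roles} <- required(assertion, @role_attr),
         {:ok, roles} <- check_roles(raw_roles) do
      # Keep identity material in the server-side session, not in the URL.
      conn
      |> fetch_session()
      |> put_session("sso_subject_id", subject_id)
      |> put_session("sso_roles", roles)
    else
      {:error, reason} ->
        # Deny: respond and halt so samly does not establish a session.
        conn
        |> send_resp(403, "Access denied: #{reason}")
        |> halt()
    end
  end

  # Fetch a single attribute and reject a missing or empty value.
  defp required(nil, name), do: {:error, "no assertion present for #{name}"}

  defp required(assertion, name) do
    case Samly.get_attribute(assertion, name) do
      nil -> {:error, "missing attribute #{name}"}
      "" -> {:error, "empty attribute #{name}"}
      value -> {:ok, value}
    end
  end

  # Role attributes may be single- or multi-valued; normalise to a list and
  # require at least one permitted role.
  defp check_roles(raw) do
    roles = List.wrap(raw)

    if Enum.any?(roles, &(&1 in @allowed_roles)) do
      {:ok, roles}
    else
      {:error, "no permitted role in #{inspect(roles)}"}
    end
  end
end
```

Because the plug only sees a conn that already carries a validated assertion, this is the right place for the SP's own authorisation checks (required attributes, role membership) before any session exists. Keeping the subject id and roles in the session rather than building a token into the redirect path also avoids the token landing in access logs, proxy logs and browser history.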


#3

The logout is initiated by the SP by hitting /sso/auth/signout/idp-id.

Seems as though the logout is working - if I hit the login process again it prompts for credentials.

I’m guessing the samly session is cleared down as part of that logout process?


#4

Wow.

I have to apologise - coming back at this with a fresh head, I noticed that the file I had merrily been uploading to my server (with the IO.inspect in) was named pre_session_pipline.ex - which obviously didn’t overwrite pre_session_pipeline.ex.

It works as expected :man_facepalming::man_facepalming::man_facepalming: