SSO not working when using VIP Auth Hub IDP-initiated flow with custom signin UI


Article ID: 379216


Updated On:

Products

VIP Authentication Hub

Issue/Introduction

- When testing SSO with an IDP-initiated flow (VIP AuthHub acting as the IDP), the sspsession cookie is not processed and the user is forced to log in again.
- The flowurl of the SAML app is configured to point to a custom signin UI rather than the default AuthHub signin UI.

- Flow of the transaction:

1) The user logs in to the main portal protected by AuthHub, is challenged by the custom signin UI and completes authentication. At this stage the sspsession cookie is generated and stored in the browser (the tenant setting ssoMode is set to "enabledCookie").
2) Once the portal is loaded, it shows a button for the new application; the user triggers the flow through the IDP-initiated URL on the AuthHub side:

https://<SSP-Ingress-Host>/<Tenant-Name>/saml/v1/idp/login?entityId=<samlEntityId of the SP application registered>

3) The expectation is that, since the user is already logged in to the portal, the existing sspsession is used when the IDP-initiated URL is triggered, and the assertion is generated and sent to the ACS URL without the user having to log on to AuthHub again.
 

Environment

SSP releases 3.x 

Resolution

- The following illustrates the processing by AuthHub when SSO is triggered by a SAML application:

* IDP-initiated URL, with the sspsession cookie present in the browser:

https://<SSP_HOST>/default/saml/v1/idp/login?entityId=<Entity_ID>

* IDP login - after basic validation of the request data, AuthHub redirects to the default signin UI, or to the custom flowurl configured in the application, even though a valid session cookie exists. This redirect is by design: the session is evaluated by the signin UI, not by the IDP login endpoint.

The default signin UI calls /auth/v1/authenticate. This is required to evaluate whether the current session (from the cookie) is sufficient or whether additional authentication is required.

(A different set of obligations could be configured for the SAML app beyond the AMR of the existing session.)
 
For instance, if the initial session was created with only the PWD AMR and the SAML app is also configured only for the PWD obligation, the /auth/v1/authenticate call returns the following response:
 
{
  "flowState": "<<fs>>",
  "userName": "nbruce",
  "nextaction": "AUTH_ALLOWED",
  "data": {
    "status": "OK",
    "message": "Reauthentication is not requried as no new factor found "
  },
  "authCompleteUrl": "https://<SSP_HOST>/default/oauth2/v1/authcomplete?x-flow-state=TTF5eTJwTHNLQ3RUblJWN1UxWUdDTDI1RGdDdzZicnlNdUxBUDBzREpXVDQwem9HMHZKMThvWUZSZVRySmhGWEt4TUlqWU00VGszbVZONVFxZC9EYVVmSTVyRGtSSFpITDkwbXB1Tkc0ZFhldE9vbGxhY043bTJjRG8zeVRvb3BLVHJVQUxuQXNFUDY1SEdHQy9sVFJVK0hwU0N5ZVhSdHgxRVdOTW8wbGlrMlUwSTFzVUlYem8reDR5MFcyWVJmaFdqcXdXajZXVHJUaUZzZUN5MkV5Zz09&X-CLIENT-TRANSACTION-ID=dfacf1c9-cef9-47fa-a1d5-4aebb980d306",
  "additional": {
    "userName": "nbruce",
    "idpName": "internal",
    "idpGuid": "internal",
    "idpType": "internal",
    "passwordResetURL": "",
    "authLevelsData": {},
    "currentFactorLevel": 1,
    "amrForCompletedFactors": [
      "PWD"
    ],
    "signinExpMins": 60
  }
}
 
* The out-of-the-box signin UI sees that nextaction is "AUTH_ALLOWED", reads the authCompleteUrl attribute of the response and redirects the browser to its value, i.e. /oauth2/v1/authcomplete.
* /oauth2/v1/authcomplete (with its query parameters) generates the SAML assertion and posts it to the Assertion Consumer Service URL configured in the SAML app.
 
- If a custom signin UI is to be used, the following must be satisfied:
     1. The SAML app must be created with the custom flowurl, which redirects to the custom login page.
     2. The custom signin UI must first perform the authenticate (begin flow) call without a subject in the body, as follows:
   {
     "action": "authenticate",
     "ipAddress": "1.1.1.2",
     "channel": "web",
     "acrValues": []
   }

When the sspsession cookie is submitted with this call and the session validates successfully, the response contains "nextaction": "AUTH_ALLOWED". A custom UI that skips this call and immediately prompts for credentials never gives AuthHub the chance to honour the existing session, which produces the symptom described above.

     3. The custom signin UI must be enhanced so that, when nextaction is "AUTH_ALLOWED", it reads the authCompleteUrl attribute of the response and redirects the browser to its value.
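The session-first logic a custom signin UI needs for steps 2 and 3, as an added example that is not part of this article and not VIP Authentication Hub's own signin code. It assumes, beyond what the article states, that the begin-flow call is an HTTP POST with a JSON body to <SSP_HOST>/<tenant>/auth/v1/authenticate and that the browser's fetch() is used with credentials included so the sspsession cookie accompanies the request; the host, tenant and sample response values below are placeholders.

```javascript
// Added example, not VIP Authentication Hub's own signin UI code.
// Assumptions not stated in the article: POST with a JSON body to
// <SSP_HOST>/<tenant>/auth/v1/authenticate, sent with credentials included
// so the sspsession cookie travels with it. Host and tenant are placeholders.

const AUTHHUB_ORIGIN = "https://ssp.example.com"; // stands in for <SSP_HOST>
const TENANT = "default";

// Step 2: the begin-flow body WITHOUT a subject, as shown in the article.
function buildSsoProbeBody(ipAddress) {
  return { action: "authenticate", ipAddress: ipAddress, channel: "web", acrValues: [] };
}

// Step 3: turn the /auth/v1/authenticate response into the UI's next step.
// Returns { step: "redirect", url } when the existing session is sufficient,
// { step: "show_login", flowState } when the user must authenticate, or
// { step: "error", reason } when the response cannot be acted on.
function decideNextStep(resp) {
  if (!resp || resp.nextaction !== "AUTH_ALLOWED") {
    return { step: "show_login", flowState: resp ? resp.flowState : undefined };
  }
  // The field is spelled authCompleteUrl in the response, as in the article's sample.
  const url = resp.authCompleteUrl;
  if (typeof url !== "string" || url.length === 0) {
    return { step: "error", reason: "AUTH_ALLOWED without authCompleteUrl" };
  }
  // Defensive check added in this example: a relative "/oauth2/v1/authcomplete"
  // is resolved against AuthHub, and an absolute URL must point back at AuthHub,
  // so a tampered response cannot turn the signin page into an open redirector.
  let target;
  try {
    target = new URL(url, AUTHHUB_ORIGIN);
  } catch (e) {
    return { step: "error", reason: "authCompleteUrl is not a valid URL" };
  }
  if (target.origin !== AUTHHUB_ORIGIN) {
    return { step: "error", reason: "authCompleteUrl does not point at AuthHub" };
  }
  return { step: "redirect", url: target.href };
}

// Runs the session-first probe. fetchImpl is injectable so the logic can be
// exercised offline; in the browser pass window.fetch.
async function startSignin(fetchImpl, ipAddress) {
  const res = await fetchImpl(`${AUTHHUB_ORIGIN}/${TENANT}/auth/v1/authenticate`, {
    method: "POST",
    credentials: "include", // send the sspsession cookie
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(buildSsoProbeBody(ipAddress)),
  });
  const json = await res.json();
  return decideNextStep(json);
}

// In the browser: apply the decision. Kept separate so the decision is testable.
function applyStep(decision) {
  if (decision.step === "redirect" && typeof window !== "undefined") {
    window.location.assign(decision.url);
  }
  return decision.step;
}

// Constructed sample response, shaped like the AUTH_ALLOWED example in the
// article, with placeholder flow-state and transaction-id values.
const SAMPLE_AUTH_ALLOWED = {
  flowState: "<<fs>>",
  userName: "nbruce",
  nextaction: "AUTH_ALLOWED",
  data: { status: "OK", message: "Reauthentication is not required as no new factor found" },
  authCompleteUrl: AUTHHUB_ORIGIN + "/default/oauth2/v1/authcomplete?x-flow-state=FS&X-CLIENT-TRANSACTION-ID=TX",
  additional: { amrForCompletedFactors: ["PWD"], currentFactorLevel: 1 },
};

// Constructed stand-in for fetch() that returns a fixed JSON body.
function fakeFetch(body) {
  return async () => ({ ok: true, json: async () => body });
}

startSignin(fakeFetch(SAMPLE_AUTH_ALLOWED), "1.1.1.2").then((d) => console.log(d));
```

In the browser the page would call startSignin(window.fetch, clientIp) on load and pass the result to applyStep; only when the step is "show_login" does it render the credential form and continue the flow with the returned flowState. The origin check on authCompleteUrl is not required by AuthHub and is added here as a precaution, since the value is used verbatim as a redirect target.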