2019-02-19 11:44
浏览 223


I've implemented the OneLogin PHP SAML library and everything works well, but have had someone ask if it's possible to be able to send the email address/username from the SP-initiated login to the IdP.

You see, at the moment the user's login flow would be coming to a login form on my site, entering their email address at which point the login form would see how their account is set to login and redirect accordingly (or show the password field if the user isn't authenticating by SAML or oAuth).

So that the request has come to send the email address the user has already entered on the SP form so it can pre-fill the form on the IdP side, meaning the user doesn't have to type the details twice.

I understand this can be done with the <saml:Subject> information within the AuthnRequest, but I cannot see any way of being able to modify that data with the OneLogin library.

I'm probably just missing something really obvious from the GitHub repo docs, so can anyone point me in the right direction? Is it possible to add subject info to the request?

The code used to initiate the login from SP to IdP is pretty simple:

$samlConfig = SamlEntities::getConfig($idpCode, $applicationCode);
$auth = new \OneLogin_Saml2_Auth($samlConfig);

The SamlEntities::getConfig just combines the SP and IdP information from the database and config files where they're stored.

So I imagine if it can be done, this'll be the place to do it.

  • 写回答
  • 好问题 提建议
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongxinjun3944 2019-03-11 21:22

    The SAML request doesn't contain a Subject. Appreciate you've requested the user enter their user id to perform home realm discovery, but that won't carry across to Onelogin in the SAML request.

    However, this might work for you OneLogin - OIDC - Implicit Flow - login_hint

    解决 无用
    打赏 举报

相关推荐 更多相似问题