doutan2456 2019-02-19 11:44
浏览 229
已采纳

从SP发起的登录发送用户名到预填充IdP登录表单?

I've implemented the OneLogin PHP SAML library and everything works well, but have had someone ask if it's possible to be able to send the email address/username from the SP-initiated login to the IdP.

You see, at the moment the user's login flow would be coming to a login form on my site, entering their email address at which point the login form would see how their account is set to login and redirect accordingly (or show the password field if the user isn't authenticating by SAML or oAuth).

So that the request has come to send the email address the user has already entered on the SP form so it can pre-fill the form on the IdP side, meaning the user doesn't have to type the details twice.

I understand this can be done with the <saml:Subject> information within the AuthnRequest, but I cannot see any way of being able to modify that data with the OneLogin library.

I'm probably just missing something really obvious from the GitHub repo docs, so can anyone point me in the right direction? Is it possible to add subject info to the request?

The code used to initiate the login from SP to IdP is pretty simple:

$samlConfig = SamlEntities::getConfig($idpCode, $applicationCode);
$auth = new \OneLogin_Saml2_Auth($samlConfig);
$auth->login();

The SamlEntities::getConfig just combines the SP and IdP information from the database and config files where they're stored.

So I imagine if it can be done, this'll be the place to do it.

  • 写回答

1条回答 默认 最新

  • dongxinjun3944 2019-03-11 21:22
    关注

    The SAML request doesn't contain a Subject. Appreciate you've requested the user enter their user id to perform home realm discovery, but that won't carry across to Onelogin in the SAML request.

    However, this might work for you OneLogin - OIDC - Implicit Flow - login_hint

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?