Tags: drupal-7, single-sign-on, simplesamlphp

Drupal 7 + SimpleSaml SSO After Login redirects to "Demo Example" page


We have set up SimpleSaml with Drupal 7 as an IdP to allow users to log in to a 3rd-party service using their Drupal credentials. Everything seems to be working up to the point where the user enters their credentials on the Drupal login page; however, once they log in, they are redirected to the SimpleSaml "Demo Example" page (module.php/core/authenticate.php).

All their details are correct and they are clearly authenticated, but the redirect back to the 3rd-party site never happens. We have checked that the 3rd party is sending the correct (encoded) data, including the AssertionConsumerServiceURL.

The question is how to make Drupal redirect back to the 3rd-party URL.

Libraries used:

simpleSAMLphp version 1.11.0
drupalauth for SimpleSAMLphp 1.7+ and Drupal 7.x
drupalauth4ssp (which comes with the drupalauth module)

Config:

SimpleSaml 2
store.type: sql
auth as: drupal-userpass
Apache is configured correctly
We are on CentOS
We have SSL offload implemented on our test environment, which seems to be working OK
(load balancer on 443 offloads to Apache on 80)

Content of authsources.php:

<?php

$config = array(

    // This is an authentication source which handles admin authentication.
    'admin' => array(
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ),

    'drupal-userpass' => array(
        'drupalauth:External',

        // The filesystem path of the Drupal directory.
        'drupalroot' => '/var/www/html/',

        // Whether to turn on debug
        'debug' => TRUE,

        // the URL of the Drupal logout page
        'drupal_logout_url' => 'https://[drupal_domain]/user/logout',

        // the URL of the Drupal login page
        'drupal_login_url' => 'https://[drupal_domain]/user',

        // Which attributes should be retrieved from the Drupal site.
        'attributes' => array(
            array('drupaluservar' => 'uid',                 'callit' => 'uid'),
            array('drupaluservar' => 'name',                'callit' => 'cn'),
            array('drupaluservar' => 'mail',                'callit' => 'mail'),
            array('drupaluservar' => 'field_user_firstname', 'callit' => 'givenName'),
            array('drupaluservar' => 'field_user_lastname',  'callit' => 'sn'),
            array('drupaluservar' => 'roles',               'callit' => 'roles'),
        ),
    ),

);

I am happy to post more info if required.


Solution

  • An old issue, but in case you haven't solved it: you should include the redirect URL in the RelayState SAML parameter.

    SAML request:

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_b6a80234ed663a4a818be0e80326ed4e0217b2fae4"
                    Version="2.0"
                    IssueInstant="2015-09-23T23:18:03Z"
                    Destination="http://www.domain.com/saml_login/idp?destination=other_siteURL">
      <!-- remaining Status/Assertion elements not shown in the original post -->
    </samlp:Response>

    Drupal request:

    www.domain.com/saml_login/idp?destination=other_siteURL (encode the destination)
    

    Also, you might need to remove some validations from the simplesamlphp Drupal module, i.e.:

    // See if a URL has been explicitly provided in ReturnTo. If so, use it (as long as it points to this site).
    if ((isset($_REQUEST['ReturnTo']) && $_REQUEST['ReturnTo']) &&
        (valid_url($_REQUEST['ReturnTo']) && stristr($_REQUEST['ReturnTo'], $base_url))) {
        // ... redirect to $_REQUEST['ReturnTo'] ...
    }
    

    Then Drupal will take you to: other_siteURL
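
A note from the editor on the ReturnTo check quoted in the answer: as posted, that condition only tests that the candidate URL is valid and that it contains $base_url as a substring (stristr), so a URL such as https://evil.example/?next=https://drupal.example.org would already pass it, and deleting the condition entirely turns the login endpoint into an open redirect that a phishing link can point at any site. The following PHP is an added example, not code from the question, the answer, or the drupalauth/drupalauth4ssp modules. It shows the safer alternative: keep the check, but compare the scheme and host of the ReturnTo/RelayState value against an explicit allowlist of registered origins (assumed placeholder domains below), and build the Drupal login URL with the destination URL-encoded as the answer recommends. The function and constant names are this example's own.

```php
<?php
// Added example (not part of the original post or the drupalauth4ssp module).
// Assumed: the origins below are placeholders for the Drupal site and the SP.
declare(strict_types=1);

/**
 * Registered return targets. In a real deployment these come from the SP
 * metadata (AssertionConsumerService URLs) or the IdP configuration, never
 * from the request itself.
 */
const ALLOWED_RETURN_ORIGINS = [
    'https://drupal.example.org',      // the Drupal site itself ($base_url)
    'https://thirdparty.example.com',  // the service provider that starts the login
];

/**
 * Strict check: the candidate must be an absolute http(s) URL whose scheme
 * and host exactly match an allowlisted origin. This replaces the substring
 * test stristr($url, $base_url), which also accepts foreign URLs that merely
 * contain the base URL somewhere in their query string or path.
 */
function isAllowedReturnTarget(string $candidate): bool
{
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                        // relative, malformed, or scheme-less ("//evil.example")
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                        // https://drupal.example.org@evil.example/
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;                        // javascript:, data:, etc.
    }
    $origin = $scheme . '://' . strtolower($parts['host']);
    if (isset($parts['port'])) {
        $origin .= ':' . $parts['port'];
    }
    return in_array($origin, ALLOWED_RETURN_ORIGINS, true);
}

/**
 * Build the Drupal login URL carrying the final destination, URL-encoded in
 * the query string as the answer suggests. Refuses non-allowlisted targets
 * up front so a bad link never reaches the login page.
 */
function buildLoginUrl(string $drupalLoginUrl, string $destination): string
{
    if (!isAllowedReturnTarget($destination)) {
        throw new InvalidArgumentException('refusing to redirect to ' . $destination);
    }
    return $drupalLoginUrl . '?' . http_build_query(['destination' => $destination]);
}

/**
 * After login: take the redirect target from ReturnTo or RelayState, falling
 * back to a fixed local page when the value is missing or not allowlisted.
 */
function resolveReturnTarget(array $request, string $fallback): string
{
    foreach (['ReturnTo', 'RelayState'] as $key) {
        if (isset($request[$key]) && is_string($request[$key])
            && $request[$key] !== '' && isAllowedReturnTarget($request[$key])) {
            return $request[$key];
        }
    }
    return $fallback;
}

// Constructed sample inputs for a stand-alone run.
$good = 'https://thirdparty.example.com/saml/acs?SAMLRequest=abc';
$bad  = 'https://evil.example/?next=https://drupal.example.org';

echo buildLoginUrl('https://drupal.example.org/user', $good), PHP_EOL;
var_dump(isAllowedReturnTarget($good));
var_dump(isAllowedReturnTarget($bad));   // passes stristr($bad, $base_url), fails here
echo resolveReturnTarget(['RelayState' => $bad], 'https://drupal.example.org/'), PHP_EOL;
```

The allowlist is deliberately a list of exact origins rather than a pattern: SAML RelayState is attacker-controllable on the wire, so the only thing that makes it safe to follow is a comparison against targets the IdP already trusts. If the third party's AssertionConsumerService URL varies by tenant, add each origin to the list rather than widening the comparison.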