I'm trying to set up the following workflow:
User logs into app A.
App A bounces off a central simpleSAML instance to create a session.
User accesses app B.
App B bounces to the central simpleSAML instance to check for a session.
If a session exists, the user is returned to app B with their attributes and is authenticated on app B. This bit works.
If a session does not exist, the user should be returned to app B without a login attempt on the central instance. This bit does not work.
Is there a simpleSAML endpoint that could do this? I'm looking for a getSession or similar.
The desired setting is isPassive. Example:
// Load the SimpleSAMLphp autoloader; the path depends on where it is installed.
require_once('/var/simplesamlphp/lib/_autoload.php');

// 'source_name' is the name of the SP authentication source in config/authsources.php.
$auth_source = new \SimpleSAML_Auth_Simple('source_name');

// Ask the IdP to authenticate only if it already has a session (IsPassive="true"
// in the AuthnRequest). requireAuth() redirects and does not return if there is
// no local SP session yet.
$auth_source->requireAuth(array('isPassive' => true));
With the standard SimpleSAML IDP, this request will be authenticated as normal if the user is logged in on the IDP. If the user isn't, a SimpleSAML_Error_NoPassive error will be returned. It's up to the SP to deal with this.
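The answer leaves the SP side of the NoPassive case to the reader. The following is an added example (not code from the question, the answer, or the SimpleSAMLphp project) of one way app B can "deal with this": it sends the passive request with an ErrorURL pointing back at itself, and on the way back it distinguishes the expected NoPassive outcome (continue anonymously) from any other error (fail). It assumes a SimpleSAMLphp 1.x install under /var/simplesamlphp, an SP auth source named 'source_name' as in the answer, that this script is reachable at the hypothetical URL https://app-b.example.com/index.php, that the IdP releases a 'uid' attribute, and that app B keeps its own PHP session separate from SimpleSAMLphp's session store.

```php
<?php
// Added example: passive SSO check for "app B" with a fallback to anonymous access.
// Not part of the original question or answer.
require_once('/var/simplesamlphp/lib/_autoload.php');

// Assumed: absolute URL of this script. It is used as ReturnTo (success) and as
// ErrorURL (the IdP had no session and answered with a NoPassive status).
$self = 'https://app-b.example.com/index.php';

// Assumed: app B's own session, used only to remember that the passive check was done.
session_start();

$as = new SimpleSAML_Auth_Simple('source_name');

if (isset($_REQUEST[SimpleSAML_Auth_State::EXCEPTION_PARAM])) {
    // We were redirected here as the ErrorURL of a failed login. The SP's ACS
    // endpoint saved the exception in a state blob; load it back.
    $state = SimpleSAML_Auth_State::loadExceptionState();
    if ($state === null || !isset($state[SimpleSAML_Auth_State::EXCEPTION_DATA])) {
        throw new SimpleSAML_Error_Exception('Missing or expired exception state.');
    }
    $error = $state[SimpleSAML_Auth_State::EXCEPTION_DATA];

    if ($error instanceof SimpleSAML_Error_NoPassive) {
        // Expected outcome of a passive request: no session on the IdP.
        // Remember it so we do not bounce to the IdP on every page load,
        // then carry on as an anonymous user.
        $_SESSION['passive_checked_at'] = time();
    } else {
        // Anything else (bad signature, unknown IdP, etc.) is a real failure;
        // never downgrade it to "anonymous" silently.
        throw $error;
    }
} elseif (!$as->isAuthenticated() && empty($_SESSION['passive_checked_at'])) {
    // No local SP session and we have not asked the IdP yet: ask passively.
    // requireAuth() redirects the browser and does not return.
    $as->requireAuth(array(
        'isPassive' => true,
        'ReturnTo'  => $self,
        'ErrorURL'  => $self,
    ));
}

// From here on we know the answer: either a local SP session exists, or the
// IdP told us (via NoPassive) that it has none.
if ($as->isAuthenticated()) {
    $attributes = $as->getAttributes();
    // Assumed attribute name; adjust to what your IdP releases.
    $uid = isset($attributes['uid'][0]) ? $attributes['uid'][0] : '(no uid)';
    echo 'Logged in as ' . htmlspecialchars($uid, ENT_QUOTES, 'UTF-8');
} else {
    // Anonymous: offer an interactive login instead of forcing one.
    echo 'Not logged in. <a href="'
        . htmlspecialchars($as->getLoginURL($self), ENT_QUOTES, 'UTF-8')
        . '">Log in</a>';
}
```

Two practical notes. The passive_checked_at timestamp prevents a redirect loop (every anonymous request would otherwise round-trip to the IdP), but it also means a user who later logs in at app A is not picked up by app B until that marker is cleared; expire it after a short interval or clear it when the user clicks the login link. Second, treat only SimpleSAML_Error_NoPassive as the "no session" signal; any other exception arriving at the ErrorURL is an authentication failure and should be surfaced, not mapped to anonymous access.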