SSO doesn't work when initiated from another SP

Bug #614804 reported by Lorenzo Gil Sanchez
This bug affects 1 person
Affects: pySAML2
Status: Invalid
Importance: Undecided
Assigned to: Lorenzo Gil Sanchez

Bug Description

This is a bug in djangosaml2 at the moment.

If you start the login process from Django and then go to a simpleSAMLphp based SP and start the login everything works as expected and the second login is automatic, e.g., no credentials are requested from the user.

But if you do it the other way around (start the login from simpleSAMLphp and then go to Django) the credentials are requested again and the session is not shared between both SPs. You have to log out twice in this case.

Changed in pysaml2:
status: New → Confirmed
assignee: nobody → Lorenzo Gil Sanchez (lgs)
Roland Hedberg (roland-hedberg) wrote : Re: [Bug 614804] [NEW] SSO doesn't work when initiated from another SP

On 8/7/10 20:18, Lorenzo Gil Sanchez wrote:
> Public bug reported:
>
> This is a bug in djangosaml2 at the moment.
>
> If you start the login process from Django and then go to a
> simpleSAMLphp based SP and start the login everything works as expected
> and the second login is automatic, e.g., no credentials are requested from
> the user.
>
> But if you do it the other way around (start the login from
> simpleSAMLphp and then go to Django) the credentials are requested again
> and the session is not shared between both SPs. You have to log out
> twice in this case.
>
I'm not sure I regard this as a bug in djangosaml2.

At the same time I don't really understand why it happens, due to lack
of information.
I guess that the credentials produced when you first log in to
simpleSAMLphp for some reason are regarded as unsuitable to send to Django.
It's a decision made by simpleSAMLphp and I have no insight into its
inner workings.

-- Roland

Lorenzo Gil Sanchez (lgs) wrote : Re: [Bug 614804] [NEW] SSO doesn't work when initiated from another SP

2010/8/8 Roland Hedberg <email address hidden>:
> On 8/7/10 20:18, Lorenzo Gil Sanchez wrote:
>> Public bug reported:
>>
>> This is a bug in djangosaml2 at the moment.
>>
>> If you start the login process from Django and then go to a
>> simpleSAMLphp based SP and start the login everything works as expected
>> and the second login is automatic, e.g., no credentials are requested from
>> the user.
>>
>> But if you do it the other way around (start the login from
>> simpleSAMLphp and then go to Django) the credentials are requested again
>> and the session is not shared between both SPs. You have to log out
>> twice in this case.
>>
> I'm not sure I regard this as a bug in djangosaml2.
>
> At the same time I don't really understand why it happens, due to lack
> of information.
> I guess that the credentials produced when you first log in to
> simpleSAMLphp for some reason are regarded as unsuitable to send to Django.
> It's a decision made by simpleSAMLphp and I have no insight into its
> inner workings.
>

Actually you are right. I investigated this further today and I
realized it was neither a pysaml2 nor a simpleSAMLphp bug, it was a bug in
my brain :-)

I was logging in to simpleSAMLphp using an authentication mechanism
different from the one used when simpleSAMLphp is acting as an IdP and
hence there were two sessions involved.

Sorry for the noise. This bug is invalid.

Changed in pysaml2:
status: Confirmed → Invalid