I'm currently integrating the SAML 1.2.2 extension into iTop 3.2.2-1. Our IDP provider is a fairly old version of ForgeRock, but I don't think this is related.
saml is configured as the first choice in 'allowed_login_type', so the authentication is 'transparent' to the user (except if he/she follows the links in the connection bar :))
The integration was successful and seems to work as expected: if anyone tries to connect to an iTop URL and is not authenticated, the user is validated by the IdP and the connection to iTop is validated.
But after validation, we always land on the default iTop page, not on the initial link selected.
This is a little annoying, especially as some of my users memorize complex links, and then have to click twice on the link (first click => authentication, then main page; second click, as the user is already authenticated, goes to the desired destination).
This is also true if the PHP session timeout is reached. In that case, if you click on any link inside iTop, you are sent back to the main page. I did extend the PHP timeout to hide this side effect.
It seems that iTop doesn't send the return URL when querying the IdP (not totally sure, but this is what we saw in the network tab of our browser in debug mode).
Is that a known (or maybe unknown :)) limitation of this extension, or is my configuration not OK?
Thanks,
Pascal
OK, never mind.
The SAML2 extension does a good job, but, in my configuration, it couldn't work.
My iTop instance is in a Kubernetes environment, and the SSL offload is done at the ingress level (in other terms, the iTop container runs in HTTP). But the main iTop URL is still http://{my publication point}/pages/UI.php
Then the SAML hook checks if the requested URL is in the same scope as iTop, finds http://itop..... instead of https://itop...., and uses the configured https://itop..../pages/UI.php as a failsafe.
A quick & dirty fix in 'SAMLLoginExtension.php' and voilà!
Thanks,
Pascal
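The same-scope check and failsafe Pascal describes, written out as an added PHP example (this is neither the extension's code nor his patch): the scheme is corrected from X-Forwarded-Proto before the comparison so a TLS-offloading ingress no longer trips it, while the host and path check that makes the fallback a guard against off-site redirects is kept. Host names, proxy addresses and the header handling are assumptions.

```php
<?php
// Added example, not the iTop SAML extension's code: rebuild the requested URL
// behind a TLS-terminating ingress and keep it as the post-login destination
// only when it lies inside the configured iTop scope. Assumes the ingress
// strips client-supplied X-Forwarded-Proto and is listed in $trustedProxies.
function effectiveScheme(array $server, array $trustedProxies): string
{
    // The container sees plain http; believe X-Forwarded-Proto only from the proxy.
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $fwd = strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '');
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)
        && in_array($fwd, ['http', 'https'], true)) {
        $scheme = $fwd;
    }
    return $scheme;
}

function requestedUrl(array $server, string $scheme): string
{
    return $scheme . '://' . ($server['HTTP_HOST'] ?? '') . ($server['REQUEST_URI'] ?? '/');
}

function inAppScope(string $candidate, string $appUrl): bool
{
    // Same scheme, host and port as the configured URL and a path under its
    // directory; HTTP_HOST is client-controlled, so this is the redirect guard.
    $c = parse_url($candidate);
    $a = parse_url($appUrl);
    if ($c === false || $a === false || !isset($c['scheme'], $c['host'], $a['scheme'], $a['host'])) {
        return false;
    }
    $appDir = rtrim(dirname($a['path'] ?? '/'), '/') . '/';
    return strcasecmp($c['scheme'], $a['scheme']) === 0
        && strcasecmp($c['host'], $a['host']) === 0
        && ($c['port'] ?? null) === ($a['port'] ?? null)
        && strncmp($c['path'] ?? '/', $appDir, strlen($appDir)) === 0;
}

function returnUrl(array $server, string $appUrl, array $trustedProxies): string
{
    $candidate = requestedUrl($server, effectiveScheme($server, $trustedProxies));
    return inAppScope($candidate, $appUrl) ? $candidate : $appUrl; // failsafe: home page
}

// Constructed request: container sees http, the ingress reports https.
$server = ['HTTPS' => '', 'REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_HOST' => 'itop.example.test', 'REQUEST_URI' => '/pages/UI.php?operation=details&class=Server&id=42'];
echo returnUrl($server, 'https://itop.example.test/pages/UI.php', ['10.0.0.5']), "\n";
unset($server['HTTP_X_FORWARDED_PROTO']); // without the header the rebuilt URL is http://... and fails the check
echo returnUrl($server, 'https://itop.example.test/pages/UI.php', ['10.0.0.5']), "\n";
```

The second call reproduces the symptom from the thread: with no trusted proxy header the rebuilt URL stays http://, the scope check fails, and the user lands on the configured home page.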