
Option to automatically redirect to external IDP (SAML/OIDC)


In most of our UAAs, we have two different user origins:

  • A federated IDP (i.e. SAML or OIDC) that is used by 99% of the users
  • The internal UAA database for technical users (these are users that are used for automation purposes - i.e. CI/CD stuff; this is because it is hardly possible to automate the federated logins which rely on browser redirects)

We now face the problem that when the federated users log in (which is 99% of the cases), they see the UAA’s login form and need to click on the saml/oidc login link. This is not a nice user experience. We’d like to skip this step and redirect the users directly to the single configured external IDP since this is the path 99% of the time (also since the technical users almost never need to login using the browser and never use this login form).

We’re aware that if we disable the internal user management this automatic redirect happens. But this is not desired since we still want to use the internal database for the technical users.

We implemented an ugly workaround on the LB that sits in front of the UAA - it just redirects every attempt to /login to the respective SAML login link. This gets even worse since this SAML login link contains the entity id which can differ for each UAA (so we need to adapt the rule for each UAA).

So we would like to introduce an option to make this possible: either with something like defaultOnWebLogin: true that can be set on saml/oidc provider level or a global redirectToExternalIdp: true (that only redirects automatically if there is only one external idp configured). Or maybe extend the IDP discovery page so that it automatically redirects if there’s only one external IDP?

It might sound like an edge case; but it’s probably how a lot of enterprise customers have configured their UAAs.

Would you welcome a PR that adds this option?


Top GitHub Comments

tack-sap commented, Sep 20, 2018

Hi Mathias, from UAA side the fallback does work when performing a password grant. However it seems that the CLI does not get to the point where it tries to perform a password grant, but gets a redirect to the IDP, when trying to get the login info from uaa. Looks like we missed this bug in combination with the CLI. I analyzed and created a bug for this: https://www.pivotaltracker.com/story/show/160650401

Thanks for reporting the issue!
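The decision logic the thread is circling around, as an added example that is not UAA's own code: a global option (here assumed to be called redirectToExternalIdp) that sends browser logins straight to the single configured external IdP, while leaving JSON login-info requests alone so that CLI and password-grant clients still see the internal origin, which is the bug described in the comment above. The provider types, the Accept-header test and the SAML login link value are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Provider types treated as "external" (assumed names, modelled on UAA's saml/oidc origins).
EXTERNAL_TYPES = {"saml", "oidc1.0"}


@dataclass(frozen=True)
class IdentityProvider:
    origin: str
    kind: str        # "uaa" for the internal database, "saml" or "oidc1.0" for federated
    login_link: str  # per-provider login URL the login page would normally link to


@dataclass(frozen=True)
class Request:
    path: str
    accept: str      # Accept header: browsers ask for text/html, the CLI asks for JSON


def auto_redirect_target(providers: List[IdentityProvider], request: Request,
                         redirect_to_external_idp: bool) -> Optional[str]:
    """Return the URL to redirect to, or None to render the ordinary login form.

    Redirects only when the option is on, exactly one external IdP is configured
    and the request is a browser GET of /login. A JSON request for login info
    (what a CLI does before a password grant) must never be redirected, otherwise
    technical users in the internal database can no longer authenticate.
    """
    if not redirect_to_external_idp:
        return None
    externals = [p for p in providers if p.kind in EXTERNAL_TYPES]
    if len(externals) != 1:
        return None  # zero or several external IdPs: keep the discovery/login page
    if request.path != "/login":
        return None  # token endpoints and everything else are untouched
    if "application/json" in request.accept.lower():
        return None  # non-browser client fetching login info: leave the fallback intact
    return externals[0].login_link


# Constructed configuration: internal database plus one SAML provider whose login
# link carries the per-UAA entity id mentioned in the issue (value is illustrative).
PROVIDERS = [
    IdentityProvider("uaa", "uaa", "/login"),
    IdentityProvider("corp-saml", "saml",
                     "/saml/discovery?returnIDParam=idp&entityID=example-uaa&idp=corp-saml"),
]
```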

ebertmi commented, Apr 5, 2018

Any update on this?

