saml2_settings::OPTION_DUAL_LOGIN_NO not always respected
danmarsden opened this issue · 0 comments
danmarsden commented
The should_login_redirect() function will sometimes initiate a redirect to SAML when multiple auth methods are in use, so it should allow the normal process to occur.
Possible patch that fixes it (I'll review this further and look at a PR.)
diff --git a/auth/saml2/classes/auth.php b/auth/saml2/classes/auth.php
index 61aaedd3eff..ccb46466448 100644
--- a/auth/saml2/classes/auth.php
+++ b/auth/saml2/classes/auth.php
@@ -471,6 +471,14 @@ class auth extends \auth_plugin_base {
$saml = 0;
}
• // If ?saml=on even when duallogin is on, go directly to IdP.
• if ($saml == 1) {
• $this->log(__FUNCTION__ . ' redirecting due to query param ?saml=on');
• return true;
• }
+
• return false;
+
// Never redirect on POST.
if (isset($_SERVER['REQUEST_METHOD']) && ($_SERVER['REQUEST_METHOD'] == 'POST')) {
$this->log(__FUNCTION__ . ' skipping due to method=post');
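Review bot: The `return false;` added directly after the relocated `?saml=on` block is unconditional as the hunk reads here, so the "Never redirect on POST" check and everything below it in should_login_redirect() become unreachable and the function can only return true for `$saml == 1`. If the intent is to stop the automatic redirect only for a particular duallogin setting, wrap the return in that condition. Also give it a `$this->log(__FUNCTION__ . ' ...')` line and a comment like the other return paths, so the skip reason shows up in the auth log.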
@@ -519,12 +527,6 @@ class auth extends \auth_plugin_base {
return false;
}
• // If ?saml=on even when duallogin is on, go directly to IdP.
• if ($saml == 1) {
• $this->log(__FUNCTION__ . ' redirecting due to query param ?saml=on');
• return true;
• }
-
// Check whether we've skipped saml already.
// This is here because loginpage_hook is called again during form
// submission (all of login.php is processed) and ?saml=off is not
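Review bot: Removing the `if ($saml == 1)` block from this position changes its precedence. Here it ran only after the POST check and the other early `return false;` paths above it, while in its new location at line 471 it is evaluated before "Never redirect on POST". A POST request carrying `?saml=on` would therefore now return true. Please confirm that is intended, or keep the POST check ahead of the moved block. A test covering `?saml=on` under each duallogin option would pin down the expected behaviour.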