netlify/gotrue

Saml external provider redirects to "/" instead of IDP

huahaiy opened this issue · 1 comment

- Do you want to request a feature or report a bug?
bug

- What is the current behavior?

I have set up self-hosted gotrue and git-gateway to control access to the netlify cms area of my site, largely by following https://github.com/hfte/netlify-cms-with-selfhosted-gotrue-and-git-gateway

Everything works for the email identity provider.

Then I tried to add SAML provider using our in-house IDP. I used netlify-identity-widget to correctly display the button to SAML external provider.

Clicking on the SAML provider button, everything works, up to the point where gotrue is supposed to direct the browser to the IDP site. Instead of redirecting to the IDP url that I set in GOTRUE_EXTERNAL_SAML_REDIRECT_URL, or to the <SingleSignOnService Location="..."> location in the fetched IDP metadata, it redirects to "/" instead. So the authentication on the IDP site cannot start.

A related thing that I find interesting about gotrue's Saml implementation is that the code actually checks for and only supports HTTP-Redirect binding, but not HTTP-POST binding to IDP like most service providers I have seen do. I find this decision unusual because POST has much less uncertainty to deal with in a potentially complex Web environment, where there's usually a bunch of proxying and redirecting going on.

In any case, I am not sure this Saml feature is supported as it is not documented. However, the code is there and mostly works.

- If the current behavior is a bug, please provide the steps to reproduce.

Set up self-hosted gotrue and git-gateway, and set the GOTRUE_EXTERNAL_SAML_* related variables in .env.

- What is the expected behavior?

After fetching SAML metadata of the IDP, gotrue is supposed to redirect the browser to the IDP so the user can authenticate there.

- Please mention your Go version, and operating system version.
go version go1.14.1 linux/amd64
gotrue version b970723

Turned out it was a signing PEM parsing error, but no error message was reported. The error was silently ignored.
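The failure mode described in this thread, a signing-material parse error swallowed so the handler falls through to a "/" redirect, is easier to avoid when loading and redirecting are written to surface errors. The Go below is an added illustration, not gotrue's own code: the function names, the `tls.X509KeyPair` approach and the self-signed test material are assumptions made for the example.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// LoadSigningMaterial parses the SP signing cert and key from PEM and returns every failure with context.
func LoadSigningMaterial(certPEM, keyPEM []byte) (*tls.Certificate, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, fmt.Errorf("saml signing material: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("saml signing cert: %w", err)
	}
	if now := time.Now(); now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return nil, fmt.Errorf("saml signing cert: not valid at %s (valid %s to %s)", now, leaf.NotBefore, leaf.NotAfter)
	}
	return &pair, nil
}

// RedirectTarget yields the IdP SSO URL only when the signing material loads; a load error is returned, never replaced by "/".
func RedirectTarget(ssoURL string, certPEM, keyPEM []byte) (string, error) {
	if _, err := LoadSigningMaterial(certPEM, keyPEM); err != nil {
		return "", err
	}
	return ssoURL, nil
}

// SelfSignedPEM builds throwaway SP material (constructed for this example, not real credentials) so it runs offline.
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}), nil
}
```

With this shape a bad GOTRUE_EXTERNAL_SAML_* key or cert shows up as a logged error at the SAML handler instead of a silent redirect to "/".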