tenet-ac-za/simplesamlphp-module-sqlattribs

Unhandled exception

satdsk opened this issue · 5 comments

In my SimpleSAMLphp, after configuring the IdP and updating the auth source, the following issue is happening:

Unhandled exception

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:45 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Invalid authentication source '50': First element must be a string which identifies the authentication source.
Backtrace:
6 lib/SimpleSAML/Auth/Source.php:491 (SimpleSAML_Auth_Source::validateSource)
5 lib/SimpleSAML/Auth/Source.php:296 (SimpleSAML_Auth_Source::parseAuthSource)
4 lib/SimpleSAML/Auth/Source.php:343 (SimpleSAML_Auth_Source::getById)
3 lib/SimpleSAML/Auth/Simple.php:56 (SimpleSAML\Auth\Simple::getAuthSource)
2 lib/SimpleSAML/Auth/Simple.php:160 (SimpleSAML\Auth\Simple::login)
1 modules/core/www/authenticate.php:36 (require)
0 www/module.php:135 (N/A)

This looks like you've configured an authproc filter in the wrong place. Authproc filters are configured as an array within the authsource, something like this:

$config = array(
    'authsourcename' => array(
        'saml:SP',
        // other authsource config
        'authproc' => array(
            50 => array(
                'class'  => 'sqlattribs:AttributeFromSQL',
                // other sqlattribs:AttributeFromSQL config
            ),
        ),
    ),
);

See https://simplesamlphp.org/docs/stable/simplesamlphp-authproc for more information on configuring authproc filters.
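The misplacement described in the reply above can be caught before SimpleSAMLphp throws. The following is an added example, not part of the original comment and not code from SimpleSAMLphp or this module: `lintAuthSources` is a hypothetical helper, and the two sample arrays are constructed, on the assumption that the filter was pasted at the top level of `$config` under the key 50.

```php
<?php
// Added example: hypothetical lint helper, not SimpleSAMLphp or module code.

/** Return findings for an authsources-style array (id => definition). */
function lintAuthSources(array $config): array
{
    $findings = [];
    foreach ($config as $id => $source) {
        if (!is_array($source)) {
            $findings[] = sprintf("'%s': definition is not an array", $id);
            continue;
        }
        // A filter pasted at the top level: integer key, has 'class', no element 0.
        if (is_int($id) && isset($source['class']) && !isset($source[0])) {
            $findings[] = sprintf(
                "'%s': %s looks like an authproc filter; nest it under an authsource's 'authproc'",
                $id, $source['class']
            );
            continue;
        }
        // The condition the exception reports: element 0 must be a string.
        if (!isset($source[0]) || !is_string($source[0])) {
            $findings[] = sprintf("'%s': first element must be a string", $id);
            continue;
        }
        $filters = $source['authproc'] ?? [];
        if (!is_array($filters)) {
            $findings[] = sprintf("'%s': 'authproc' must be an array", $id);
            continue;
        }
        foreach ($filters as $prio => $filter) {
            // A filter is an array with 'class', or a bare class-name string.
            if (!is_string($filter) && !(is_array($filter) && isset($filter['class']))) {
                $findings[] = sprintf("'%s': authproc[%s] has no 'class'", $id, $prio);
            }
        }
    }
    return $findings;
}

// Constructed sample input: the filter sits beside the authsource, keyed 50.
$broken = [
    'authsourcename' => ['saml:SP'],
    50 => ['class' => 'sqlattribs:AttributeFromSQL'],
];
// Constructed sample input: the same filter nested under 'authproc'.
$fixed = [
    'authsourcename' => ['saml:SP', 'authproc' => [50 => ['class' => 'sqlattribs:AttributeFromSQL']]],
];
print_r(lintAuthSources($broken));
print_r(lintAuthSources($fixed));
```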

Thanks for that. I need to connect to the MySQL DB after the LDAP authentication is done. Is there any way to do that?

What you're asking about will happen as a matter of course. The authproc filters' process function (and hence the call to PDO->connect) only run after authentication has succeeded and the initial attributes from your authentication source have been resolved.

However, if your question is whether there is a way to use information derived from the authentication source to configure the connection to the database, then the answer is no - that's not supported by this module. The database configuration happens within SimpleSAMLphp's configuration; it's not expected to be dynamically configured from attributes.

OK, fine. After the LDAP validation, using this module, I did the MySQL validation like MFA, but the session is created after the LDAP validation. Is there any way to log out from the IdP safely if the authentication fails, and redirect them to the login page again, like the incorrect username/password error, with some custom errors?

This module merely adds attributes, it is not involved in authorisation decisions. I imagine that what you want to do would require a module capable of doing authorisation based on attributes - such as a variation on authorize:Authorize.

This might be a question better asked on one of the SimpleSAMLphp mailing lists.