
[Question] Can I verify the user input email and SAML response email in ACS? #372

Open
oakmegaeddie opened this issue Apr 12, 2023 · 1 comment

Comments

@oakmegaeddie
Contributor

oakmegaeddie commented Apr 12, 2023

Hi, I am looking to implement SSO login using djangosaml2.

The login process is as follows:

  1. The user first inputs their email on our website, and then calls the SP server API.
  2. The SP server API then instructs the browser to redirect to the IdP.
  3. The user logs in on the IdP.
  4. The IdP POSTs ACS with email attributes in the SAML response.
  5. In the ACS, I have implemented a class called ModifiedSaml2Backend which inherits from Saml2Backend.
  6. Login is successful.

I need to verify whether the email that the user inputted (in step 1) is the same as the email in the SAML response (in step 4).
Is it possible to include the email in the SAML request (in step 2) and retrieve it in the ACS (in step 5)?

@peppelinux
Member

You can just have the email attribute in your SP metadata as isRequired=True; then your ACS will receive this.

Otherwise, the subject NameID could be set to email instead of transient or persistent, but I suggest the first solution to you because it is more flexible with different IdP configurations, since not all IdPs support email as the subject ID.
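The check the question asks for (step 1 email vs. step 4 assertion), as an added example that is not part of this thread or of djangosaml2: a pure-Python comparison over the attribute dict (`ava`, attribute name to list of values) that djangosaml2 hands to the backend. The attribute names, the step-1 email having been saved by the SP, and the fail-closed handling of missing or ambiguous values are assumptions.

```python
import unicodedata
from typing import Mapping, Optional, Sequence

# Attribute names an IdP may use for the e-mail address (assumption: align these
# with the attribute_mapping configured for your SP).
EMAIL_ATTRIBUTE_NAMES = (
    "mail",
    "email",
    "emailAddress",
    "urn:oid:0.9.2342.19200300.100.1.3",  # LDAP 'mail' OID, as sent by many IdPs
)


def normalize_email(value: str) -> str:
    """Canonicalise an address for comparison: NFKC, trim, lower-case."""
    return unicodedata.normalize("NFKC", value).strip().lower()


def email_from_assertion(ava: Mapping[str, Sequence[str]]) -> Optional[str]:
    """Return the single e-mail asserted by the IdP, or None if absent or ambiguous."""
    found = set()
    for name in EMAIL_ATTRIBUTE_NAMES:
        for value in ava.get(name, []):
            if value and value.strip():
                found.add(normalize_email(value))
    # Several distinct addresses (or none) cannot be matched safely: fail closed.
    if len(found) != 1:
        return None
    return found.pop()


def assertion_email_matches(ava: Mapping[str, Sequence[str]],
                            expected_email: Optional[str]) -> bool:
    """True only when the IdP-asserted e-mail equals the one the user typed in step 1.

    Assumption: the SP stored the step-1 address server-side (e.g. in the Django
    session) before redirecting to the IdP, and passes it here as expected_email.
    """
    if not expected_email:
        return False  # no step-1 address recorded: this login did not start at our form
    asserted = email_from_assertion(ava)
    if asserted is None:
        return False
    return asserted == normalize_email(expected_email)
```

Calling `assertion_email_matches(attributes, saved_email)` from the Saml2Backend subclass's `is_authorized()` hook and returning its result rejects the login when the two addresses differ; how `saved_email` is stored between steps 1 and 5 is the SP's choice.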
