
Authenticating for a different domain using SAML_ALLOWED_HOSTS fails #335

Open
shadowbrush opened this issue Jun 9, 2022 · 4 comments

@shadowbrush

We are trying to configure our SSO SP for subdomains other than the one that receives the AssertionConsumerService POST. For example:

```python
import saml2  # needed for the binding constant referenced below

SAML_ALLOWED_HOSTS = ['b.example.com']
SAML_CONFIG = {
    'service': {
        'sp': {
            'endpoints': {
                # the ACS endpoint lives on a.example.com, the target app on b.example.com
                'assertion_consumer_service': [
                    ('https://a.example.com/saml2/acs/', saml2.BINDING_HTTP_POST),
                ],
            },
        },
    },
}
```

We start the login with:

https://a.example.com/saml2/login/?next=https://b.example.com/dashboard&idp=idp-id

This performs the SSO correctly and forwards the user to https://b.example.com/dashboard as expected. But the user is not logged in there. They are logged in at https://a.example.com/dashboard.

It appears that the cookies are always saved to a.example.com.

Any ideas how to fix this? Thanks!

@peppelinux
Member

wow, I never had an idea like this in my life!

You can do something like this using a modified (inherited) samesite middleware

As you can see, for security reasons, the session cookie domain is fixed here:
https://github.com/IdentityPython/djangosaml2/blob/master/djangosaml2/middleware.py#L73

I suggest, if you want it this way, filtering over a list of allowed domains before setting the cookie with the request domain dynamically.

No, I want implement this in the mainline but I appreciate the "original" ideas like this one :)
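One way to express the allow-list check suggested above, as an added example that is not djangosaml2's code and does not touch its middleware: the `?next=` target from the login URL is only accepted as a cookie domain when it matches an entry of `SAML_ALLOWED_HOSTS` exactly (names and sample values below are constructed for the example).

```python
# Added example, not part of djangosaml2: resolve the cookie domain from an
# explicit allow-list instead of trusting whatever host appears in ?next=.
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample allow-list mirroring the setting discussed in the issue.
SAML_ALLOWED_HOSTS = ["a.example.com", "b.example.com"]


def normalise_host(host: str) -> str:
    """Lower-case and strip any port, so 'B.Example.com:443' becomes 'b.example.com'."""
    return urlsplit("//" + host.strip()).hostname or ""


def next_url_from_login(login_url: str) -> Optional[str]:
    """Pull the ?next= parameter out of a /saml2/login/ URL (None if absent)."""
    query = parse_qs(urlsplit(login_url).query)
    values = query.get("next")
    return values[0] if values else None


def cookie_domain_for(next_url: Optional[str], allowed_hosts: Iterable[str]) -> Optional[str]:
    """Return the host that may receive the session cookie, or None to keep the default.

    Only absolute https targets are considered, and matching is exact: a lookalike
    such as 'evil-b.example.com' or 'b.example.com.attacker.tld' is rejected, as is
    a plain-http target (the cookie would otherwise travel in clear text).
    """
    if not next_url:
        return None
    target = urlsplit(next_url)
    if target.scheme != "https" or not target.hostname:
        return None
    allowed = {normalise_host(h) for h in allowed_hosts}
    return target.hostname if target.hostname in allowed else None


if __name__ == "__main__":
    login = "https://a.example.com/saml2/login/?next=https://b.example.com/dashboard&idp=idp-id"
    print(cookie_domain_for(next_url_from_login(login), SAML_ALLOWED_HOSTS))
```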

@shadowbrush
Author

Thanks for your quick response, Giuseppe! If my company decides to add support for target domains I'll provide a PR for it.

@shadowbrush
Author

@peppelinux Here is the PR: #336

@peppelinux
Member

Hi @shadowbrush, do you have any update on this issue?
