samlGotAuthnRequest cannot modify $login->request when signature validation is enabled
Concerned version
Version: 2.0.14
Summary
- Using the following plugin
```perl
package Lemonldap::NG::Portal::Plugins::ForceReauthn;

use Mouse;
use Lemonldap::NG::Portal::Main::Constants;
extends 'Lemonldap::NG::Portal::Main::Plugin';

# Register gotRequest on the samlGotAuthnRequest hook
use constant hook => { samlGotAuthnRequest => 'gotRequest', };

sub init { 1; }

sub gotRequest {
    my ( $self, $res, $login ) = @_;

    # Set ForceAuthn on the received AuthnRequest
    $login->request->ForceAuthn(1);
    return PE_OK;
}

1;
```
- When signature validation is enabled, reauthentication does not happen
Possible fixes
This is caused by the fact that processAuthnRequestMsg is called twice: before the hook, and after the hook if signature validation is enabled.
We need to either run the hook after the second test, or rewrite the code to do only one processAuthnRequestMsg.
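
The ordering problem described above, as an added model that is not part of the original report and is not LemonLDAP::NG code. `MockLogin`, `process_msg` and the sample message are hypothetical stand-ins, and the model assumes each processing call rebuilds the request from the raw message.

```perl
#!/usr/bin/env perl
# Simplified model of the ordering problem. MockLogin is a hypothetical
# stand-in for the login object; it is not LemonLDAP::NG or Lasso code.
use strict;
use warnings;

package MockLogin;

sub new { my ($class) = @_; return bless { request => undef }, $class }

# Assumption: processing a message rebuilds the request from the raw
# message, discarding whatever the previous request object held.
sub process_msg {
    my ( $self, $raw, $verify_signature ) = @_;
    $self->{request} = { ForceAuthn => ( $raw =~ /ForceAuthn="true"/ ? 1 : 0 ) };
    return 1;
}

package main;

# Constructed sample message: the SP did not ask for ForceAuthn.
my $raw = '<samlp:AuthnRequest ID="_constructed" ForceAuthn="false"/>';

# Stand-in for the plugin hook from the report.
my $hook = sub { my ($login) = @_; $login->{request}{ForceAuthn} = 1 };

# Order described in the report: process, run the hook, then process again
# to validate the signature. The second pass overwrites the hook's change.
sub reported_order {
    my ($check_sig) = @_;
    my $login = MockLogin->new;
    $login->process_msg( $raw, 0 );
    $hook->($login);
    $login->process_msg( $raw, 1 ) if $check_sig;
    return $login->{request}{ForceAuthn};
}

# First proposed fix: run the hook only after the last processing pass.
sub hook_after_validation {
    my ($check_sig) = @_;
    my $login = MockLogin->new;
    $login->process_msg( $raw, 0 );
    $login->process_msg( $raw, 1 ) if $check_sig;
    $hook->($login);
    return $login->{request}{ForceAuthn};
}

printf "reported order, signature check off: ForceAuthn=%d\n", reported_order(0);
printf "reported order, signature check on:  ForceAuthn=%d\n", reported_order(1);
printf "hook after validation, check on:     ForceAuthn=%d\n", hook_after_validation(1);
```

A regression test for the real fix would assert the same thing against the portal: with signature validation enabled, the value set by the hook is still present when the authentication decision is made.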