15.1. Disable Access Keys and Force SAML Login on the Portal
Use case: You have SAML + Require Authentication enabled on the portal and want to prevent customers from bypassing SAML via access key links in email notifications.
Prerequisites
- Portal Login Type set to SAML (Admin > Settings > Authentication)
- Require Authentication enabled (Admin > Settings > Portal)
The Problem
HelpSpot sends access key links in email notifications (e.g. ?pg=request.check&id=12345abc). These links let customers view and update requests without logging in, even when SAML + Require Auth is enabled.
The Fix
Customize the request.check.tpl.php template to redirect unauthenticated users to SAML login instead of accepting access keys.
Step 1: Open the template
Go to Admin > Customize > Portal Templates and select request.check.tpl.php.
Step 2: Make three changes
Change A — Add SAML redirect at the top
Find this block near the top (after the header/navigation includes):
<?php if ($this->splugin('Request_Check', 'accessKeyIsValid', $this->get_id)) { ?>
<h1><?php echo lg('lg_portal_accessidheader') ?> : <?php echo $this->get_id ?></h1>
<?php include $this->loadTemplate('loginbar.tpl.php'); ?>
<br />
<?php echo lg('lg_portal_accessnote') ?>
<br /><br />
<?php } elseif ($this->requireAuth) { ?>
<h1><?php echo lg('lg_portal_loginrequired') ?></h1> <br />
<?php } else { ?>
<h1><?php echo lg('lg_portal_checkrequest') ?></h1> <br />
<?php } ?>
Replace with:
<?php
// Force SAML login — no access key bypass
if (!$this->splugin('Request_Check', 'isLoggedIn')) {
    $route = str_replace('/index.php/', '/', route('saml2_login', 'hs'));
    header('Location: ' . $route);
    exit;
}
?>
<h1><?php echo lg('lg_portal_checkrequest') ?></h1> <br />
Change B — Replace access key validation with login check
Find this line (appears twice in the template):
<?php if ($this->splugin('Request_Check', 'accessKeyIsValid', $this->get_id)) { ?>
Replace both occurrences with:
<?php if ($this->splugin('Request_Check', 'isLoggedIn')) { ?>
Change C — Remove the access key form
Find the <?php } else { ?> block near the bottom that contains the access key input form and login form. Replace the entire block (from <?php } else { ?> to its closing <?php } ?>) with:
<?php } else { ?>
    <p>Redirecting to login...</p>
    <?php
    $route = str_replace('/index.php/', '/', route('saml2_login', 'hs'));
    header('Location: ' . $route);
    exit;
    ?>
<?php } ?>
Step 3: Save
Click Save in the template editor.
Step 4: Test
- Open an access key link in an incognito window — should redirect to SAML login
- Visit /index.php?pg=request.check with no ID — should redirect to SAML login
- Log in via SAML — should see request history normally
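The first two checks above can be scripted so they are easy to repeat after any later template edit. The following is an added example, not HelpSpot code; the portal base URL, access key ID and login path are arguments you supply, and the login path (whatever the saml2_login route resolves to on your installation) is an assumption, since this page does not state it.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the first response can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def fetch(url):
    """GET url with no cookies (like an incognito window); return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def verdict(status, location, portal_url, login_path):
    """Classify one unauthenticated response.

    login_path is an assumption supplied by the caller: the path that the
    saml2_login route resolves to on your installation.
    """
    if status not in REDIRECTS:
        # e.g. 200: the template rendered, or PHP had already sent output
        # before header() ran, so no Location header went out.
        return "FAIL: no redirect (HTTP %d)" % status
    path = urlsplit(urljoin(portal_url, location or "")).path.rstrip("/")
    if not path.endswith(login_path.rstrip("/")):
        return "FAIL: redirect target is %s" % (path or "/")
    return "PASS"


if __name__ == "__main__":
    # usage: check.py <portal base URL> <access key id> <login path>
    base, key, login = sys.argv[1].rstrip("/"), sys.argv[2], sys.argv[3]
    failed = False
    for query in ("?pg=request.check&id=" + key, "?pg=request.check"):
        result = verdict(*fetch(base + "/index.php" + query), base + "/", login)
        failed |= result != "PASS"
        print(query, "->", result)
    sys.exit(1 if failed else 0)
```

The third check (logging in via SAML and seeing request history) still needs a browser session and is not covered here.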
Note about email notifications
Access key links in email notifications will now redirect to SAML login instead of showing the request directly. Consider updating your email templates to change the link text to something like "Log in to view your request."
Reverting
Go to Admin > Customize > Portal Templates, select request.check.tpl.php, and click Revert to Default.