Merged
We introduced a change (ref: https://github.com/18F/identity-idp/pull/10095/files) that started storing the IALMAX ACR value when the IAL1 ACR value is sent with the minimum authn context comparison. Prior to this change the ACR value in the session would be IAL1. That commit and later commits introduced code that expected that ACR value to be IALMAX when an IALMAX request was made. That led to issues when an IALMAX request was made with the old code that stored the IAL1 value. Specifically, issues occurred in the SAML IDP controller when prompting the user to unlock their PII. This commit makes the code aware of the old approach as well as the new one and handles both. [skip changelog]
jmhooper commented on Feb 22, 2024
| end | ||
|
|
||
| def ialmax_request_with_ial1_acr_and_pii_requested_and_locked? | ||
| requested_ial == 'ialmax' && |
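Review bot: `ialmax_request_with_ial1_acr_and_pii_requested_and_locked?` is defined with no comment above the `def`, so nothing in the code marks it as a compatibility path for sessions that still hold the IAL1 ACR value. Add a short comment saying which session state it covers and when it can be deleted, so the branch is not left behind once every session carries the IALMAX value. The `requested_ial == 'ialmax'` comparison against a bare string would also be easier to audit if it used a shared constant, if one exists for that value.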
This method looks directly at the SAML request that is present here instead of at the AuthnContextResolver result so it is not affected by the 50/50 issue.
zachmargolis approved these changes on Feb 22, 2024
jmhooper added a commit that referenced this pull request on Feb 22, 2024
A previous change introduced a temporary fix to avoid a 50/50 state issue in the SAML controller (ref: #10141). That was intended to be temporary. Once it is deployed and stable the code can be removed. This change removes that code. [skip changelog]
jmhooper added a commit that referenced this pull request on Feb 23, 2024
A previous change introduced a temporary fix to avoid a 50/50 state issue in the SAML controller (ref: #10141). That was intended to be temporary. Once it is deployed and stable the code can be removed. This change removes that code. [skip changelog]