… and ignoring unknown authn_context values
| end | ||
| end | ||
| def raise_unsupported_component_exception(component_value_name) |
I'll remark here that this may be a deviation from the spec since we are accepting vectors we do not recognize that are not described by our trustmark. However, that may not be a huge deal since this API should be going away soon.
thanks for that note! i could probably update it to only raise when vectors of trust are passed in, if you have any feelings about it! (although i think we are deviating from the spec in some ways anyways, like having implied vectors, and as you said, it's hopefully not long for our code base.)
| (requested_authn_contexts - | ||
| Saml::Idp::Constants::VALID_AUTHN_CONTEXTS).reject do |authn_context| | ||
| authn_context.match(req_attrs_regexp) | ||
| end.join(' ').presence |
indentation is kinda funky here, WDYT of breaking this out into a variable?
| (requested_authn_contexts - | |
| Saml::Idp::Constants::VALID_AUTHN_CONTEXTS).reject do |authn_context| | |
| authn_context.match(req_attrs_regexp) | |
| end.join(' ').presence | |
| unmatched_contexts = Saml::Idp::Constants::VALID_AUTHN_CONTEXTS).reject do |authn_context| | |
| authn_context.match(req_attrs_regexp) | |
| end | |
| (requested_authn_contexts - unmatched_contexts).join(' ').presence |
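Review bot: the suggested replacement does not parse and changes the result. `unmatched_contexts = Saml::Idp::Constants::VALID_AUTHN_CONTEXTS).reject do |authn_context|` has a stray `)` and drops the leading `requested_authn_contexts -`, so `unmatched_contexts` would hold the valid contexts that do not match `req_attrs_regexp` rather than the unknown requested ones, and `(requested_authn_contexts - unmatched_contexts).join(' ').presence` would then keep every unknown value instead of isolating it. Keep the original expression's order when extracting the variable, e.g. `unknown_contexts = (requested_authn_contexts - Saml::Idp::Constants::VALID_AUTHN_CONTEXTS)`, apply the `reject { |authn_context| authn_context.match(req_attrs_regexp) }` to that, and join the result.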
sure! updated in 52a697b (i pulled it into a separate method to make it easier to read)
ajfarkas left a comment
I think we should have a Login-wide position on whether we primarily focus on Partners (ie, breaking errors when they pass invalid values, with the assumption they test their integrations), or on End Users (ie, be as forgiving as possible with integrations within the bounds of the relevant specifications).
These kinds of questions pop up constantly.
| IdentityConfig.store.use_vot_in_sp_requests | ||
| end | ||
| authn_contexts.all? do |classref| | ||
| # SAML requests are allowed to "default" to the integration's IAL default. |
nprimak left a comment
Some very minor nitpicks, otherwise LGTM! Always excited to help unblock partners.
Co-authored-by: Nadya Primak <nadya.primak@gsa.gov>
changelog: User-Facing Improvements, Integration Experience, Allowing and ignoring unknown authn_context values
🎫 Ticket
Link to the relevant ticket:
Ignore unknown authentication contexts
Link to 1-pager
🛠 Summary of changes
This change updates our SAML integration to allow and ignore unknown authentication context class reference (ACR) values that are sent via the request, as long as there is at least one valid AuthnContext value that we can assert. (OIDC already allowed arbitrary values to be passed in.)
SAML spec line 1820
This change also:
Open questions:
I am currently handling the case of a partner passing in only unknown ACR values as invalid.
However, we do allow SAML partners to pass in no ACR values, in which case we use their service provider defaults, so an argument could be made that if we get only unknown ACR values, we should default to the SP's defaults.
My thinking is that if they are purposefully sending ACR values, that should override any defaults we have -- if they are only sending one, unknown ACR values that is more likely a mistake. Am open to arguments in favor/against this approach!
📜 Testing Plan
Provide a checklist of steps to confirm the changes.
`make run` (main IdP) with `make run`, sign in: Authn context "Unauthorized authentication context" error; `make run`, sign in
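The decision rule the summary describes (unknown ACR values ignored when at least one recognised value is present, only-unknown values rejected, no values falling through to the SP defaults), as an added Ruby example that is not code from the identity-idp PR; the constant values, the regexp and the method and error names are constructed stand-ins, and `presence` is replaced with plain Ruby so it runs without ActiveSupport.

```ruby
# Added example, not code from the identity-idp PR: models the request-side
# ACR handling described in the summary. Constants are constructed stand-ins.

# Stand-in for Saml::Idp::Constants::VALID_AUTHN_CONTEXTS (assumed values).
VALID_AUTHN_CONTEXTS = [
  'http://idmanagement.gov/ns/assurance/ial/1',
  'http://idmanagement.gov/ns/assurance/ial/2',
  'http://idmanagement.gov/ns/assurance/aal/2',
].freeze

# Stand-in for req_attrs_regexp: classrefs carrying a requested-attributes
# bundle are not "unknown" even though they are not in the list above.
REQ_ATTRS_REGEXP = %r{\Ahttp://idmanagement\.gov/ns/requested_attributes\?ReqAttr=}

UnsupportedAuthnContextError = Class.new(StandardError)

# Same computation as the diff under review, without ActiveSupport's #presence:
# unknown values that are not requested-attribute bundles, space-joined, or nil.
def unsupported_authn_contexts(requested_authn_contexts)
  unknown = (requested_authn_contexts - VALID_AUTHN_CONTEXTS).reject do |authn_context|
    authn_context.match?(REQ_ATTRS_REGEXP)
  end
  joined = unknown.join(' ')
  joined.empty? ? nil : joined
end

# Decides what the IdP should honour for a SAML request:
#   no ACR values at all      -> nil, caller applies the SP's configured defaults
#   at least one known value  -> the known subset; unknown values are ignored
#   only unknown values       -> error, the request is treated as invalid
def resolve_authn_contexts(requested_authn_contexts)
  return nil if requested_authn_contexts.nil? || requested_authn_contexts.empty?

  known = requested_authn_contexts.select do |authn_context|
    VALID_AUTHN_CONTEXTS.include?(authn_context) || authn_context.match?(REQ_ATTRS_REGEXP)
  end
  if known.empty?
    raise UnsupportedAuthnContextError,
          "Unauthorized authentication context: #{unsupported_authn_contexts(requested_authn_contexts)}"
  end
  known
end
```

The "only unknown values" branch is the open question above: swapping the `raise` for `return nil` would make such requests fall back to the SP defaults instead.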