Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use entitlements for activation routes #494

Open
phavekes opened this issue Dec 1, 2024 · 6 comments
Open

Use entitlements for activation routes #494

phavekes opened this issue Dec 1, 2024 · 6 comments
Labels
Imported self service token without vetting

Comments

@phavekes
Copy link
Member

phavekes commented Dec 1, 2024

This issue is imported from pivotal - Originaly created at Jul 7, 2023 by Pieter van der Meulen

As an institution, I want to control which users are allowed to register Self Asserted Token (SAT) of visit the Service Desk for token activation and which users are allowed to request tokens that are vetted the service desk. For this, we want to use the SAML attribute [`urn:mace:dir:attribute-def:eduPersonEntitlement`](https://wiki.surfnet.nl/display/surfconextdev/Attributes+in+SURFconext#AttributesinSURFconext-eduPersonEntitlementEntitlements).

We recognize two string values for eduPersonEntitlementEntitlement, their actual values must be configurable in the SS configuration. E.g.:

  • urn:mace:surf.nl:surfsecureid:activation:self
  • urn:mace:surf.nl:surfsecureid:activation:ra

(Let's use the same names and values as the config parameters for preferred_activation_flow_name and preferred_activation_flow_options)

If the self entitlement is present, the user is only allowed to self-activate his token
If the ra entitlement is present, the user is only allowed to visit the servicedesk for token activation

If both or non of the entitlements are present, both activation routes are allowed.

The query-parameter-hints (i.e. https://selfservice/?activate=ra and https://selfservice/?activate=self) from see: https://www.pivotaltracker.com/n/projects/1163646/stories/181966790 must still be taken into account when none or both entitlements are present, but the entitlements overrule the query-parameter hint.

If applying the constraints from entitlement would result in no options being available for a user, act as if no entitlements are set. This can happen when a user already has a vetted token, but they only have the urn:mace:surf.nl:surfsecureid:activation:self entitlement.

eduPersonEntitlement is a multi-valued attribute an my contain other entitlement values besides those configured for self and ra. These other entitlement values must be ignored by the application.
@phavekes phavekes self-assigned this Dec 1, 2024
@phavekes phavekes added this to Stepup Dec 1, 2024
@github-project-automation github-project-automation bot moved this to New in Stepup Dec 1, 2024
@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024 

@pmeulen I\'ve two questions regarding this story.
  • What should we do if entitlements are set but are not valid, for example: urn:mace:surf.nl:surfsecureid:activation:invalid?
  • I don't understand: If applying the constraints from entitlement would result in no options being available for a user, act as if no entitlements are set. .
    Because that seems to contradict the rules when a flow should be allowed.
    (bstrooband - Oct 30, 2024)

@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024

What should we do if entitlements are set but are not valid, for example: urn:mace:surf.nl:surfsecureid:activation:invalid?

There could be other entitlement values set. I wouldn't call these "invalid". Entitlement values that do not match the configured ones must not have any effect. (Pieter van der Meulen - Oct 30, 2024)

@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024

I meant invalid in the context of this story, but fair enough. (bstrooband - Oct 30, 2024)

@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024

I don't understand: If applying the constraints from entitlement would result in no options being available for a user, act as if no entitlements are set.

There are rules for when a user is allowed self-service registration. E.g. if a user once had a token, they are no longer allowed to self-register. See the registration flows: https://www.plantuml.com/plantuml/proxy?src=https://raw.githubusercontent.com/wiki/OpenConext/Stepup-Deploy/ApplicationFlows/SS-2ndfactor.plantuml

This remark is meant as a catch-all. If the entitlements only allow one route, e.g. self-service registration, but this registration option is not allowed by the registration rules, then a user may not have any options to register and would be stuck. This is not something that we want, so if such a situation occurs, ignore the entitlements and show all the options that are allowed by the registration flow. The registration flow is designed such that there is always a way out for the user. (Pieter van der Meulen - Oct 30, 2024)

@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024 

@pmeulen what should I do with this?

OpenConext/Stepup-SelfService#336 (review) (bstrooband - Nov 4, 2024)

@phavekes
Copy link
Member Author

phavekes commented Dec 1, 2024

Makes sense and should be easy to implement. Add an option to configure this in the same place as where the entitelement values are configured, default to urn:mace:dir:attribute-def:eduPersonEntitlement. (Pieter van der Meulen - Nov 4, 2024)

@phavekes phavekes removed their assignment Dec 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Imported self service token without vetting
Projects
Stepup
Status: New
Milestone
No milestone
Development

No branches or pull requests
1 participant
@phavekes