Introduce team-based SP entityIDs to allow IdPs with fixed entityID to serve more than one team.#1755
Merged
Introduce team-based SP entityIDs to allow IdPs with fixed entityID to serve more than one team.#1755
Conversation
Contributor
Author
The most interesting part is this: So for IdPs expecting the old behavior, the auth request names the new finalize-login path. That shouldn't be too hard to fix, no? |
10 tasks
This reverts commit 17c22336940529a014d649e3d17eed6de6f1c05d.
This reverts commit 8c4316a034f3d248e8eeb4f1060a3ade21c9d467.
This reverts commit e0853d3a4a4a6ddbaf189eeff5c7633f62b016cf.
e0853d3 to
edfb77d
Compare
... as long as they really live in different teams!
More error info when looking up idps.
fisx
commented
Sep 13, 2021
julialongtin
approved these changes
Sep 13, 2021
Member
julialongtin
left a comment
There was a problem hiding this comment.
reviewed over wire. was fun!
Member
|
There are 4 failing tests (consistently across two CI runs): |
Contributor
Author
|
(at least some of) the failures are happening here: That's why I couldn't reproduce this locally. I'll think of a cheap way to abstract over the spar hostname. |
(not one that we falsely assume will always be configured.)
Contributor
Author
|
I also think this is ready to merge now, if concourse is done. But @julialongtin I wouldn't mind a second opinion on 379c56c... |
fisx
commented
Sep 13, 2021
Merged
fisx
added a commit
that referenced
this pull request
Sep 16, 2021
* document #1755 in spar-braindump.md * Fix: do not fail on registering same IdP entityID for *third* team. * Fix: do not allow authenticating same `UserRef` for two different teams. (didn't work before, not it throws an error.) * Flip the order of two commutative db calls. (idp by issuer is stored either in one or the other table, never in both, so this doesn't matter except for considerations as to which is most likely to fail and should therefore be tried last.) * Simplify code. `guardReplaceeV2` was never called, and what it checks is already checked in the beginning of `validateNewIdP`; `guardSameTeam` was either testing a tautology or a falsehood, depending on the call side, so it was easy to simplify. * Haddocks. * Don't use `-` in query params; use `_` instead. * Add failing integration test. * Cleanup: obey (optional) field order in cassandra insert. * More error info. * Whitespace. * Improve test coverage.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Support using a single IDP with a single EntityID to set up two teams. sets up a migration, and makes teamID + EntityID unique, rather than relying on EntityID to be unique. Required to support multiple teams in environments where the IDP software cannot present anything but one EntityID (E.G.: DualShield).
Checklist
make git-add-cassandra-schemato update the cassandra schema documentation.changelog.d.