Support relying party groups in attribute resolver/filter
Basics
Logistics
Basics
Logistics
Description
We seem to have a long history of bugs dating back to V2 around support for SAML affiliations in the old pairwise data connectors. I don't see any sign we handled it correctly in V2 in the computed case, but there was a bug fix to handle them in the stored case.
I didn't implement it in the V3 port, but when the underlying code is invoked for NameID generation it does get done correctly.
I looked into this because of the discussion around whether the OIDC sub claim should come from the resolver or a clone of the NameID generation service, and I would rather it be handled in the resolver for consistency and to further deprecate NameIDs and anything that looks like them.
I think my conclusion is that I'd rather leave the SAML flows alone and not populate any notion of "groups" of RPs in the resolver but we should define a way to carry it and then have the Computed/Stored connectors honor it. Then the OIDC flows can populate that from the sector identifier and all should be well.
We seem to have a long history of bugs dating back to V2 around support for SAML affiliations in the old pairwise data connectors. I don't see any sign we handled it correctly in V2 in the computed case, but there was a bug fix to handle them in the stored case.
I didn't implement it in the V3 port, but when the underlying code is invoked for NameID generation it does get done correctly.
I looked into this because of the discussion around whether the OIDC sub claim should come from the resolver or a clone of the NameID generation service, and I would rather it be handled in the resolver for consistency and to further deprecate NameIDs and anything that looks like them.
I think my conclusion is that I'd rather leave the SAML flows alone and not populate any notion of "groups" of RPs in the resolver but we should define a way to carry it and then have the Computed/Stored connectors honor it. Then the OIDC flows can populate that from the sector identifier and all should be well.