Implement new SAML profile settings
Description
Activity
Scott Cantor February 28, 2023 at 4:39 PM
Adjusted original request decorator concept to align to pre-existing Function<MessageContext,Exception> hook I added to SAML login flow, moved to SAMLProfileConfiguration interface, and wired into all SAML flows.
Scott Cantor February 27, 2023 at 4:48 PM
RequestedAttributes implemented after much gnashing.
The V4 code had a lot of assumptions wired in around things such that “bad” data being decoded into String-valued IdPAttributes would trump anything else, and result in a single Null value being decoded, masking the code from falling down into looking directly at the native SAML Attributes.
The XMLObject transcoder likely would work now, but it would have to be manually configured to support the new requestedAttribute tag name, and I’ve tried to avoid needing transcoder rules for all the config tags. But it’s an option.
Scott Cantor February 23, 2023 at 8:32 PM (Edited)
Added support for SPNameQualifier, though overridden by SP request.
Added enforcement checking action to block ForceAuthn, SPNameQualifier, or NameID Format in requests.
TBD are RequestedAttributes, which are currently handled down in OpenSAML so will need new extension handler in IdP, and the Request Decorator feature.
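The enforcement check described in this comment, as an added stand-alone illustration rather than Shibboleth IdP code: a small function that reads a SAML 2.0 AuthnRequest and reports which of ForceAuthn, SPNameQualifier, and NameID Format the request tries to dictate when the profile setting blocks them. The `EnforcementPolicy` class, the sample request and its entityIDs are constructed for the example and are not names from the IdP.

```python
"""Added example (not Shibboleth IdP code): enforce a profile setting that
forbids an SP from dictating ForceAuthn, SPNameQualifier, or NameID Format."""
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml
from dataclasses import dataclass

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

# Constructed sample request; IDs and entityIDs are placeholders.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="_example-request-id" Version="2.0"
    IssueInstant="2023-02-23T20:00:00Z" ForceAuthn="true">
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="https://sp.example.org/shibboleth"/>
</samlp:AuthnRequest>"""

# Constructed request that dictates nothing; should pass any policy.
MINIMAL_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ID="_example-request-id-2" Version="2.0"
    IssueInstant="2023-02-23T20:00:00Z"/>"""


@dataclass(frozen=True)
class EnforcementPolicy:
    """Hypothetical stand-in for the profile's per-feature block settings."""
    block_force_authn: bool
    block_sp_name_qualifier: bool
    block_nameid_format: bool


def check_request(xml_text: str, policy: EnforcementPolicy) -> list[str]:
    """Return the names of blocked request features the request attempts
    to set, in a fixed order; an empty list means the request is allowed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    violations = []
    # ForceAuthn is an xs:boolean attribute, so "1" counts as true.
    if policy.block_force_authn and root.get("ForceAuthn", "false") in ("true", "1"):
        violations.append("ForceAuthn")
    nameid_policy = root.find("samlp:NameIDPolicy", NS)
    if nameid_policy is not None:
        if policy.block_sp_name_qualifier and nameid_policy.get("SPNameQualifier"):
            violations.append("SPNameQualifier")
        if policy.block_nameid_format and nameid_policy.get("Format"):
            violations.append("NameIDFormat")
    return violations
```

A real deployment would reject the request with an error event when the returned list is non-empty and log the offending entityID.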
A few new profile settings were added during the refactor for the SP that can be supported, mostly SSO related. They need to be implemented for proxied SSO, and in one case added to all of the SAML request-issuing flows.