Add ignoreScoping to OIDC.SSO properties
Description
Environment
Activity
Awesome. Thanks again!
Assuming you couldn’t get away with it globally depending on how you’re using it all, yes, just do a RelyingPartyByName for the upstream system and set it there (or use metadata-driven config and add it to the upstream’s metadata of course).
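The per-peer override suggested in the comment above, written out as an added configuration example for relying-party.xml (not taken from the thread or from the Shibboleth project); the upstream entityID is a placeholder:

```xml
<!-- relying-party.xml (Shibboleth IdP): shibboleth.RelyingPartyOverrides is
     the existing override list in that file; only the new entry is shown. -->
<util:list id="shibboleth.RelyingPartyOverrides">

    <!-- Override keyed on the upstream IdP's entityID (placeholder value;
         take the real one from the Entra tenant's federation metadata).
         When the SAML authn flow proxies to this peer, the outbound
         AuthnRequest is built from this SAML2.SSO profile configuration,
         so ignoreScoping="true" here omits the Scoping/RequesterID element
         regardless of whether the inbound side was SAML2.SSO or OIDC.SSO. -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:ignoreScoping="true" />
            </list>
        </property>
    </bean>

</util:list>
```

To confirm the override is in effect, decode an outgoing AuthnRequest sent to the upstream and check that it no longer carries a samlp:Scoping element.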
Oh, I am terribly sorry that I haven’t tried that in the first place. That’s actually a really smart idea!
In that case I could control whether the ignoreScoping is true or not based on a relying party override activation condition that checks whether the entityID/clientID is a URI or something like that. Thanks so much for clarifying this!
Yes, that’s the case. The setting isn’t about OIDC, it’s on the outbound handling of SAML2.SSO. I piggyback the settings inbound and outbound on the same profile because if they need to be different, usually that’s specific to a particular entityID peer anyway, Entra in this case.
My understanding is you should be able to set ignoreScoping on the SAML2.SSO profile configuration to stop the proxy (SAML authn.flow) including the scoping element when it builds the authentication request, even if you are using the OP (OIDC.SSO). Does that not work?
We have an issue proxying OIDC.SSO to Azure/Entra ID SAML with idp.authn.flows = SAML configured. The problem being that Microsoft requires the RequesterID to be a URI as described here:
SAMLAuthnConfiguration | A Note About Intra/Azure
As for our SAML2.SSO configuration this is not an issue because the RequesterID happens to be the SP EntityID, but for OIDC.SSO it’s the client_id, which can be a randomly generated id (and not a URI).
SAML2.SSO can be configured so that scoping isn’t proxied as described in the above article as well as here:
ProfileConfiguration-SAML2SSO (ignoreScoping)
but OIDC.SSO only allows proxiedAuthnInstant. I haven’t found a way to manipulate the RequesterID so that it is a valid URI or omit it altogether. Unless there’s something I overlook here, I’d like to see this switch available for OIDC.SSO to remediate our problem.