Identity Provider / IDP-1331

Support relying party groups in attribute resolver/filter


    Details

      Description

      We seem to have a long history of bugs dating back to V2 around support for SAML affiliations in the old pairwise data connectors. I don't see any sign we handled it correctly in V2 in the computed case, but there was a bug fix to handle them in the stored case.

      I didn't implement it in the V3 port, but when the underlying code is invoked for NameID generation it does get done correctly.

      I looked into this because of the discussion around whether the OIDC sub claim should come from the resolver or a clone of the NameID generation service, and I would rather it be handled in the resolver for consistency and to further deprecate NameIDs and anything that looks like them.

      I think my conclusion is that I'd rather leave the SAML flows alone and not populate any notion of "groups" of RPs in the resolver, but we should define a way to carry it and then have the Computed/Stored connectors honor it. Then the OIDC flows can populate that from the sector identifier and all should be well.
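To make the proposal concrete, the following is an added illustration (not code from the Shibboleth IdP) of what "carrying a group and having the Computed/Stored connectors honor it" means in practice. The pairwise value is keyed on the group when one is present and on the individual relying party otherwise, so every OIDC client sharing a sector identifier receives the same subject, while unrelated relying parties still get unlinkable values. The `relying_party_group` field, the `StoredIdStore` class and the salt are assumptions constructed for the example; the hash layout is modelled on the Computed ID connector's `relyingPartyId!sourceId!salt` SHA-1 and is illustrative only.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class RelyingPartyContext:
    """Constructed stand-in for the IdP's relying-party information.

    relying_party_id: the SAML entityID or OIDC client_id.
    relying_party_group: hypothetical field carrying the SAML affiliation
    or the OIDC sector identifier host that the issue proposes to add.
    """
    relying_party_id: str
    relying_party_group: Optional[str] = None


def group_from_sector_identifier(sector_identifier_uri: str) -> str:
    """OIDC pairwise subjects are scoped to the host of the sector identifier,
    so the host is what an OIDC flow would populate the group with."""
    host = urlparse(sector_identifier_uri).hostname
    if not host:
        raise ValueError("sector identifier has no host: %r" % sector_identifier_uri)
    return host


def pairwise_key(rp: RelyingPartyContext) -> str:
    """Key the identifier on the group when one is carried, else on the RP itself."""
    return rp.relying_party_group or rp.relying_party_id


def computed_id(rp: RelyingPartyContext, source_id: str, salt: bytes) -> str:
    """Pairwise identifier modelled on the Computed ID connector:
    Base64(SHA-1(key + '!' + sourceId + '!' + salt)). Illustrative layout."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    digest = hashlib.sha1()
    digest.update(pairwise_key(rp).encode("utf-8"))
    digest.update(b"!")
    digest.update(source_id.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


class StoredIdStore:
    """Minimal in-memory stand-in (assumption) for the Stored ID connector's
    table. Rows are keyed on (group-or-RP, sourceId), so every member of a
    group resolves to the single row created on first use."""

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._rows: Dict[Tuple[str, str], str] = {}
        self.inserts = 0

    def lookup_or_create(self, rp: RelyingPartyContext, source_id: str) -> str:
        key = (pairwise_key(rp), source_id)
        if key not in self._rows:
            self._rows[key] = computed_id(rp, source_id, self._salt)
            self.inserts += 1
        return self._rows[key]


def demo() -> Dict[str, bool]:
    """Two clients in one sector share a subject; an ungrouped RP does not."""
    salt = b"constructed-salt-at-least-16-bytes"  # constructed sample value
    sector = group_from_sector_identifier("https://sector.example.org/redirect_uris.json")
    client_a = RelyingPartyContext("https://client-a.example.org", sector)
    client_b = RelyingPartyContext("https://client-b.example.org", sector)
    saml_sp = RelyingPartyContext("https://sp.example.edu/shibboleth")
    store = StoredIdStore(salt)
    sub_a = store.lookup_or_create(client_a, "jdoe")
    sub_b = store.lookup_or_create(client_b, "jdoe")
    sub_sp = store.lookup_or_create(saml_sp, "jdoe")
    return {
        "same_group_shares_subject": sub_a == sub_b,
        "ungrouped_rp_differs": sub_sp != sub_a,
        "one_row_for_group": store.inserts == 2,
    }


if __name__ == "__main__":
    print(demo())
```

Leaving `relying_party_group` unset reproduces today's per-RP behaviour for the SAML flows, which is the "leave the SAML flows alone" part of the proposal; only a flow that populates the group changes what the connectors compute.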


            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            cantor.2@osu.edu Scott Cantor

                Time Tracking

                Estimated: Not Specified
                Remaining: 0m
                Logged: 1h 15m