Flexible filtering of trusted IdPs of SAML federation

Description

The task is to add flexible filtering of the trusted IdPs of a federation that is configured as trusted in the Unity SAML authenticator.

We already have such a feature, which allows excluding individual IdPs identified by their entityId. The additional mechanism shall be more dynamic and allow for more flexibility:

  1. Configured as an MVEL expression, which will be evaluated per each of the IdPs in a federation

    1. the expression shall return true in case when IdP shall be trusted and false otherwise

    2. name of the control in Console: “Federation IdPs filter:”

    3. Tooltip: “If a filter is configured then all federation IdPs will be tested against it. Filter expression can use IdP attributes, as obtained from federation metadata, to decide whether to include it or not. If expression returns true the IdP will be trusted, and otherwise will be excluded.”.

  2. The individual exclusion rules take precedence, i.e. if an IdP is included by the MVEL expression, but also excluded individually, it should be effectively excluded.

MVEL Context for the expression shall contain 2 variables:

  • entityID - with SAML entity id as a value

  • attributes - a map indexed by attribute names as obtained from the EntityAttributes element of the metadata. Values of the map shall be lists of the attribute's values.

For example consider this DFN metadata:

http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml

Pay attention to performance: this filtering should not noticeably slow down federation parsing.
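The following is an added worked example, not Unity's own code: it shows the MVEL context described above (entityID plus an attributes map built from EntityAttributes), the precedence of individual exclusions over the filter, and the performance point (the expression is compiled once and evaluated per IdP). It assumes the org.mvel2 library (the MVEL.compileExpression / MVEL.executeExpression API) on the classpath, Java 16+ for records and text blocks, a constructed metadata snippet rather than the DFN feed, and uses standard output as a stand-in for Unity's TRACE logger; the class, entity IDs and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.mvel2.MVEL;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class FederationIdpFilterExample {
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String ASSURANCE = "urn:oasis:names:tc:SAML:attribute:assurance-certification";

    // Constructed metadata (not the DFN feed): A and D carry SIRTFI v2, B only SIRTFI v1,
    // C has no EntityAttributes at all (so attributes[...] is null for it).
    static final String METADATA = """
        <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
            xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
            xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
          <md:EntityDescriptor entityID="https://idp-a.example.org/idp/shibboleth">
            <md:Extensions><mdattr:EntityAttributes>
              <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
              </saml:Attribute>
            </mdattr:EntityAttributes></md:Extensions>
          </md:EntityDescriptor>
          <md:EntityDescriptor entityID="https://idp-b.example.org/idp/shibboleth">
            <md:Extensions><mdattr:EntityAttributes>
              <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
              </saml:Attribute>
            </mdattr:EntityAttributes></md:Extensions>
          </md:EntityDescriptor>
          <md:EntityDescriptor entityID="https://idp-c.example.org/idp/shibboleth"/>
          <md:EntityDescriptor entityID="https://idp-d.example.org/idp/shibboleth">
            <md:Extensions><mdattr:EntityAttributes>
              <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
                <saml:AttributeValue>https://refeds.org/sirtfi2</saml:AttributeValue>
              </saml:Attribute>
            </mdattr:EntityAttributes></md:Extensions>
          </md:EntityDescriptor>
        </md:EntitiesDescriptor>
        """;

    // One parsed IdP: entityID plus attribute name -> list of values, exactly the MVEL context variables.
    record IdpEntry(String entityID, Map<String, List<String>> attributes) {}

    static List<IdpEntry> parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Federation metadata is untrusted input: refuse DOCTYPE so no external entities can be pulled in.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        List<IdpEntry> out = new ArrayList<>();
        NodeList entities = doc.getElementsByTagNameNS(MD, "EntityDescriptor");
        for (int i = 0; i < entities.getLength(); i++) {
            Element ed = (Element) entities.item(i);
            Map<String, List<String>> attrs = new HashMap<>();
            NodeList attrNodes = ed.getElementsByTagNameNS(SAML, "Attribute");
            for (int j = 0; j < attrNodes.getLength(); j++) {
                Element a = (Element) attrNodes.item(j);
                // Only attributes that sit inside mdattr:EntityAttributes count as entity attributes.
                if (!MDATTR.equals(a.getParentNode().getNamespaceURI())) continue;
                List<String> values = attrs.computeIfAbsent(a.getAttribute("Name"), n -> new ArrayList<>());
                NodeList vals = a.getElementsByTagNameNS(SAML, "AttributeValue");
                for (int k = 0; k < vals.getLength(); k++) values.add(vals.item(k).getTextContent().trim());
            }
            out.add(new IdpEntry(ed.getAttribute("entityID"), attrs));
        }
        return out;
    }

    static List<String> trustedIdps(List<IdpEntry> idps, String filterExpression, Set<String> excludedEntityIds) {
        // Compile the expression once; per-IdP evaluation then stays cheap even for large federations.
        Serializable compiled = MVEL.compileExpression(filterExpression);
        List<String> trusted = new ArrayList<>();
        for (IdpEntry idp : idps) {
            Map<String, Object> ctx = new HashMap<>();
            ctx.put("entityID", idp.entityID());
            ctx.put("attributes", idp.attributes());
            boolean passesFilter = Boolean.TRUE.equals(MVEL.executeExpression(compiled, ctx));
            boolean individuallyExcluded = excludedEntityIds.contains(idp.entityID());
            boolean isTrusted = passesFilter && !individuallyExcluded;   // individual exclusion wins
            // Log the decision together with the IdP it concerns and the context it was evaluated against.
            System.out.printf("%s: filter=%s individuallyExcluded=%s trusted=%s context=%s%n",
                    idp.entityID(), passesFilter, individuallyExcluded, isTrusted, ctx);
            if (isTrusted) trusted.add(idp.entityID());
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        // The null guard keeps IdPs without the attribute (like C) from failing with an error instead of false.
        String filter = "attributes['" + ASSURANCE + "'] != null && attributes['" + ASSURANCE
                + "'] contains 'https://refeds.org/sirtfi2'";
        Set<String> excluded = Set.of("https://idp-d.example.org/idp/shibboleth");
        List<String> trusted = trustedIdps(parse(METADATA), filter, excluded);
        System.out.println("Trusted IdPs: " + trusted);   // only A: B and C fail the filter, D is excluded individually
    }
}
```

The explicit null check in the filter is a defensive choice for the example: an IdP whose metadata carries no EntityAttributes yields a null map entry, and the guard makes that case evaluate to false rather than depend on how the expression engine treats a null operand.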

Activity


Roman Krysiński April 20, 2024 at 11:01 AM

QA: +1

Krzysztof April 15, 2024 at 4:19 PM

QA:

Logging improvement needed. Currently (at TRACE level) I see:

2024-04-15T18:11:36,060 [qtp1338435446-152] [Console] [Default Administrator] [1] [127.0.0.1] TRACE unity.server.saml.MetadataToSPConfigConverter: IDP of entity https://checkin.thga.de/idp/shibboleth is excluded by filter, ignoring.
2024-04-15T18:11:36,060 [qtp1338435446-152] [Console] [Default Administrator] [1] [127.0.0.1] TRACE unity.server.saml.MetadataToSPConfigConverter: Condition "attributes['urn:oasis:names:tc:SAML:attribute:assurance-certification'] contains 'https://refeds.org/sirtfi2'" evaluated to true
2024-04-15T18:11:36,060 [qtp1338435446-152] [Console] [Default Administrator] [1] [127.0.0.1] TRACE unity.server.saml.MetadataToSPConfigConverter: IDP of entity https://login.hfmt-hamburg.de/idp/shibboleth is excluded by filter, ignoring.

  1. It is not shown which IdP was included (i.e. to which the middle entry belongs?)

  2. It would be good to also log the context (at TRACE level)

Done

Details

Area

Commercial

Created April 10, 2024 at 8:31 PM
Updated April 20, 2024 at 11:02 AM
Resolved April 20, 2024 at 11:02 AM