12:46 p.m.
Hi,
Comments inline below.
Ah, yes. Thanks. I forgot that it would be used in the SAML metadata
generation.
Thanks for the
confirmation Ivan.
I think this example configuration in GitHub for the SAML frontend
https://github.com/IdentityPython/SATOSA/blob/master/example/plugins/fronte…
(leaving this as a permanent URL to that file)
https://github.com/IdentityPython/SATOSA/blob/0ddf568/example/plugins/front…
is helping to mislead people. It includes the
configuration
name_id_format: ['urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'urn:oasis:names:tc:SAML:2.0:nameid-format:transient']
I don't see looking at the code that the configuration option
'name_id_format' is ever referenced by
.../src/satosa/frontends/saml2.py.
It is probably only passed to pysaml2 and used in the configuration of
the underlying "IdP object", but again given the way SATOSA functions
that configuration is never exercised.
I propose we modify that example configuration and remove that line
entirely.
The `name_id_format` configuration option there, says that this entity
(the saml frontend that will be instantiated) will advertise on its
metadata the <NameIdFormat> elements with the values that have been
set. Your concern seems to be how this is /enforced/
internally - ie,
currently if the line above is set, but the backend sets
`internal_response.subject_type` to a different value, that value will
be used directly.
- How do we fix this and which component is responsible to handle this?
This is not fixed by hiding the configuration option. Even if we
remove it from the example file, it will still be available for
configuration.
And if we go further and remove it from the configuration, we will be
removing our ability to control that part of the metadata of this
entity.
What we should work towards doing is
- get the format that the backend sent,
- get the format the entity advirtises on its metadata,
- compare than and if they match then proceed
what happens though, if they do not? Then we need a way to convert
from one format to another and along with the format we must adjust
the value. I do not think we can express that with a simple
configuration option. Thus, the way to handle this should be through a
custom module - a micro-service. The micro-service should know which
formats we are targeting and try to make that conversion and transform
(or select) the value appropriately. This is what we discussed in the
previous emails ;-)
So, I don't think we should remove the option from the example, but I
agree that we should better document what it does.
Then also document the behaviour above and how one can control what
the resulting format will be through a micro-service.
We could also say that if in the end the format is not valid (it's not
one of the value defined by name_id_format), then stop the flow and
error out. Would that be useful?
Yes, I think documentation is what is needed.
Thanks,
Scott