Add support for multiple Attribute Consuming Services #307
@pitbulk now that all the required refactoring is merged into master, I could rebase this PR so that the above commits describe just the new feature. As stated above, to understand what's new from a user point of view, start by looking at the updated README file.
Now that we added factories, it is easy to support this
Hi @pitbulk, I've rebased this PR so that it applies cleanly on current master. Yes, now that all my previous contributions have been merged, this feature may be added on top of java-saml. However, I'm not sure whether it would be so straightforward. This change indeed features:
I know your concerns about keeping java-saml simple. In this regard, I can say that:
The latter documentation change may also scale well if we later introduce the support for multiple Assertion Consumer Services as well.
Attribute Consuming Services can now be configured in settings. They will then be parsed and added to the generated metadata. On SSO initiation a selector mechanism can be used to select the desired ACS, producing the proper AttributeConsumingServiceIndex attribute in the AuthnRequest.
ACS is usually used to refer to the Assertion Consumer Service concept in SAML. The ACS may also behave as an Attribute Consuming Service, but in general the two concepts are separate. This fixes the use of the ACS acronym for the Assertion Consumer Service only.
Now Saml2Settings.checkSPSettings() also checks that, if any Attribute Consuming Services are declared, their configuration is consistent.
When a non-indexed Attribute Consuming Service is defined in configuration along with other indexed Services, a warning is printed to the log to inform that the non-indexed one will be ignored.
@eriktalvi can you please help look at this?
Attribute Consuming Services can now be configured in settings. They will then be parsed and added to the generated metadata. On SSO initiation a selector mechanism can be used to select the desired Attribute Consuming Service, producing the proper AttributeConsumingServiceIndex attribute in the AuthnRequest.
This is what I had in mind when I wrote #264 (comment). To quickly understand the rationale, I suggest starting by looking at the changes made to the README file.
All changes are backward compatible, although I've deprecated some method overloadings because I think they are now obsolete and pollute the code (see, for instance, the many overloadings of the Auth.login() method). To better shape the login input parameters, I introduced an AuthnRequest superclass, named AuthnRequestParams, that just carries information on how the AuthnRequest should be produced, without any reference to the settings, to the binding protocol or to other context-related information. Then, AuthnRequest extends AuthnRequestParams to easily use those input parameters and maintain backward compatibility. If in the future any more input params are to be introduced, they can be added to AuthnRequestParams without the need to even further overload Auth.login() (I was thinking about the ability to select an Assertion Consumer Service among a set of available services, somewhat similar to what I made now with Attribute Consuming Services).
(^^^ these changes have meanwhile already been merged within the context of other PRs)
I tested my changes by adding some more tests and by using it in an application I'm writing. As I said in #264, these changes are particularly useful to properly support the Italian SPID authentication system.
I tried to adhere as much as possible to the existing styles of code formatting and javadoc, but it was not easy because I see there are multiple styles in place.
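The index selection and consistency rules discussed in this pull request, sketched as an added example that is not java-saml's code or API: the class, record and method names are hypothetical, the configuration is constructed, and the AuthnRequest is reduced to the attributes needed to show AttributeConsumingServiceIndex (no Issuer, Destination or signature).

```java
import java.time.Instant;
import java.util.*;

// Added illustration: all names here are hypothetical, not java-saml's API.
public class AcsIndexDemo {
    // index is null when the configuration declared the service without one.
    record Service(Integer index, String name) {}

    // Indexes must be unique unsigned shorts; a non-indexed service declared
    // next to indexed ones is ignored with a warning, as the commit note says.
    static List<Service> usable(List<Service> configured, List<String> warnings) {
        boolean anyIndexed = configured.stream().anyMatch(s -> s.index() != null);
        Set<Integer> seen = new HashSet<>();
        List<Service> out = new ArrayList<>();
        for (Service s : configured) {
            if (s.index() == null && anyIndexed) {
                warnings.add("ignoring non-indexed service '" + s.name() + "'");
                continue;
            }
            if (s.index() != null && (s.index() < 0 || s.index() > 65535 || !seen.add(s.index())))
                throw new IllegalStateException("invalid or duplicate index " + s.index());
            out.add(s);
        }
        return out;
    }

    // Emits the attribute only for an index that is actually declared, so the
    // request never points at a service the metadata does not advertise.
    static String authnRequest(List<Service> services, Integer selected) {
        String attr = "";
        if (selected != null) {
            if (services.stream().noneMatch(s -> selected.equals(s.index())))
                throw new IllegalArgumentException("unknown service index " + selected);
            attr = " AttributeConsumingServiceIndex=\"" + selected + "\"";
        }
        return "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
             + " ID=\"_" + UUID.randomUUID() + "\" Version=\"2.0\""
             + " IssueInstant=\"" + Instant.now() + "\"" + attr + "/>";
    }

    public static void main(String[] args) {
        List<String> warnings = new ArrayList<>();
        // Constructed sample configuration: two indexed services, one without index.
        List<Service> services = usable(List.of(new Service(1, "basic"),
                new Service(2, "full-profile"), new Service(null, "legacy")), warnings);
        System.out.println(warnings);
        System.out.println(authnRequest(services, 2));
    }
}
```

Rejecting an unknown index before the request is built keeps the attribute set the IdP is asked to release tied to a service the SP metadata actually declares.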