LG-12196 Add support for VTR param to the SAML interface #10178
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jmhooper
force-pushed
the
jmhooper-saml-vtr
branch
from
cbb5e8c
to
1984a76
Compare
jmhooper
force-pushed
the
jmhooper-saml-vtr
branch
2 times, most recently
from
b2f2124
to
a71d4de
Compare
jmhooper
changed the title
|
I did a few touch-ups to this to get it out of a WIP state. It should be ready for review now. |
This commit enables SAML service providers to make requests using vectors of trust. Vectors of trust support has been built into OIDC in previous commits and much of the work to support this feature was done there. This commit usee the changes in 18F/saml_idp#91 to capture the VTR and store it in the service provider request (and eventually `sp_session`). This is done in the `FederateProtocols::Saml` model similar to the approach for OIDC. This commit modifies `SamlRequestValidator` to validate VTRs alongside validations that exist today for `AuthnContextClassref`s. The `Vot::Parser` is used here to validate the format of VoTs. The `SamlRequestValidator` validates that an SP is allowed to make requests with identity proofing if it is requested. Finally the `SamlRequestValidator` will also fail if the vector or trust feature is not available in the environment The logic for biometric comparison was added to `SamlIdpController` to support the `Pb` component-value that can be used there now. Users are prompted to go through proofing with a selfie if it is required. This includes users who have proofed without a selfie.. If the biometric comparison feature is not enabled for the environment and it is requested with the `Pb` component value `SamlIdpController` will render a 406 similar to the `OpenidConnect::AuthorizationController`. changelog: Internal, SAML, VTR support was added to SAML
jmhooper
force-pushed
the
jmhooper-saml-vtr
branch
from
a71d4de
to
bb8d0b9
Compare
solipet
approved these changes
Mar 4, 2024
jmhooper
added a commit
that referenced
this pull request
Mar 5, 2024
… for SAML In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vtr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vtr"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VTR appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
jmhooper
added a commit
that referenced
this pull request
Mar 5, 2024
… for SAML In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vtr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vtr"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VTR appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
jmhooper
added a commit
that referenced
this pull request
Mar 8, 2024
… for SAML In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vtr" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vtr"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VTR appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
jmhooper
added a commit
that referenced
this pull request
Mar 8, 2024
… for SAML In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vot" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vot"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VoT appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
jmhooper
added a commit
that referenced
this pull request
Mar 8, 2024
… for SAML (#10224) In #10178 we added the ability for SAML service providers to make a request with a vector of trust in the AuthnContext. When a SAML SP does this the vector of trust that is used for the authentication transaction should be reflected to the SP in the SAML response. The authentication context appears in 2 places in the SAML request: 1. In the authn context for the entire transaction: ```xml <AuthnStatement AuthnInstant="2024-01-01T00:00:00" SessionIndex="_abc-123-def-456"> <AuthnContext> <AuthnContextClassRef>A1.B2.C3</AuthnContextClassRef> </AuthnContext> </AuthnStatement> ``` 2. In the attribute statement. With ACR values these appeared as seperated AAL and IAL nodes. For VTRs they appear in a single VTR node: ```xml <AttributeStatement> <!-- ... --> <Attribute Name="vot" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="vot"> <AttributeValue>A1.B2.C3</AttributeValue> </Attribute> </AttributeStatement> ``` Making the VoT appear like this required changes in 2 places: 1. In the SAML controller the correct `authn_context` value was passed to the `#encode_response` method. This is a method from the `18f/saml_idp` gem which is overriden in `SamlIdpController`. 2. The `AttributeAsserter` was modified to recognized a VTR request and add the correct values to the `AttributeStatement` node in the SAML response. changelog: Internal, SAML, VTR support was added to SAML Response
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit enables SAML service providers to make requests using vectors of trust. Vectors of trust support has been built into OIDC in previous commits and much of the work to support this feature was done there.
This commit use the changes in 18F/saml_idp#91 to capture the VTR and store it in the service provider request (and eventually
sp_session). This is done in theFederateProtocols::Samlmodel similar to the approach for OIDC.This commit modifies
SamlRequestValidatorto validate VTRs alongside validations that exist today forAuthnContextClassrefs. TheVot::Parseris used here to validate the format of VoTs. TheSamlRequestValidatorvalidates that an SP is allowed to make requests with identity proofing if it is requested. Finally theSamlRequestValidatorwill also fail if the vector or trust feature is not available in the environmentThe logic for biometric comparison was added to
SamlIdpControllerto support thePbcomponent-value that can be used there now. Users are prompted to go through proofing with a selfie if it is required. This includes users who have proofed without a selfie.. If the biometric comparison feature is not enabled for the environment and it is requested with thePbcomponent valueSamlIdpControllerwill render a 406 similar to theOpenidConnect::AuthorizationController.