cloudfoundry · strehle · Jul 12, 2024
diff --git a/jobs/uaa/spec b/jobs/uaa/spec
@@ -451,6 +451,9 @@ properties:
   login.checkOriginEnabled:
     description: "This flag enables the origin check in SCIM. Otherwise, the assignments of users to an origin are not validated."
     default: false
+  login.allowOriginLoop:
+    description: "This flag enables the loop over all origin of a certain type during login, e.g. all SAML or OIDC providers in case of such a logon. Otherwise, only index access is allowed."
+    default: true
 
   # Email
   login.notifications.url:

diff --git a/jobs/uaa/templates/config/uaa.yml.erb b/jobs/uaa/templates/config/uaa.yml.erb
@@ -672,6 +672,7 @@
       'accountChooserEnabled' => p('login.accountChooserEnabled'),
       'aliasEntitiesEnabled' => p('login.aliasEntitiesEnabled'),
       'checkOriginEnabled' => p('login.checkOriginEnabled'),
+      'allowOriginLoop' => p('login.allowOriginLoop'),
       'entityBaseURL' => login_entityBaseUrl,
       'entityID' => login_entityId,
       'prompt' => {

diff --git a/spec/compare/all-properties-set-uaa.yml b/spec/compare/all-properties-set-uaa.yml
@@ -348,6 +348,7 @@ login:
   accountChooserEnabled: true
   aliasEntitiesEnabled: true
   checkOriginEnabled: true
+  allowOriginLoop: false
   entityBaseURL: http://all-properties-set:8888/uaa
   entityID: all-properties-set:8888/uaa
   prompt:

diff --git a/spec/compare/bosh-lite-uaa.yml b/spec/compare/bosh-lite-uaa.yml
@@ -266,6 +266,7 @@ login:
   accountChooserEnabled: false
   aliasEntitiesEnabled: false
   checkOriginEnabled: false
+  allowOriginLoop: true
   entityBaseURL: https://login.bosh-lite.com
   entityID: login.bosh-lite.com
   prompt:

diff --git a/spec/compare/deprecated-properties-still-work-uaa.yml b/spec/compare/deprecated-properties-still-work-uaa.yml
@@ -220,6 +220,7 @@ login:
   accountChooserEnabled: false
   aliasEntitiesEnabled: false
   checkOriginEnabled: false
+  allowOriginLoop: true
   entityBaseURL: http://test.uaa.url
   entityID: test.uaa.url
   prompt:

diff --git a/spec/compare/test-defaults-uaa.yml b/spec/compare/test-defaults-uaa.yml
@@ -171,6 +171,7 @@ login:
   accountChooserEnabled: false
   aliasEntitiesEnabled: false
   checkOriginEnabled: false
+  allowOriginLoop: true
   entityBaseURL: http://test.uaa.url
   entityID: test.uaa.url
   prompt:

diff --git a/spec/input/all-properties-set.yml b/spec/input/all-properties-set.yml
@@ -40,6 +40,7 @@ properties:
     accountChooserEnabled: true
     aliasEntitiesEnabled: true
     checkOriginEnabled: true
+    allowOriginLoop: false
     links:
       global:
         passwd: "https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/forgot_password"