Commit
[IdP plugin] Surface SP-init flow errors in the same way that IdP-init flow does (#101855)

CP-4958

This PR updates the IdP plugin's /init handler to surface SP-init errors (e.g. with authorisation in) the same way as IdP-init errors, through an Exception that results in a non-200 HTTP status code. At the same time, it continues to send the SAML response object with a failed SAML message that that flow is currently returning. In this way, both IdP and SP init flows have unified error handling, while leaving us the flexibility of using a SAML (error) message-based flow if we wish to in the future.

It does this by:

* Introducing a new `SamlInitiateSingleSignOnException` class that can hold a `SamlInitiateSingleSignOnResponse` with the failed SAML message
* This exception has an override of `metadataToXContent` that serialises its SamlInitiateSingleSignOnResponse if it is present.
* Build `SamlInitiateSingleSignOnException` for handling responses in `TransportSamlInitiateSingleSignOnAction`
* Updating `TransportSamlInitiateSingleSignOnAction` to consistently use the `listener.onFailure(ex)` mechanism for handling failures

Example of the new error response in the SP-init flow from the IT:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "saml_initiate_single_sign_on_exception",
        "reason": "User [es_user] is not permitted to access service [ec:abcdef:123456]",
        "saml_initiate_single_sign_on_response": {
          "post_url": "https://AVoMOJLJfbru.elastic-cloud.com/saml/acs",
          "saml_response": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://AVoMOJLJfbru.elastic-cloud.com/saml/acs\" ID=\"_d73186163618586bd9a671c7ad3d9e399f18b775\" InResponseTo=\"_d7dfe67845acbd717c8f07e7018d99b576d57967\" IssueInstant=\"2023-11-07T08:03:52.193Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:elastic:cloud:idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\"/></saml2p:Status></saml2p:Response>",
          "saml_status": "urn:oasis:names:tc:SAML:2.0:status:Requester",
          "error": "User [es_user] is not permitted to access service [ec:abcdef:123456]",
          "service_provider": {
            "entity_id": "ec:abcdef:123456"
          }
        }
      }
    ],
    "type": "saml_initiate_single_sign_on_exception",
    "reason": "User [es_user] is not permitted to access service [ec:abcdef:123456]",
    "saml_initiate_single_sign_on_response": {
      "post_url": "https://AVoMOJLJfbru.elastic-cloud.com/saml/acs",
      "saml_response": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><saml2p:Response xmlns:saml2p=\"urn:oasis:names:tc:SAML:2.0:protocol\" Destination=\"https://AVoMOJLJfbru.elastic-cloud.com/saml/acs\" ID=\"_d73186163618586bd9a671c7ad3d9e399f18b775\" InResponseTo=\"_d7dfe67845acbd717c8f07e7018d99b576d57967\" IssueInstant=\"2023-11-07T08:03:52.193Z\" Version=\"2.0\"><saml2:Issuer xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">urn:elastic:cloud:idp</saml2:Issuer><saml2p:Status><saml2p:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Requester\"/></saml2p:Status></saml2p:Response>",
      "saml_status": "urn:oasis:names:tc:SAML:2.0:status:Requester",
      "error": "User [es_user] is not permitted to access service [ec:abcdef:123456]",
      "service_provider": {
        "entity_id": "ec:abcdef:123456"
      }
    }
  },
  "status": 403
}
```

Signed-off-by: lloydmeta <lloydmeta@gmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
1 parent 7117ac5 · commit 7ef539c
Showing 6 changed files with 166 additions and 67 deletions.
...main/java/org/elasticsearch/xpack/idp/saml/support/SamlInitiateSingleSignOnException.java (46 additions & 0 deletions)
@@ -0,0 +1,46 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.idp.saml.support; | ||
|
||
import org.elasticsearch.ElasticsearchSecurityException; | ||
import org.elasticsearch.rest.RestStatus; | ||
import org.elasticsearch.xcontent.XContentBuilder; | ||
import org.elasticsearch.xpack.idp.action.SamlInitiateSingleSignOnResponse; | ||
|
||
import java.io.IOException; | ||
|
||
public class SamlInitiateSingleSignOnException extends ElasticsearchSecurityException { | ||
|
||
private SamlInitiateSingleSignOnResponse samlInitiateSingleSignOnResponse; | ||
|
||
public SamlInitiateSingleSignOnException( | ||
String msg, | ||
RestStatus status, | ||
SamlInitiateSingleSignOnResponse samlInitiateSingleSignOnResponse | ||
) { | ||
super(msg, status); | ||
this.samlInitiateSingleSignOnResponse = samlInitiateSingleSignOnResponse; | ||
} | ||
|
||
public SamlInitiateSingleSignOnException(String msg, RestStatus status) { | ||
super(msg, status); | ||
} | ||
|
||
@Override | ||
protected void metadataToXContent(XContentBuilder builder, Params params) throws IOException { | ||
if (this.samlInitiateSingleSignOnResponse != null) { | ||
builder.startObject("saml_initiate_single_sign_on_response"); | ||
this.samlInitiateSingleSignOnResponse.toXContent(builder); | ||
builder.endObject(); | ||
} | ||
} | ||
|
||
public SamlInitiateSingleSignOnResponse getSamlInitiateSingleSignOnResponse() { | ||
return samlInitiateSingleSignOnResponse; | ||
} | ||
} |
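Review bot: `samlInitiateSingleSignOnResponse` is assigned only in the constructors but is not declared `final`, and the two-argument constructor leaves it null rather than delegating; suggest `private final SamlInitiateSingleSignOnResponse samlInitiateSingleSignOnResponse;` with the two-argument constructor written as `this(msg, status, null);` so the null case is explicit and `getSamlInitiateSingleSignOnResponse()` has a clear contract. Because `metadataToXContent` copies the whole attached response (including `post_url` and the `saml_response` XML) into the HTTP error body, a class-level Javadoc should state that the attached response is expected to carry only a failed SAML status message, as in the commit's example, since nothing in the constructor prevents a successful response being attached to an error.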