
Add "extension" attribute validation to IdP SPs #129396


Conversation

tvernum (Contributor) commented Jun 13, 2025

This extends the change from #128176 (#128796) to validate the "custom attributes" on a per Service Provider basis.

Each Service Provider (whether registered or wildcard based) has a field "attributes.extensions" which is a list of attribute names that may be provided by the caller of "/_idp/saml/init".

Service Providers that have not been configured with extension attributes will reject any custom attributes in SAML init.

This necessitates a new field in the service provider index (but only if the new extensions attribute is set).
The template has been updated, but there is no data migration because the saml-service-provider index does not exist in any of the environments into which we wish to deploy this change.

Backport of: #128805, #129233

This extends the change from elastic#128176 to validate the "custom
attributes" on a per Service Provider basis.

Each Service Provider (whether registered or wildcard based) has a
field "attributes.extensions" which is a list of attribute names that
may be provided by the caller of "/_idp/saml/init".

Service Providers that have not been configured with extension
attributes will reject any custom attributes in SAML init.

This necessitates a new field in the service provider index (but only
if the new `extensions` attribute is set).
The template has been updated, but there is no data migration because
the `saml-service-provider` index does not exist in any of the
environments into which we wish to deploy this change.

Backport of: elastic#128805, elastic#129233
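The per-Service-Provider rule described above (a caller of "/_idp/saml/init" may only supply custom attributes listed in that SP's "attributes.extensions"; an SP with none configured rejects every custom attribute) as an added Python illustration. This is not code from this PR or from the Elasticsearch code base (the IdP plugin itself is Java); the `ServiceProvider` class, the `saml_init` / `validate_extension_attributes` function names, the glob-style wildcard matching and the sample registry are all assumptions made for the example.

```python
"""Added illustration of per-SP extension-attribute validation (not Elasticsearch code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class ServiceProvider:
    # Exact entity ID of a registered SP, or a wildcard pattern.
    # Glob matching is an assumption; the plugin's real wildcard syntax is not on the page.
    entity_id: str
    # Attribute names a caller of /_idp/saml/init may supply (maps to "attributes.extensions").
    # Empty means "no custom attributes permitted at all".
    extensions: List[str] = field(default_factory=list)

    def matches(self, entity_id: str) -> bool:
        return fnmatchcase(entity_id, self.entity_id)


class UnknownServiceProviderError(ValueError):
    """Raised when no registered or wildcard SP matches the requested entity ID."""


class ExtensionAttributeError(ValueError):
    """Raised when the init request carries attributes the SP is not configured for."""


def find_service_provider(registry: List[ServiceProvider], entity_id: str) -> Optional[ServiceProvider]:
    # Registered (exact) entries take precedence over wildcard entries.
    for sp in registry:
        if sp.entity_id == entity_id:
            return sp
    for sp in registry:
        if sp.matches(entity_id):
            return sp
    return None


def validate_extension_attributes(sp: ServiceProvider,
                                  requested: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Reject any requested attribute name that is not in the SP's configured extensions."""
    allowed = set(sp.extensions)
    unknown = sorted(name for name in requested if name not in allowed)
    if unknown:
        raise ExtensionAttributeError(
            f"service provider [{sp.entity_id}] is not configured for extension "
            f"attributes {unknown} (configured: {sorted(allowed)})"
        )
    return requested


def saml_init(registry: List[ServiceProvider], entity_id: str,
              attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Model of the validation step of /_idp/saml/init: returns the accepted attributes."""
    sp = find_service_provider(registry, entity_id)
    if sp is None:
        raise UnknownServiceProviderError(f"no service provider for [{entity_id}]")
    return validate_extension_attributes(sp, attributes)


# Constructed sample registry: one registered SP with extensions, one registered
# SP without any, and one wildcard SP.
SAMPLE_REGISTRY = [
    ServiceProvider("https://app.example.com", extensions=["department", "costCenter"]),
    ServiceProvider("https://legacy.example.com"),
    ServiceProvider("https://*.partners.example.org", extensions=["team"]),
]


def demo() -> List[str]:
    """Run a few constructed requests and report the outcome of each."""
    cases = [
        ("https://app.example.com", {"department": ["eng"]}),
        ("https://app.example.com", {"department": ["eng"], "clearance": ["high"]}),
        ("https://legacy.example.com", {"department": ["eng"]}),
        ("https://legacy.example.com", {}),
        ("https://crm.partners.example.org", {"team": ["sales"]}),
        ("https://nobody.example.net", {}),
    ]
    results = []
    for entity_id, attrs in cases:
        try:
            saml_init(SAMPLE_REGISTRY, entity_id, attrs)
            results.append("accepted")
        except (ExtensionAttributeError, UnknownServiceProviderError) as err:
            results.append(f"rejected: {err}")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two edge cases worth noting are the empty-extensions SP (`https://legacy.example.com`), which rejects any custom attribute but still accepts a request with none, and the wildcard entry, which only applies when no registered entity ID matches exactly.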
@tvernum tvernum added backport :Security/IdentityProvider Identity Provider (SSO) project in X-Pack v8.19.0 labels Jun 13, 2025
@tvernum tvernum added auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) and removed auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) labels Jun 16, 2025
@elasticsearchmachine elasticsearchmachine merged commit 8efeec2 into elastic:8.19 Jun 16, 2025
16 checks passed
@tvernum tvernum deleted the backport/8.19/128805-Add-extension-attribute-validation branch June 16, 2025 12:39