Add "extension" attribute validation to IdP SPs #129396
Merged
This extends the change from #128176 (#128796) to validate the "custom attributes" on a per Service Provider basis.
Each Service Provider (whether registered or wildcard based) has a field "attributes.extensions" which is a list of attribute names that may be provided by the caller of "/_idp/saml/init".
Service Providers that have not been configured with extension attributes will reject any custom attributes in SAML init.
This necessitates a new field in the service provider index (but only if the new "extensions" attribute is set). The template has been updated, but there is no data migration because the "saml-service-provider" index does not exist in any of the environments into which we wish to deploy this change.

Backport of: #128805, #129233
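The per-Service-Provider check the PR describes, written out as an added example (illustrative Python, not Elasticsearch's own code): a caller of "/_idp/saml/init" may only pass custom attributes whose names appear in that SP's "attributes.extensions" list, and an SP with no configured extensions rejects any custom attribute at all. The `ServiceProvider` class, the function names and the sample entity IDs are assumptions for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServiceProvider:
    """Assumed stand-in for a registered SP document (not the real index mapping)."""
    entity_id: str
    # Mirrors the "attributes.extensions" field: attribute names the caller of
    # /_idp/saml/init may supply. Empty means no custom attributes are allowed.
    extensions: frozenset[str] = field(default_factory=frozenset)


class ExtensionAttributeError(ValueError):
    """Raised when a SAML init request carries attributes the SP did not opt in to."""


def validate_extension_attributes(
    sp: ServiceProvider, requested: dict[str, list[str]]
) -> dict[str, list[str]]:
    """Return the custom attributes that may go into the SAML response for `sp`.

    The whole request is rejected (not silently trimmed) when any requested
    name is outside the SP's allow-list, so a caller cannot probe which names
    were accepted by watching what survives. An SP without configured
    extensions therefore rejects every non-empty set of custom attributes.
    """
    if not requested:
        return {}
    if not sp.extensions:
        raise ExtensionAttributeError(
            f"service provider {sp.entity_id!r} does not accept custom attributes"
        )
    unknown = sorted(set(requested) - sp.extensions)
    if unknown:
        raise ExtensionAttributeError(
            f"attributes {unknown} are not permitted for {sp.entity_id!r}"
        )
    # Copy so later mutation of the request cannot alter what was validated.
    return {name: list(values) for name, values in requested.items()}


def is_rejected(sp: ServiceProvider, requested: dict[str, list[str]]) -> bool:
    """Convenience wrapper: True if the request fails validation for `sp`."""
    try:
        validate_extension_attributes(sp, requested)
    except ExtensionAttributeError:
        return True
    return False
```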