Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change default NameID Policy for SAML Authentication requests #40353

Closed
jkakavas opened this issue Mar 22, 2019 · 2 comments
Closed

Change default NameID Policy for SAML Authentication requests #40353

jkakavas opened this issue Mar 22, 2019 · 2 comments
Assignees
@jkakavas
Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0-alpha1

Comments

@jkakavas
Copy link
Member

We set NameIDPolicy to urn:oasis:names:tc:SAML:2.0:nameid-format:transient by default in our SAML Authentication Requests. Since NameIDPolicy is optional, we probably should not be making this explicit choice on behalf of the users and default to not setting it all. What's more we do tend to use nameid-persistent to map to attributes.principal in our config examples and this is a configuration that should not work by default.

The documentation around NameIDs should be enhances so that the relationship between the requested NameID (nameid_format) and the possibly parsed value in a configuration like attributes.principal: nameid-persistent will be clarified.
@jkakavas jkakavas added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0 v7.2.0 labels Mar 22, 2019
@jkakavas jkakavas self-assigned this Mar 22, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jakelandis jakelandis added v7.3.0 and removed v7.2.0 labels Jun 17, 2019
@jpountz jpountz added v7.4.0 and removed v7.3.0 labels Jul 3, 2019
@jkakavas jkakavas removed the v7.4.0 label Jul 8, 2019
jkakavas added a commit to jkakavas/elasticsearch that referenced this issue Jul 8, 2019
@jkakavas
Do not set a NameID format in Policy by default
49feb28 
This commit changes the behavior of our SAML realm to not set a
Format element in the NameIDPolicy of a SAML Authentication
request if one has not been explicitly configured by the user
with `nameid_format`. We select to not include a format, rather
than setting it to
`urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified` which would
have the same effect, in order to maximize interoperability with
IdP implementations. `AllowCreate` is not removed as this has a
default value (false) in the specification.

Relates: elastic#40353
@jkakavas jkakavas mentioned this issue Jul 8, 2019
Merged
pull bot pushed a commit to sadlil/elasticsearch that referenced this issue Jul 9, 2019
@jkakavas
Do not set a NameID format in Policy by default (elastic#44090)
6ec2647 
This commit changes the behavior of our SAML realm to not set a
Format element in the NameIDPolicy of a SAML Authentication
request if one has not been explicitly configured by the user
with `nameid_format`. We select to not include a format, rather
than setting it to
`urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified` which would
have the same effect, in order to maximize interoperability with
IdP implementations. `AllowCreate` is not removed as this has a
default value (false) in the specification.

Relates: elastic#40353
@jkakavas
Copy link
Member Author

jkakavas commented Aug 1, 2019

Resolved by #44090

@jkakavas jkakavas closed this as completed Aug 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkakavas jkakavas

Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jpountz @jakelandis @jkakavas @elasticmachine