Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IDP-initiated sso REST handler #51830

Merged
merged 13 commits into from
Feb 18, 2020
Merged

IDP-initiated sso REST handler #51830

merged 13 commits into from
Feb 18, 2020

Conversation

jkakavas
Copy link
Member

@jkakavas jkakavas commented Feb 3, 2020

Necessary rest handler and transport action for consuming an SP
EntityID and producing a SAML response for the authenticating user.
TransportSamlInitiateSingleSignOnAction needs to be adjusted to
take advantage of the secondary authentication handling logic once
this is available.

@jkakavas
Add IDP Configuration settings and related tests
57d2d76
@jkakavas
license and missing conf
fcb2e8c
@jkakavas
Add scope to settings
db7cb67
@jkakavas
address feedback
8ed79cb
@jkakavas
add missing file
a4136c7
@jkakavas
address feedback
5252c8b
@jkakavas
Add handler for IDP initiated SSO
3931770 
Necessary rest handler and transport action for consuming an SP
EntityID and producing a SAML response for the authenticating user.
TransportSamlInitiateSingleSignOnAction needs to be adjusted to
take advantage of the secondary authentication handling logic once
this is available.
TODO: add tests for TransportSamlInitiateSingleSignOnAction
@jkakavas
Merge branch 'feature-internal-idp' into idp-init-handlers
745c7d5
@jkakavas
checkstyle
de22cd6
@jkakavas jkakavas added the :Security/Security Security issues without another label label Feb 3, 2020
@jkakavas jkakavas requested a review from tvernum February 3, 2020 21:29
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Security)

@jkakavas
Copy link
Member Author

jkakavas commented Feb 4, 2020

org.elasticsearch.xpack.ml.integration.MlDistributedFailureIT.testLoseDedicatedMasterNode failed

@elasticmachine run elasticsearch-ci/2 please

tvernum
tvernum reviewed Feb 7, 2020
View reviewed changes
...ugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/IdentityProviderPlugin.java Outdated Show resolved Hide resolved
...rovider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnAction.java Outdated Show resolved Hide resolved
...ovider/src/main/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequest.java Outdated Show resolved Hide resolved
...rc/main/java/org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.java Outdated Show resolved Hide resolved
...rc/main/java/org/elasticsearch/xpack/idp/rest/action/RestSamlInitiateSingleSignOnAction.java Outdated Show resolved Hide resolved
...y-provider/src/main/java/org/elasticsearch/xpack/idp/saml/sp/CloudKibanaServiceProvider.java Outdated Show resolved Hide resolved
...ugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/support/SamlUtils.java Outdated
serializer.transform(new DOMSource(element), new StreamResult(writer));
}

public static String samlObjectToString(SAMLObject object) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
public static String samlObjectToString(SAMLObject object) {
public static String getXmlContent(SAMLObject object) {

I think we should be more explict that this is used to get the object in XML, not just for printing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is marked resolved, but it doesn't seem to have changed.

...ugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/support/SamlUtils.java Outdated

public static String samlObjectToString(SAMLObject object) {
try {
return toString(XMLObjectSupport.marshall(object), true);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for the case where this is used (Rest response) we don't want to pretty print by default (maybe if the pretty parameter is set, but not otherwise).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this has been resolved

...ugin/identity-provider/src/main/java/org/elasticsearch/xpack/idp/saml/support/SamlUtils.java Show resolved Hide resolved
...rc/main/java/org/elasticsearch/xpack/idp/action/TransportSamlInitiateSingleSignOnAction.java Show resolved Hide resolved
@jkakavas
Copy link
Member Author

@tvernum I addressed your comments and added a couple of tests for the Transport action, ready to take another look

@jkakavas jkakavas mentioned this pull request Feb 13, 2020
Merged
tvernum
tvernum reviewed Feb 17, 2020
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of my previous comments were marked as resolved, but I don't see any change that related.

tvernum
tvernum reviewed Feb 17, 2020
View reviewed changes
...rc/main/java/org/elasticsearch/xpack/idp/rest/action/RestSamlInitiateSingleSignOnAction.java Outdated

@Override
public String getName() {
return "idp_init_sso_action";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's minor, but I think this name should reference SAML since it's a SAML specific endpoint.

@jkakavas
Copy link
Member Author

A couple of my previous comments were marked as resolved, but I don't see any change that related.

Apologies, somehow lost track of these. I resolve comments as I fix them in code so that I don't miss any but apparently this didn't help much either way. I left then unresolved now so that you can resolve them while verifying, that should probably be a better workflow.

tvernum
tvernum approved these changes Feb 17, 2020
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jkakavas jkakavas merged commit 4b4393d into elastic:feature-internal-idp Feb 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees
No one assigned
Labels
:Security/Security Security issues without another label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jkakavas @elasticmachine @tvernum