Do not set a NameID format in Policy by default #44090
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit changes the behavior of our SAML realm to not set a Format element in the NameIDPolicy of a SAML Authentication request if one has not been explicitly configured by the user with `nameid_format`. We select to not include a format, rather than setting it to `urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified` which would have the same effect, in order to maximize interoperability with IdP implementations. `AllowCreate` is not removed as this has a default value (false) in the specification. Relates: elastic#40353
jkakavas
added
>breaking
:Security/Authentication
|
Pinging @elastic/es-security |
80 tasks
jkakavas
added a commit
to jkakavas/elasticsearch
that referenced
this pull request
Sep 15, 2021
We changed the default for `nameid_format` in 8.0 in elastic#44090 but did not add anything to the breaking changes in the release notes. This change amends that.
masseyke
added a commit
that referenced
this pull request
Sep 15, 2021
lockewritesdocs
pushed a commit
that referenced
this pull request
Oct 19, 2021
* Add note in breaking changes for nameid_format We changed the default for `nameid_format` in 8.0 in #44090 but did not add anything to the breaking changes in the release notes. This change amends that. * remove reference to settings * Fix docs build * Accepting most of James' suggested changes Thanks James! Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com> * Incorporating changes from Ioannis * Apply suggestions from code review Co-authored-by: Tim Vernum <tim@adjective.org> * Apply suggestions from code review Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com> Co-authored-by: Adam Locke <adam.locke@elastic.co> Co-authored-by: Tim Vernum <tim@adjective.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit changes the behavior of our SAML realm to not set a
Format element in the NameIDPolicy of a SAML Authentication
request if one has not been explicitly configured by the user
with
nameid_format. We select to not include a format, ratherthan setting it to
urn:oasis:names:tc:SAML:2.0:nameid-format:unspecifiedwhich wouldhave the same effect, in order to maximize interoperability with
IdP implementations.
AllowCreateis not removed as this has adefault value (false) in the specification.
Relates: #40353