Decide on RequesterID scoping feature #1214

Open
thijskh opened this issue Dec 16, 2022 · 3 comments
Labels
proposed-removal Discussion whether given functionality should be removed

Comments

@thijskh
Member

thijskh commented Dec 16, 2022

A feature exists in EB where it can sub-scope the available IdPs for an SP if this SP passes it as a RequesterID in the authentication request and we know this remote SP: the allowed IdPs of this remote SP are then used to filter the allowed IdPs for the authenticating SP. The feature actually loops over all supplied RequesterIDs, not just the last one.

This is a subset of the later introduced trusted proxy feature. A trusted proxy can do this plus more powers (ARP, PDP etc.) on behalf of the other SP.

The question is whether this is a useful feature to keep (as is), or if trusted proxy has superseded it and it's obsolete. The code is not very problematic (unchanged for 10 years, has tests) but on the other hand is run on every authentication so if it's not needed it should probably be cleaned up.

You are using this feature if you add SPs to Manage that are not directly connected but are behind other (connected) SPs. Or more concretely, if you run EB >= 6.9.1 and you log info level messages and you have the following messages in your log: SP passes RequesterID '$requesterId', using it to sub-scope the available IdPs
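A simplified model of the sub-scoping described in the comment above, added here as an illustration; it is not EngineBlock's code or part of the original post. The function name, the registry layout and all entity IDs are assumptions made up for the example.

```python
# Simplified model of RequesterID sub-scoping as described in the issue.
# Not EngineBlock code: names and data below are constructed for illustration.

# entityID of each known SP -> set of IdP entityIDs it is allowed to use
KNOWN_SPS = {
    "https://proxy.example.org/sp": {"idp-a", "idp-b", "idp-c"},
    "https://wiki.example.org/sp": {"idp-a", "idp-b"},
    "https://lab.example.org/sp": {"idp-b"},
    "https://other.example.org/sp": {"idp-a", "idp-z"},
}


def subscope_idps(authenticating_sp, requester_ids, known_sps=KNOWN_SPS):
    """Return (allowed IdPs, RequesterIDs that were actually applied).

    Every supplied RequesterID that names a known SP filters the list;
    unknown RequesterIDs are skipped. Filtering is an intersection, so the
    result can only shrink relative to the authenticating SP's own list:
    a RequesterID never grants an IdP the authenticating SP lacks.
    """
    allowed = set(known_sps[authenticating_sp])  # copy, registry stays intact
    applied = []
    for requester_id in requester_ids:  # all of them, not just the last one
        remote_allowed = known_sps.get(requester_id)
        if remote_allowed is None:  # remote SP is not known: no effect
            continue
        allowed &= remote_allowed
        applied.append(requester_id)
    return allowed, applied


if __name__ == "__main__":
    proxy = "https://proxy.example.org/sp"
    chain = ["https://wiki.example.org/sp", "https://lab.example.org/sp"]
    idps, used = subscope_idps(proxy, chain)
    print(sorted(idps), used)
```

Because the RequesterID values come from the authentication request, the property worth checking in any such filter is that they can only narrow the IdP list, never widen it.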

thijskh added the proposed-removal label Apr 28, 2023
@tvdijen
Contributor

tvdijen commented Dec 19, 2023

I never noticed this issue before, but we heavily rely on this. Our peers use it to suppress the WAYF whenever they can.

@thijskh
Member Author

thijskh commented Dec 20, 2023

Just to check, you are seeing the log message?

@tvdijen
Contributor

tvdijen commented Dec 20, 2023

Yes, I do
