Authn cancel from a subflow.

Cantor, Scott cantor.2 at
Thu Aug 6 11:23:58 EDT 2015

On 8/5/15, 8:48 PM, "users on behalf of cneberg" <users-bounces at on behalf of cneberg at> wrote:

> I'm working on a plugin which could handle problematically allowing or forbidding access to a specific entityID based on properties of the authentication - such as the authentication type, and/or properties of the user such as what groups they are in.
> I was building this based on modeling it after the attribute release flow, but now that sounds wrong. Where would I put code which does this and can cancel the flow securely?

I'm not prepared to claim there is any way to do it with an absolute degree of certainty once the login is done. I would have to look at the code and determine exactly which context tree manipulations would do the trick. Even destroying user information might still just result in an empty assertion.

Probably the one absolute that would do it in the SAML case is destroying the outbound message context because that's where the information on encoding the response lives. I'm sure there are any number of small tree changes that would reliably break the code.

It's just not a use case we have to do this. Authorization is the SP's job, and having the IdP do it is viewed as a UI feature, not a security feature.

-- Scott
