feat(saml): allow setting nameid-format and alternative mapping for transient format #7979
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

Coverage Diff

| | main | #7979 | +/- |
| --- | --- | --- | --- |
| Coverage | 62.46% | 62.43% | -0.03% |
| Files | 1342 | 1343 | +1 |
| Lines | 110863 | 110981 | +118 |
| Hits | 69252 | 69295 | +43 |
| Misses | 37730 | 37803 | +73 |
| Partials | 3881 | 3883 | +2 |

View full report in Codecov by Sentry.

This PR is included in version 2.53.0. The release is available on GitHub release. Your semantic-release bot
Which Problems Are Solved

ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a persistent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users.

How the Problems Are Solved

This PR adds the following two options on SAML IdP:

Additional Changes

To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`.

Additional Context

Closes #7483
Closes #7743
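The linking decision this PR motivates, as an added Go example that is not ZITADEL's own code: it parses a constructed SAML assertion, uses a persistent NameID directly for matching an IdP link and, for a transient NameID (which changes on every request), falls back to a hypothetical alternative attribute named by `altAttr`. The PR's actual option names and storage are not assumed here.

```go
package main

import "encoding/xml"
import "fmt"

const (
	NameIDPersistent = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
	NameIDTransient  = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
)

// Minimal subset of a SAML 2.0 assertion; only the parts needed here.
type assertion struct {
	NameID struct {
		Format string `xml:"Format,attr"`
		Value  string `xml:",chardata"`
	} `xml:"Subject>NameID"`
	Attrs []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// LinkID returns the identifier used to match an existing IdP link: a persistent NameID
// as-is, or for a transient NameID the value of altAttr (hypothetical alternative mapping).
func LinkID(raw []byte, altAttr string) (string, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", err
	}
	switch a.NameID.Format {
	case NameIDPersistent:
		return a.NameID.Value, nil
	case NameIDTransient: // value differs per request, never usable for linking
		for _, at := range a.Attrs {
			if at.Name == altAttr && len(at.Values) > 0 && at.Values[0] != "" {
				return at.Values[0], nil
			}
		}
		return "", fmt.Errorf("transient NameID and no %q attribute to map", altAttr)
	}
	return "", fmt.Errorf("unsupported NameID format %q", a.NameID.Format)
}

// Constructed assertion with a transient NameID and a stable "uid" attribute.
const sample = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2</saml:NameID></saml:Subject><saml:AttributeStatement><saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>`

func main() {
	id, err := LinkID([]byte(sample), "uid")
	fmt.Println(id, err) // alice <nil>
}
```

Rejecting any format other than persistent or transient keeps an IdP that silently switches to an unexpected format from being linked to a wrong account.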