Skip to content

Feature: Add SRAM integration through SBS #1880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
johanib wants to merge 38 commits into
base: main
Choose a base branch
from
Open

Feature: Add SRAM integration through SBS #1880

johanib wants to merge 38 commits into from

Conversation

@johanib
Copy link
Contributor

@johanib johanib commented Oct 28, 2025
edited
Loading

Continued from #1819

In order to facilitate fine-grained access to SRAM, EB integrates with SRAM through the SBS service.

This process is only enabled if both the feature_enable_sram_interrupt feature flag is enabled and the collabEnabled coin of the SP is true.

If enabled, the SramInterruptFilter will call SBS with the sessionId.
If the sessionId is known in SBS, EB will merge the attributes supplied by SBS into the Auth request.
IF the sessionId is unknown, later in the Consume Assertion process, the browser will be redirected to SBS,
which will redirect back to EB after a successful check. Then the attributes from SBS will be merged after all.

See #1804 for details.

mrvanes and others added 28 commits October 21, 2025 11:01
@mrvanes @johanib
Add SRAM Testfilter
b1b9712 
Add processSRAMInterrupt route

Working SRAM interrupt route

Manipulate attributes in interrupt

Add token parameter

Rename endpoints
@mrvanes @johanib
Add sbs-stub
2f8e550 
Align EB/stub with real SBS authz parameters

Use SBS api namespace
@johanib
Change the ValidateAllowedConnection input filter so that collab_enab…
d4df9a6 
…led-services skip the IdP-SP check. I.e., if coin:collab_enabled is set, skip the check if the correct IdP is connected, and always allow the flow to continue.
@johanib
Implement sbs integration flow
c268af7 
See #1804
@mrvanes @johanib
Several fixes
0d4a41e
@mrvanes @johanib
WIP
df8de3a
@johanib
Adjust SBS flow integration test to updated specs
1b08684 
Prior to this change, the test still assumed the entitlements call was used.
This change adjusts the test to prime the sbs functional test endpoint for multiple calls on the authz endpoint instead.
@mrvanes @johanib
Add SBS message logging
8cdadf9
@mrvanes @johanib
Use collabPersonId for sbs user_id
10d6a2a
@mrvanes @johanib
Add SHO and EPPN to SBS authz call
a2b62f9
@mrvanes @johanib
Add message to sbs authz response
1924a86
@mrvanes @johanib
Fix tests
c127771
@mrvanes @johanib
Reinstate attributes endpoint
e5374fe
@mrvanes @johanib
Rename entitlements to attributes
e911fa8
@mrvanes @johanib
Better SBS interrupt reason logging
5658873
@mrvanes @johanib
Reinstate attributes endpoint test
9ad1746
@mrvanes @johanib
Refactoring attempt
dca9815
@mrvanes @johanib
SRAM enabled false by default
6992b69
@mrvanes @johanib
Fix SRAM RP entityId behind oidcng trusted proxy
73a154a
@mrvanes @johanib
Fix SRAMInterruptFilterTest
be531d6
@mrvanes @johanib
Improve SBS response debugging
0812f83
@mrvanes @johanib
Don't restart test mariadb container
3e51a7f
@johanib
Fixes after rebase
a6f6d90
@johanib
WIP - Handle mock idp/sp serialization
f6bd380
@johanib
wip - fix sram
94a1088
@johanib
Fix deserialization of mock idp/sp
9c61e0a
@johanib
Rework test, di, enum
e1fbb07
@johanib
rework sbs flow
82d755c
johanib
johanib commented Oct 29, 2025
View reviewed changes
@johanib johanib force-pushed the feature/sram-interrupt_rebase_php82 branch from 056d93f to 11ff3d9 Compare October 29, 2025 08:20
johanib
johanib commented Oct 29, 2025
View reviewed changes
@johanib johanib marked this pull request as ready for review October 29, 2025 09:51
MKodde
MKodde requested changes Oct 29, 2025
View reviewed changes
Copy link
Member

@MKodde MKodde left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome to see this PR with green builds again 👍

I have some suggestions and questions on the changes of this PR. I know this is the result of a rebase, and most of these points of feedback should be on the 'parent' PR. But still... here you go :)

johanib
johanib commented Oct 30, 2025
View reviewed changes
MKodde
MKodde approved these changes Nov 3, 2025
View reviewed changes
@johanib
Ensure Stepup is performed before SRAM
c6955e2 
Prior to this change, stepup would be performed after the SRAM interrupt check.
This change ensures steupup is performed first.
The reason is that the SRAM callout could trigger a 2fa check in SBS. It would be weird to perform a 2fa stepup after that 2fa check.
So doing the stepup first would seem better.
This was linked to issues Nov 3, 2025
Integratie EB en SRAM #1320
Open
Connect SBS as external authorization engine to Engineblock #1804
Open
@johanib johanib removed a link to an issue Nov 3, 2025
Integratie EB en SRAM #1320
Open
@johanib johanib changed the title SRAM feature rebased Feature: Add SRAM integration through SBS Nov 3, 2025
@baszoetekouw baszoetekouw added this to the 7.1.0 milestone Nov 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrvanes mrvanes mrvanes left review comments

@MKodde MKodde MKodde approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

7.1.0

Development

Successfully merging this pull request may close these issues.

Connect SBS as external authorization engine to Engineblock

5 participants

@johanib @mrvanes @MKodde @baszoetekouw