Skip to content

Add Service Provider entity ID based filtering #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tvdijen merged 6 commits into from
Aug 26, 2025
Merged

Add Service Provider entity ID based filtering #30

tvdijen merged 6 commits into from
Aug 26, 2025

Conversation

@sitya
Copy link

@sitya sitya commented Aug 24, 2025

Allow restricting authorization rules to specific SPs by adding spEntityIDs arrays to attribute configurations. Rules with spEntityIDs only apply when the current SP matches the allowed list, enabling fine-grained access control per service provider.

Valid use-case: when our institution authenticates users who are allowed to access only a very few SPs, but they must be handled by the main IdP (e.g. users with library-walk-in affiliation). These improvements are relevant, if only you use Authorize module for your authproc.idp. In this case the the users can access only for the listed SPs, not else (e.g. they cannot access any resource from the national federation).

@sitya
Add Service Provider entity ID based filtering
58c7411 
Allow restricting authorization rules to specific SPs by adding spEntityIDs arrays to attribute configurations. Rules with spEntityIDs only apply when the current SP matches the allowed list, enabling fine-grained access control per service provider.
tvdijen
tvdijen reviewed Aug 24, 2025
View reviewed changes
@tvdijen tvdijen requested a review from monkeyiq August 25, 2025 06:51
tvdijen
tvdijen approved these changes Aug 25, 2025
View reviewed changes
Copy link
Member

@tvdijen tvdijen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me now! @monkeyiq would you mind going over this too?

@codecov
Copy link

codecov bot commented Aug 25, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 90.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.03%. Comparing base (d411c40) to head (042f993).
⚠️ Report is 7 commits behind head on master.

Additional details and impacted files 
@@             Coverage Diff              @@
##             master      #30      +/-   ##
============================================
+ Coverage     63.56%   69.03%   +5.46%     
- Complexity       50       56       +6     
============================================
  Files             2        2              
  Lines           129      155      +26     
============================================
+ Hits             82      107      +25     
- Misses           47       48       +1
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@monkeyiq
Copy link
Contributor

monkeyiq commented Aug 25, 2025

I played around with testSpRestriction setting deny to true and when the dataset expectations are also inverted it seems to do what one would expect. I am not sure why one would want to deny on attr+sp picking but it is a possibility.

@monkeyiq
Copy link
Contributor

monkeyiq commented Aug 25, 2025

I will give this another comb over in the morning. On first eyeballs it looks good.

@tvdijen
Copy link
Member

tvdijen commented Aug 25, 2025

Just a thought, not for this PR, but for later discussion.. I think it would make sense to be able to make authproc-filters apply to specific entities, in addition to the already existing 'precondition'-feature..

@tvdijen
Copy link
Member

tvdijen commented Aug 25, 2025

@sitya I took the liberty to 1) throw \SimpleSAML\Error\Exception instead of \Exception because we are trying to get rid of any generic exceptions in the SimpleSAMLphp-code and 2) I used an assertion that tests the $spEntityIDs variable for valid entityIDs. I hope you agree that both are good improvements.

Once @monkeyiq had his time to go over this once more I will merge and tag v1.7

@monkeyiq
Copy link
Contributor

monkeyiq commented Aug 25, 2025

Using Assert for configuration seems like a good idea. It should probably be a hard failure mode to avoid any unintended soft fail over if the configuration is not what is expected. If folks are setting up specific auth procs they are probably happy to RTFM and make sure they have an array where one is expected.

@monkeyiq
Copy link
Contributor

monkeyiq commented Aug 25, 2025

@tvdijen feel free to merge and tag :) sorry about the delay.

@tvdijen tvdijen merged commit f436ecc into simplesamlphp:master Aug 26, 2025
23 checks passed
@tvdijen
Copy link
Member

tvdijen commented Aug 26, 2025

Tagged v1.7.0 - it will be included in the full build of SimpleSAMLphp 2.5.0
In the mean time you can manually update this module by running bin/composer.phar update simplesamlphp/simplesamlphp-module-authorize

@monkeyiq monkeyiq mentioned this pull request Sep 24, 2025
Closed
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 16, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@monkeyiq monkeyiq monkeyiq approved these changes

@tvdijen tvdijen tvdijen approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sitya @monkeyiq @tvdijen