CZ-NIC / django-eidas-specific-node

GNU General Public License v3.0

Handling of non-LoA AuthnContextClassRef in SAMLResponse #53

Closed jtalir closed 5 years ago

jtalir commented 5 years ago

Application fails when IdP responds with something other than LoA. In any case - it should not fail, but continue with LightResponse containing message about failure. But I also suggest to have an option to set relaxed mode where if response status is Success (it means that LoA is fulfilled) it would replace LoA from Response with LoA from Request (if it is known).

jiri-janousek commented 5 years ago

Application fails when IdP responds with something other than LoA. In any case - it should not fail, but continue with LightResponse containing message about failure.

That's possible.

But I also suggest to have an option to set relaxed mode where if response status is Success (it means that LoA is fulfilled) it would replace LoA from Response with LoA from Request (if it is known).

At the time we get the IdP response, the corresponding light request is already removed.

jiri-janousek commented 5 years ago

@jtalir suggested adding an optional mapping of non-LoA AuthnContextClassRef to LoA.

jiri-janousek commented 5 years ago

@jtalir suggested adding an optional mapping of non-LoA AuthnContextClassRef to LoA.

Moved to #63.