Add additional SAML IdP config to allow advanced assertion capabilities such as allow any destination, or alternate values

[robotdan]

Add additional SAML IdP config to allow advanced assertion capabilities such as allow any destination, or alternate values

Problem

When migrating SAML v2 IdP configurations there may be a case where it is difficult to request each IdP to update your ACS.

Solution

Add configuration in the SAML v2 IdP to :

1. Validate Destination - default
2. Do not validate Destination - discouraged, but may be useful
3. Allow alternate values for Destination - allow one to many configured values.

Tasks

• [x] Add new config to the SAML v2 IdP configuration to set which destination validation mode you want.
• [x] Allow a zero to many "alternate destination" values when using the "allow alternative values"
• [x] Honor the config during validation of the AuthN response
• [x] Update the SAMLv2 IDP config api object and docs
• [x] Update the migration guide

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

[mooreds]

When this is implemented, we should also update the migration guide: https://fusionauth.io/docs/v1/tech/migration-guide/general

[robotdan]

Internal:

• https://github.com/FusionAuth/fusionauth-app/pull/181