Closed phavekes closed 6 days ago
It wouldn't be very difficult to show the logo when the PEP grants no access to the service. To my knowledge, the response from the [PDP server](https://github.com/OpenConext/OpenConext-pdp/tree/master/pdp-server) does not provide specific information whether or not an idp-specific rule was applied or transgressed.
@okkeh, do you know if the server is capable of determining a rule was idp specific or not and is able to add this information in the response? (Michiel Kodde - Jun 28, 2017)
On the server this can be implemented, but not without some changes. All the PDP policies are evaluated by an external library and the outcome is sent to EB along with some context information like the error message. This already required some tinkering with the external library. Estimated effort to return to EB whether the policy was IdP only is ~4 hours including tests, release and deployment. (Okke Harsta - Jun 28, 2017)
@thijskh In my opinion there are two possible solutions:
What do you think about these options? (Michiel Kodde - Jul 3, 2017)
I would advise to go for the first option. (Okke Harsta - Jul 4, 2017)
The IdPOnly flag is wrapped in an AttributeAssignment (like the deny messages). See attached file. (Okke Harsta - Jul 4, 2017)
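As an added example (not code from this thread, from EngineBlock or from OpenConext-pdp), here is how a PEP could consume a deny response that carries the IdPOnly flag next to the deny messages and decide whether to show the IdP logo. The XACML JSON response shape (Response / Decision / AssociatedAdvice / AttributeAssignments), the attribute ids `DenyMessage:<lang>` and `IdPOnly`, the advice id and the sample responses are assumptions and constructed data; the only thing taken from the thread is that IdPOnly travels in an AttributeAssignment like the deny messages.

```python
"""Interpret a PDP decision and an IdPOnly flag for a PEP.

The response layout below is an assumption (XACML JSON profile style);
the sample responses are constructed, not captured from a real PDP.
"""
import json

# Deny triggered by an IdP-specific policy: carries deny messages and IdPOnly.
DENY_IDP_ONLY = json.dumps({
    "Response": [{
        "Decision": "Deny",
        "AssociatedAdvice": [{
            "Id": "urn:example:advice:deny-policy",  # placeholder advice id
            "AttributeAssignments": [
                {"AttributeId": "DenyMessage:en",
                 "Value": "Access to this service is restricted to staff."},
                {"AttributeId": "DenyMessage:nl",
                 "Value": "Toegang tot deze dienst is beperkt tot medewerkers."},
                {"AttributeId": "IdPOnly", "Value": "true"},
            ],
        }],
    }]
})

# Deny triggered by a policy that is not IdP-specific: no IdPOnly assignment.
DENY_GLOBAL = json.dumps({
    "Response": [{
        "Decision": "Deny",
        "AssociatedAdvice": [{
            "Id": "urn:example:advice:deny-policy",  # placeholder advice id
            "AttributeAssignments": [
                {"AttributeId": "DenyMessage:en",
                 "Value": "This service is not available."},
            ],
        }],
    }]
})

PERMIT = json.dumps({"Response": [{"Decision": "Permit"}]})
INDETERMINATE = json.dumps({"Response": [{"Decision": "Indeterminate"}]})


def _as_bool(value):
    """Accept only an explicit true (bool True or the string 'true'); anything else is False."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def collect_assignments(result):
    """Flatten the AttributeAssignments of every AssociatedAdvice into {AttributeId: Value}."""
    assignments = {}
    for advice in result.get("AssociatedAdvice") or []:
        for assignment in advice.get("AttributeAssignments") or []:
            attribute_id = assignment.get("AttributeId")
            if attribute_id:
                assignments[attribute_id] = assignment.get("Value")
    return assignments


def evaluate(raw_json, language="en"):
    """Return what the PEP needs: permit or not, the deny message, and whether to show the IdP logo.

    Fail closed: anything other than an explicit Permit is treated as a deny.
    The logo is shown only for a real Deny whose IdPOnly assignment is explicitly true,
    so a missing or malformed flag never shows the logo for a non-IdP-specific rule.
    """
    doc = json.loads(raw_json)
    results = doc.get("Response") or []
    if len(results) != 1:
        raise ValueError("expected exactly one Result in the PDP response")
    result = results[0]
    decision = result.get("Decision")
    if decision == "Permit":
        return {"permit": True, "deny_message": None, "show_idp_logo": False}

    assignments = collect_assignments(result)
    # Prefer the user's language, fall back to English, else no message.
    message = assignments.get("DenyMessage:%s" % language) or assignments.get("DenyMessage:en")
    idp_only = _as_bool(assignments.get("IdPOnly"))
    return {
        "permit": False,
        "deny_message": message,
        "show_idp_logo": decision == "Deny" and idp_only,
    }


if __name__ == "__main__":
    for name, sample in [("idp-only deny", DENY_IDP_ONLY), ("global deny", DENY_GLOBAL),
                         ("permit", PERMIT), ("indeterminate", INDETERMINATE)]:
        print(name, evaluate(sample, "nl"))
```

The flag is read with an explicit-true check rather than Python truthiness, so a value such as `"false"` or an absent assignment keeps the logo hidden; the decision check is likewise positive-only, so an `Indeterminate` or `NotApplicable` result blocks access without being mistaken for an IdP-specific policy deny.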
New PDP version on test2 installed that returns the extra IdPOnly flag. (Okke Harsta - Jul 5, 2017)
Thanks, @okkeh! (Michiel Kodde - Jul 5, 2017)
Excellent. So we have a go with that solution then. (Thijs Kinkhorst - Jul 5, 2017)
This is how the logo could be shown. Position can be changed. The size of the logo can be set in the SR. (Michiel Kodde - Jul 5, 2017)
This issue is imported from pivotal - Originally created at May 26, 2017 by Thijs Kinkhorst
As an IdP I can configure authorization policies for my users, and configure a message that they get when rejected at the Policy Enforcement Point. For better recognition, I would like to see my IdP's logo near that message.
This should only be done for idp-specific rules.
We know the logo of an IdP from the wayf. Investigate whether this is relatively straightforward to add (do we know if the triggered rule was idp specific?). If so, add the logo. Otherwise, see how invasive it would be.