clarin-eric / discovery-service-frontend

SPF Central Discovery Service Backend
https://www.clarin.eu/content/clarin-discovery-service
GNU General Public License v3.0

Add support for `returnIDParam` in the initial request from the SP #65

Open WillemElbers opened 4 years ago

WillemElbers commented 4 years ago

As specified in https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery-cd-02.html, the SP can include a returnIDParam parameter to indicate the parameter name that should be appended to the value of the return parameter to signal back the selected IDP entityID.

From the spec:

HTTP Request to Discovery Service
In the first step, a requesting service provider redirects the user agent to the discovery service with an HTTP GET request.

The following parameter MUST be present on the query string (and URL-encoded):

entityID

The unique identifier of the service provider the end user is (or will be) interacting with, following successful authentication by an identity provider.

The following parameters MAY be present:

return

A URL, which MAY itself include a query string. However, such a query string MUST NOT contain a parameter with the same name as the value of the returnIDParam parameter in the request (see below) or the name "entityID" if no returnIDParam parameter is supplied. (This guards against the possibility of a multiply-valued query string parameter in the response.)

The discovery service MUST redirect the user agent to this location in response to this request (see section 2.4.3). If metadata is used (as in section 2.5), then this parameter MAY be omitted; the return location MUST then be based on the default <idpdisc:DiscoveryResponse> element. Otherwise, if metadata is not used, then this parameter becomes mandatory and MUST be present.

...

returnIDParam

A parameter name used to return the unique identifier of the selected identity provider to the original requester. If this parameter is omitted, it defaults to a value of "entityID". This parameter can be used to customize the response to the service provider so that software relying on alternate approaches to discovery can be utilized in conjunction with this protocol.
...
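The request and response rules quoted above, as an added worked example in Python (this is not code from the discovery-service-frontend project): the discovery service validates the SP's request (entityID required, returnIDParam defaulting to "entityID", the return query string not already carrying the response parameter name) and then builds the redirect back to the SP. It assumes metadata is in use, so the service holds a table of registered DiscoveryResponse locations per SP; the table values are constructed sample data, and the default-location fallback and the return-location match against that table are this example's reading of the metadata provision quoted above.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample metadata (hypothetical values, not real CLARIN data): the
# <idpdisc:DiscoveryResponse> locations each SP has registered, first = default.
DISCOVERY_RESPONSE_LOCATIONS = {
    "https://sp.example.org/shibboleth": (
        "https://sp.example.org/Shibboleth.sso/Login",
        "https://sp.example.org/Shibboleth.sso/DS",
    ),
}


class DiscoveryRequestError(ValueError):
    """The SP request violates one of the profile's MUST / MUST NOT rules."""


def _location(url):
    """Scheme, host and path of a URL, ignoring its query string and fragment."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc, parts.path)


def parse_discovery_request(query_string, metadata=DISCOVERY_RESPONSE_LOCATIONS):
    """Validate the SP -> DS request; return (sp_entity_id, return_url, return_id_param)."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))

    # entityID MUST be present.
    sp_entity_id = params.get("entityID")
    if not sp_entity_id:
        raise DiscoveryRequestError("entityID is required")
    # This example assumes metadata is used, so every requesting SP must be known.
    registered = metadata.get(sp_entity_id)
    if not registered:
        raise DiscoveryRequestError("unknown service provider: %s" % sp_entity_id)

    # returnIDParam MAY be present and defaults to "entityID".
    return_id_param = params.get("returnIDParam") or "entityID"

    # return MAY be omitted when metadata is used; fall back to the default
    # DiscoveryResponse location. When present, accept it only if it matches a
    # registered location (the comparison ignores the query string).
    return_url = params.get("return")
    if not return_url:
        return_url = registered[0]
    elif _location(return_url) not in {_location(loc) for loc in registered}:
        raise DiscoveryRequestError("return does not match a registered DiscoveryResponse location")

    # The return query string MUST NOT already carry the response parameter name;
    # otherwise the SP would receive a multiply-valued parameter.
    existing = {name for name, _ in parse_qsl(urlsplit(return_url).query, keep_blank_values=True)}
    if return_id_param in existing:
        raise DiscoveryRequestError("return already contains parameter %r" % return_id_param)

    return sp_entity_id, return_url, return_id_param


def build_response_url(return_url, return_id_param, idp_entity_id):
    """Append <returnIDParam>=<selected IdP entityID>, URL-encoded, to the return URL."""
    parts = urlsplit(return_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((return_id_param, idp_entity_id))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def handle_discovery_request(query_string, selected_idp_entity_id):
    """Full DS-side flow: validate the request, then compute the redirect location."""
    _, return_url, return_id_param = parse_discovery_request(query_string)
    return build_response_url(return_url, return_id_param, selected_idp_entity_id)


if __name__ == "__main__":
    # Constructed sample request from the SP, as it would arrive on the DS query string.
    qs = ("entityID=https%3A%2F%2Fsp.example.org%2Fshibboleth"
          "&return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FLogin%3Ftarget%3D%252Fsecure"
          "&returnIDParam=idp")
    print(handle_discovery_request(qs, "https://idp.example.edu/idp/shibboleth"))
```

With returnIDParam=idp the SP gets back `...Login?target=%2Fsecure&idp=<IdP entityID>`; without it the same request yields `...?entityID=<IdP entityID>`. A return whose query string already contains the chosen parameter name, or whose location is not registered for that SP, is rejected before any redirect is issued.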