Get a full understanding of what we consider to be supported advices. This will involve testing all the different kinds of advices we get and working out what we definitively do not support. On the face of it, a lot of the policies are tested on the AM side (e.g. properties), so we should be able to support them (if we did not limit ourselves).
Here's a starter list:
- Active Session Time = test against max session time (session info)
- Current session properties = no advices - so should be supported
- Identity Membership = maybe not supported as we don't pass user info in resources.
- IPv4 Address/DNS Name = no advices - so should be supported
- IPv6 Address/DNS Name = no advices - so should be supported
- LDAP Filter Condition = no advices - so should be supported
- OAuth2 scope = no advices - so should be supported
- Resource/Environment/IP Address = unclear
- Script = Seemingly no specific data required so should be supported
- Time = no advices - so should be supported
N.B. The AM docs say this:
When policy evaluation denials occur against the following conditions, AM does not return any advice:
- I've not reviewed the new AuthenticateToTree but, again, I suppose we just return the value to AM and await the result.
- We may decide to remove the "supported advices" checks in `AbstractConditionAdviceFilter` and just by default return advices to AM.