Uploaded image for project: 'Identity Gateway'
  1. Identity Gateway
  2. OPENIG-2827

Understand extent of support for AM (policy decision) advices

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.0.0, 6.1.0
    • Fix Version/s: None
    • Component/s: Core, OpenAM
    • Labels:
      None
    • Sprint:
      OpenIG Sprint 132, OpenIG Sprint 134, OpenIG Sprint 135
    • Story Points:
      5

      Description

      Get a full understanding of what we consider to be supported advices. This will involve testing all the different kinds of advices we get and work out what we definitively do not support. On the face of it a lot of the policies are tested on the AM side (e.g. properties) so we should be able to support them (if we did not limit ourselves).

      Here's a starter list:

      • Active Session Time = test against max session time (session info)
      • Current session properties = no advices - so should be supported
      • Identity Membership - maybe not supported as we don't pass user info in resources.
      • IPv4 Address/ DNS Name = no advices - so should be supported
      • IPv6 Address/ DNS Name = no advices - so should be supported
      • LDAP Filter Condition = no advices - so should be supported
      • OAuth2 scope = no advices - so should be supported
      • Resource/Environment/IP Address = unclear
      • Script = Seemingly no specific data required so should be supported
      • Time = no advices - so should be supported

      N.B. The AM docs say this:

      When policy evaluation denials occur against the following conditions, AM does not return any advice:

      • IPv4
      • IPv6
      • LDAPFilter
      • OAuth2Scope
      • SessionProperty
      • SimpleTime

      Notes:

      • I've not reviewed the new AuthenticateToTree but, again, I suppose we just return the value to AM and await the result.
      • We may decide to remove the "supported advices" checks in `AbstractConditionAdviceFilter` and just by default return advices to AM.

        Attachments

          Activity

            People

            Assignee:
            wayne.morrison Wayne Morrison
            Reporter:
            wayne.morrison Wayne Morrison
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: