...

The scope of testing has increased now that we are supporting refresh token rotation (RTR) for SAML. This support was added in the Poppy release. However, front end support will not reach FOLIO until Q. This means that in Q, instead of testing only the two bindings (REDIRECT and POST), we need to test both bindings for both RTR-enabled mod-login-saml and non-RTR-enabled mod-login-saml. Currently the default for mod-login-saml is for RTR support. In order to configure non-RTR support (also referred to as legacy token support), a configuration needs to be added to mod-login-saml for a given tenant via mod-login-saml's configuration endpoint, as documented in the RAML here.

The four testing scenarios are documented in the following table (columns: Scenario, Stripes has RTR, Stripes configuration, Binding, Configuration required, Configuration, Mock IDP, Notes).

Scenario 1
  Stripes has RTR: True
  Stripes configuration: useSecureTokens: true
  Binding: POST
  Configuration required: Yes
  Configuration: Yes, configuration is needed: SamlConfigRequest.callback = "callback-with-expiry"
  Mock IDP: SSOCircle
  Notes: Configuration on backend is required because it is not the default. Stripes requires configuration.

Scenario 2
  Stripes has RTR: False
  Stripes configuration: useSecureTokens: false
  Binding: POST
  Configuration required: No
  Configuration: No configuration needed
  Mock IDP: SSOCircle
  Notes: No configuration on backend is required because this is the default for backend. Stripes requires configuration because its default is not to do RTR.

Scenario 3
  Stripes has RTR: True
  Stripes configuration: useSecureTokens: true
  Binding: REDIRECT
  Configuration required: Yes
  Configuration: Yes, configuration is needed: SamlConfigRequest.callback = "callback-with-expiry"
  Mock IDP: samltest.id
  Notes: Configuration on backend is required because it is not the default. Stripes requires configuration.

Scenario 4
  Stripes has RTR: False
  Stripes configuration: useSecureTokens: false
  Binding: REDIRECT
  Configuration required: No
  Configuration: No configuration needed
  Mock IDP: samltest.id
  Notes: No configuration on backend is required because this is the default for backend. Stripes requires configuration because its default is not to do RTR.

A successful test for each scenario means that the user is able to log in through the IDP via Stripes without error and then successfully make requests to the FOLIO back-end via Stripes.

Configuration for RTR mode

...

When testing RTR mode (meaning, when running with RTR enabled), the callback endpoint needs to be configured by providing a SamlConfigRequest via PUT to the saml/configuration endpoint of the module. See the callback property of the schema here. The callback has two forms: callback and callback-with-expiry. When the callback is configured as callback-with-expiry, the user will be provided an expiring token. When the callback is not configured, the callback will be callback and the user will be provided a non-expiring access token.
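The following is an added example, not code from the original page or from mod-login-saml: it checks a tenant's saml/configuration against one of the four scenarios (Stripes useSecureTokens versus backend callback) and builds the SamlConfigRequest for the PUT. The Okapi header names, the samlBinding field name and the sample configuration are assumptions.

```python
import json
import urllib.request

# Callback values named on the page; the mapping follows the scenario table:
# RTR in Stripes (useSecureTokens: true) needs the expiring callback on the backend.
CALLBACK_RTR = "callback-with-expiry"   # expiring access token, RTR enabled
CALLBACK_LEGACY = "callback"            # non-expiring access token (legacy, backend default)


def expected_callback(use_secure_tokens: bool) -> str:
    """Callback mod-login-saml must use for a given Stripes useSecureTokens setting."""
    return CALLBACK_RTR if use_secure_tokens else CALLBACK_LEGACY


def check_config(saml_config: dict, use_secure_tokens: bool, binding: str) -> list:
    """List mismatches between a GET saml/configuration body and one test scenario.
    An absent callback means the backend default, i.e. the legacy callback.
    The field name samlBinding is assumed from the SamlConfigRequest schema."""
    problems = []
    actual = saml_config.get("callback", CALLBACK_LEGACY)
    wanted = expected_callback(use_secure_tokens)
    if actual != wanted:
        problems.append(f"callback is {actual!r}, scenario needs {wanted!r}")
    if saml_config.get("samlBinding") != binding:
        problems.append(f"samlBinding is {saml_config.get('samlBinding')!r}, "
                        f"scenario needs {binding!r}")
    return problems


def put_body(saml_config: dict, use_secure_tokens: bool) -> dict:
    """SamlConfigRequest for PUT saml/configuration: current settings plus the callback."""
    return {**saml_config, "callback": expected_callback(use_secure_tokens)}


def put_config(okapi_url: str, tenant: str, token: str, body: dict) -> int:
    """PUT the SamlConfigRequest through Okapi (assumed header names); returns HTTP status."""
    req = urllib.request.Request(
        f"{okapi_url}/saml/configuration", method="PUT", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "X-Okapi-Tenant": tenant, "X-Okapi-Token": token})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed GET saml/configuration response for scenario 3 (Stripes RTR on, REDIRECT)
    current = {"idpUrl": "https://idp.example/saml/idp", "samlBinding": "REDIRECT",
               "samlAttribute": "UserID", "userProperty": "externalSystemId"}
    print(check_config(current, use_secure_tokens=True, binding="REDIRECT"))
    print(json.dumps(put_body(current, use_secure_tokens=True)))
```

Run against a real tenant, an empty list from check_config means the backend matches the scenario; otherwise the listed mismatch is what to fix before attempting the IDP login.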

Note, when UITEN-272 is complete there will be no need to configure the SAML callback via the API, since Stripes will handle this configuration automatically.

It may help to be familiar with the changes for refresh token rotation. Adding support for refresh token rotation has increased the scope of what needs to be tested.

...