-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Describe the SAML Response in greater detail #497
base: main
Are you sure you want to change the base?
Conversation
_pages/saml/authentication.md
Outdated
<p>{{ response_elements | markdownify }}</p> | ||
<p>For example, {{ decrypted_response | markdownify }}</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
markdown inside HTML is not automatic but you can do:
<p>{{ response_elements | markdownify }}</p> | |
<p>For example, {{ decrypted_response | markdownify }}</p> | |
<div markdown="1"> | |
## markdown content here | |
</div> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, that was what I was looking for!
Struggled with deciding between Markdown and HTML, open to suggestions. |
01d662d
to
b25f87c
Compare
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" | ||
InResponseTo="_6fca7b78-9ab7-49f5-bd62-18c48eac3c68" | ||
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> | ||
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_7f3d8cd9-d3f8-4b47-a571-5272810d5073" Version="2.0" IssueInstant="2024-09-18T16:20:36Z" Destination="https://sp.int.identitysandbox.gov/auth/saml/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_bf054c05-5b2c-4773-a6a9-9ba075a87bc9"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Question] Are the Response attributes intentionally placed on a single line? Is there a benefit over the existing layout?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It wasn't intentional. It is what SAML Tool's XML formatter gave me. It does substitute vertical scrolling (which I prefer) for horizontal scrolling. Do we have a preference?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, I only noticed that it was a change. I don't think either way is particularly readable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In my opinion, the horizontal scrolling is better as it allows you to understand the structure from the "pretty-printed" indentation. Would anyone else like to weigh in with their opinions?
Note: Existing content in https://developers.login.gov/saml/authentication/#example-specifying-ial-aal-and-attributes follows horizontal scrolling.
<ds:X509Certificate> | ||
MIIDgDCCAmgCCQCwpieA9CKuDDANBgkqhkiG9w0BAQUFADCBgTEYMBYGA1UEAwwP | ||
U1AgU2luYXRyYSBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEG | ||
<!-- X509Certificate elided --> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Request] Could you use a more common word than "elide"?
"abridged", "truncated", "clipped", "hidden". I think elide isn't a commonly used word: for instance, this is not how I use it (whether or not I use it correctly).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I'll go with truncated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correction, abridged is more accurate.
<ds:SignatureValue>XT9CguQWKBvbqVsJ+Khu5/eyl09JVhHkUuyFHa98ViZUBVgL/Hc9gzwUr43CA7OVOO+uMfCc6WvPKeADF9w9kqJaUgsi8LiKC/nfDCY6+UiRoep2zmXyFJRAvrD/HbgVfayx/4Nn3ponRPZ/T/oezhimssFF66m+/UAwJekO9kuob+5n+uaOiFOMuHEycSdASH/iFnTSR1ajdo6AaLomG6YT8zJbuRzcKmesouAKPiQCJFt2cgstEs1zw8dvTgmozy4qd/0aMiZ52eGcXoORD8VZOQiY63HT8F4wkhk5eGU05sFcyfpg7dXNtKOfCddHwyngmgmPhpRN30ew5njg7w==</ds:SignatureValue> | ||
<ds:KeyInfo> | ||
<ds:X509Data> | ||
<ds:X509Certificate>MIID+TCCAuGgAwIBAgIUUS6s9Rb+KY0fT0qKKgqPPJij/HMwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1owgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhmcFFn4b56vHlGBQ1Lx6AXz17sqKnCc6sJ+9csP1RtQBI0NpPHB2z9Di1PNk/ElK7V7yh3uMu4FJYw30GZFUl2f/ttsDkNHrwfh/jzbMNjrOSc0P25oem4uOUfeGH9jtMhKa+HZLOaOmcyWFKkYR2mwacEbQJ1CWviHtP8AzHUPSbHklAmusRLuygTjq0+QRJZgSezGqwU1L3ixPq+gMzPtMS+fxsMOVo2eosip440gz4rcqUUogtD2hV8EQi3+GIkGYuMTS81ug/385TCPEhzWMnNmDi3HykOZeRNb4GfCYw0Yx+v+cb7BPD5EdxUHNwliHvSiRAeYqLjBjuNUfKQIDAQABo1MwUTAdBgNVHQ4EFgQUusictYnNM2TbIt5STz2lkYN1sI8wHwYDVR0jBBgwFoAUusictYnNM2TbIt5STz2lkYN1sI8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATuLF4kHeP7FY9Wzm3DfF+m/5wUhJEtbsF8J9Wq8duhQ4/gtZVJgMDUKLsnSDLCtWiRlsFXquI8tlo32JsVo5NfZI9WYsub7192iCYpqE+x5G+94tt5vAayoF7GKGPxatyldxAQUz7RUzwqas7NCYXQ0p7wZrMqF8z2yvaUgL55v8TJIb7RP+D8b47Cmzx7IYmx3Co30vZWysQe61Bv880hG11YJsBAc0hmyWlokJYZZVm+xcjKkm6aFyyAbeCe0Kh68QU7f9YkpFv/sW2RIvZ/Z0gvxjJE+YJBwOwPDDHdkb0ZmKOJvlaabi5lkTZvUtTHXb5Hu7DxRRt91dm77MlQ==</ds:X509Certificate> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Nitpick] <ds:X509Certificate>
open and close tags could be moved to different lines from the text contents (add linebreaks).
This would make it consistent with response_example.md
(I'm also not sure how this affects syntax highlighting)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll take a crack at it.
<p markdown="1">After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL with a hidden form control named `SAMLResponse`.</p> | ||
<p markdown="1">`SAMLResponse` contains a base64-encoded XML payload that contains data that is encrypted with the service provider's public key.</p> | ||
<p markdown="1"> The decrypted `SAMLResponse` contains a `<saml:Assertion>` element, which in turn contains the following elements: </p> | ||
<dl> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Praise] Description List in the wild! Thanks for using semantic HTML
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm still unhappy about mixing Markdown and HTML.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find CMSes to be consistently bizarre in their authoring choices. The ones I've seen that are very straightforward for the author tend to be shockingly expensive. (or, I guess, we could just host a wiki)
88a2ab1
to
02cf5de
Compare
_pages/saml/authentication.md
Outdated
<dt markdown="1">`AuthnStatement`</dt> | ||
<dd>Contains the AAL that was used.</dd> | ||
</dl> | ||
<p>For example, {{ decrypted_response | markdownify }}</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<p>For example, {{ decrypted_response | markdownify }}</p> | |
<p>For example: {{ decrypted_response | markdownify }}</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i am wondering if it is more useful to have this example in the example
tab than what is currently there. (although to be honest i can't see someone spending a lot of time looking at either, since as noted above by aj, it's pretty unreadable in its current state)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about that and felt that it was also useful to retain an example of the encrypted response.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think maybe it would make more sense than as adding another tab to the thing on the right - it doesn't really make sense to have an XML example in the body and in the tab. we could have Encrypted Response
and Decrypted Response
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, that's a bigger lift. There's a lot of JavaScript that assumes that the "code" section has only 2 tabs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
then i think we should pause on this -- it'll need a UX/content review, and i hesitate to add that to ursula's plate.
02cf5de
to
431b9b4
Compare
@vrajmohan please add more details in the opening comment about what this change is, what problem it's solving/why it's needed |
Please add more detail as suggested by @Sgtpluck. Since this is a relatively significant change, we'll need UX to take a look. Once there's enough context in the PR description, I'll add a ticket to our backlog. |
The existing documentation for the SAML Authentication response (https://developers.login.gov/saml/authentication/#authentication-response) is low on detail - it just states that the response contains encrypted data. The example provided is for the _encrypted_ response and does not help in understanding the payload. This change attempts to: - provide a description of the actual data elements returned - adds an example of the decrypted response
Introduces horizontal scrolling
431b9b4
to
1851500
Compare
@vrajmohan sorry, to be clearer, please update the initial PR comment where instead of describing the ticket you wrote:
When you open a PR, the description needs to clear to anyone looking at this PR, not just folks who know to look at the commits. Thanks! |
The existing documentation for the SAML Authentication response
(https://developers.login.gov/saml/authentication/#authentication-response)
is low on detail - it just states that the response contains encrypted
data. The example provided is for the encrypted response
and does not help in understanding the payload.
A question asked in Slack
could not be easily answered without digging through the actual code and tests.
This change: