Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Describe the SAML Response in greater detail #497

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

vrajmohan
Copy link

@vrajmohan vrajmohan commented Sep 19, 2024

The existing documentation for the SAML Authentication response
(https://developers.login.gov/saml/authentication/#authentication-response)
is low on detail - it just states that the response contains encrypted
data. The example provided is for the encrypted response
and does not help in understanding the payload.

A question asked in Slack
could not be easily answered without digging through the actual code and tests.

This change:

  • provides a description of the actual data elements returned
  • adds an example of the decrypted response

@vrajmohan vrajmohan marked this pull request as draft September 19, 2024 17:42
@vrajmohan vrajmohan requested a review from nprimak September 19, 2024 17:42
Comment on lines 179 to 185
<p>{{ response_elements | markdownify }}</p>
<p>For example, {{ decrypted_response | markdownify }}</p>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

markdown inside HTML is not automatic but you can do:

Suggested change
<p>{{ response_elements | markdownify }}</p>
<p>For example, {{ decrypted_response | markdownify }}</p>
<div markdown="1">
## markdown content here
</div>

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, that was what I was looking for!

@vrajmohan
Copy link
Author

Struggled with deciding between Markdown and HTML, open to suggestions.

@vrajmohan vrajmohan force-pushed the vm-update-saml-response branch from 01d662d to b25f87c Compare September 20, 2024 15:47
@vrajmohan vrajmohan marked this pull request as ready for review September 20, 2024 17:00
@vrajmohan vrajmohan changed the title [WIP] Describe the SAML Response in greater detail Describe the SAML Response in greater detail Sep 20, 2024
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
InResponseTo="_6fca7b78-9ab7-49f5-bd62-18c48eac3c68"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_7f3d8cd9-d3f8-4b47-a571-5272810d5073" Version="2.0" IssueInstant="2024-09-18T16:20:36Z" Destination="https://sp.int.identitysandbox.gov/auth/saml/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_bf054c05-5b2c-4773-a6a9-9ba075a87bc9">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Question] Are the Response attributes intentionally placed on a single line? Is there a benefit over the existing layout?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It wasn't intentional. It is what SAML Tool's XML formatter gave me. It does substitute vertical scrolling (which I prefer) for horizontal scrolling. Do we have a preference?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question, I only noticed that it was a change. I don't think either way is particularly readable.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, the horizontal scrolling is better as it allows you to understand the structure from the "pretty-printed" indentation. Would anyone else like to weigh in with their opinions?

Note: Existing content in https://developers.login.gov/saml/authentication/#example-specifying-ial-aal-and-attributes follows horizontal scrolling.

<ds:X509Certificate>
MIIDgDCCAmgCCQCwpieA9CKuDDANBgkqhkiG9w0BAQUFADCBgTEYMBYGA1UEAwwP
U1AgU2luYXRyYSBEZW1vMQwwCgYDVQQKDANHU0ExDDAKBgNVBAsMAzE4ZjETMBEG
<!-- X509Certificate elided -->
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Request] Could you use a more common word than "elide"?

"abridged", "truncated", "clipped", "hidden". I think elide isn't a commonly used word: for instance, this is not how I use it (whether or not I use it correctly).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I'll go with truncated.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correction, abridged is more accurate.

<ds:SignatureValue>XT9CguQWKBvbqVsJ+Khu5/eyl09JVhHkUuyFHa98ViZUBVgL/Hc9gzwUr43CA7OVOO+uMfCc6WvPKeADF9w9kqJaUgsi8LiKC/nfDCY6+UiRoep2zmXyFJRAvrD/HbgVfayx/4Nn3ponRPZ/T/oezhimssFF66m+/UAwJekO9kuob+5n+uaOiFOMuHEycSdASH/iFnTSR1ajdo6AaLomG6YT8zJbuRzcKmesouAKPiQCJFt2cgstEs1zw8dvTgmozy4qd/0aMiZ52eGcXoORD8VZOQiY63HT8F4wkhk5eGU05sFcyfpg7dXNtKOfCddHwyngmgmPhpRN30ew5njg7w==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIID+TCCAuGgAwIBAgIUUS6s9Rb+KY0fT0qKKgqPPJij/HMwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MB4XDTI0MDEyMjIwMTcwN1oXDTI1MDQwMTIwMTcwN1owgYsxCzAJBgNVBAYTAlVTMR0wGwYDVQQIDBREaXN0cmljdCBvZiBDb2x1bWJpYTETMBEGA1UEBwwKV2FzaGluZ3RvbjEMMAoGA1UECgwDR1NBMRIwEAYDVQQLDAlMb2dpbi5nb3YxJjAkBgNVBAMMHWxvZ2luLmdvdi5pZGVudGl0eXNhbmRib3guZ292MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhmcFFn4b56vHlGBQ1Lx6AXz17sqKnCc6sJ+9csP1RtQBI0NpPHB2z9Di1PNk/ElK7V7yh3uMu4FJYw30GZFUl2f/ttsDkNHrwfh/jzbMNjrOSc0P25oem4uOUfeGH9jtMhKa+HZLOaOmcyWFKkYR2mwacEbQJ1CWviHtP8AzHUPSbHklAmusRLuygTjq0+QRJZgSezGqwU1L3ixPq+gMzPtMS+fxsMOVo2eosip440gz4rcqUUogtD2hV8EQi3+GIkGYuMTS81ug/385TCPEhzWMnNmDi3HykOZeRNb4GfCYw0Yx+v+cb7BPD5EdxUHNwliHvSiRAeYqLjBjuNUfKQIDAQABo1MwUTAdBgNVHQ4EFgQUusictYnNM2TbIt5STz2lkYN1sI8wHwYDVR0jBBgwFoAUusictYnNM2TbIt5STz2lkYN1sI8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATuLF4kHeP7FY9Wzm3DfF+m/5wUhJEtbsF8J9Wq8duhQ4/gtZVJgMDUKLsnSDLCtWiRlsFXquI8tlo32JsVo5NfZI9WYsub7192iCYpqE+x5G+94tt5vAayoF7GKGPxatyldxAQUz7RUzwqas7NCYXQ0p7wZrMqF8z2yvaUgL55v8TJIb7RP+D8b47Cmzx7IYmx3Co30vZWysQe61Bv880hG11YJsBAc0hmyWlokJYZZVm+xcjKkm6aFyyAbeCe0Kh68QU7f9YkpFv/sW2RIvZ/Z0gvxjJE+YJBwOwPDDHdkb0ZmKOJvlaabi5lkTZvUtTHXb5Hu7DxRRt91dm77MlQ==</ds:X509Certificate>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Nitpick] <ds:X509Certificate> open and close tags could be moved to different lines from the text contents (add linebreaks).

This would make it consistent with response_example.md (I'm also not sure how this affects syntax highlighting)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll take a crack at it.

<p markdown="1">After the user authenticates, Login.gov will redirect and POST a form back to your registered Assertion Consumer Service URL with a hidden form control named `SAMLResponse`.</p>
<p markdown="1">`SAMLResponse` contains a base64-encoded XML payload that contains data that is encrypted with the service provider's public key.</p>
<p markdown="1"> The decrypted `SAMLResponse` contains a `<saml:Assertion>` element, which in turn contains the following elements: </p>
<dl>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[Praise] Description List in the wild! Thanks for using semantic HTML

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still unhappy about mixing Markdown and HTML.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find CMSes to be consistently bizarre in their authoring choices. The ones I've seen that are very straightforward for the author tend to be shockingly expensive. (or, I guess, we could just host a wiki)

@vrajmohan vrajmohan force-pushed the vm-update-saml-response branch from 88a2ab1 to 02cf5de Compare September 20, 2024 21:14
<dt markdown="1">`AuthnStatement`</dt>
<dd>Contains the AAL that was used.</dd>
</dl>
<p>For example, {{ decrypted_response | markdownify }}</p>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<p>For example, {{ decrypted_response | markdownify }}</p>
<p>For example: {{ decrypted_response | markdownify }}</p>

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i am wondering if it is more useful to have this example in the example tab than what is currently there. (although to be honest i can't see someone spending a lot of time looking at either, since as noted above by aj, it's pretty unreadable in its current state)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about that and felt that it was also useful to retain an example of the encrypted response.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think maybe it would make more sense than as adding another tab to the thing on the right - it doesn't really make sense to have an XML example in the body and in the tab. we could have Encrypted Response and Decrypted Response.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, that's a bigger lift. There's a lot of JavaScript that assumes that the "code" section has only 2 tabs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

then i think we should pause on this -- it'll need a UX/content review, and i hesitate to add that to ursula's plate.

@vrajmohan vrajmohan force-pushed the vm-update-saml-response branch from 02cf5de to 431b9b4 Compare September 24, 2024 17:03
@Sgtpluck
Copy link
Contributor

@vrajmohan please add more details in the opening comment about what this change is, what problem it's solving/why it's needed

@mmagsa
Copy link
Contributor

mmagsa commented Sep 26, 2024

Please add more detail as suggested by @Sgtpluck. Since this is a relatively significant change, we'll need UX to take a look. Once there's enough context in the PR description, I'll add a ticket to our backlog.

The existing documentation for the SAML Authentication response
(https://developers.login.gov/saml/authentication/#authentication-response)
is low on detail - it just states that the response contains encrypted
data. The example provided is for the _encrypted_ response
and does not help in understanding the payload.

This change attempts to:
- provide a description of the actual data elements returned
- adds an example of the decrypted response
Introduces horizontal scrolling
@vrajmohan vrajmohan force-pushed the vm-update-saml-response branch from 431b9b4 to 1851500 Compare September 26, 2024 14:41
@Sgtpluck
Copy link
Contributor

@vrajmohan sorry, to be clearer, please update the initial PR comment where instead of describing the ticket you wrote:

Still figuring out why I can't simply use markdown and need to assign complex fragments using {% capture %} and render with markdownify

When you open a PR, the description needs to clear to anyone looking at this PR, not just folks who know to look at the commits. Thanks!

@Xlabjun Xlabjun mentioned this pull request Dec 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants