Add DisplayName to the <samlp:Extensions> of the Stepup callout AuthnRequest
User story
As a user, I want to see the name of the service I am logging into during second-factor authentication, so that I can verify I am authenticating for the right application and detect unexpected or malicious authentication attempts.
Background
This is the EB side of a broader initiative to show the service name during Stepup authentication. See the RFC for the full design: OpenConext/Stepup-Gateway#587.
EB acts as an SFO application connecting to Stepup-Gateway on behalf of thousands of services. Rather than showing a generic proxy name (e.g. "OpenConext"), we want to pass the actual service name to Stepup so it can be shown in the 2FA UI, push notifications, and SMS messages.
EB already knows the service name via the name:en and name:nl fields of the SP entity (saml20_sp) or RP entity (oidc10_rp) from OpenConext-manage, pushed to EB via the metadata push API.
What needs to be done
Introduce a feature flag feature_stepup_send_service_name in EB (following the existing feature flag pattern in config/packages/parameters.yml.dist).
When enabled, for every Stepup callout AuthnRequest, EB MUST add an mdui:UIInfo element to the <samlp:Extensions> containing a mdui:DisplayName for each available language. Example:
    <samlp:Extensions>
        <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
            <mdui:DisplayName xml:lang="en">Online learning environment</mdui:DisplayName>
            <mdui:DisplayName xml:lang="nl">Electronische leeromgeving</mdui:DisplayName>
        </mdui:UIInfo>
    </samlp:Extensions>
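As an added illustration (not EngineBlock code), the following Python builds the extension described above from the entity's name:xx fields, gated by the feature flag and omitting empty values, and shows the receiver-side lookup that should read the name only from Extensions/UIInfo; the FEATURES dict, the entity dict and the Issuer value are constructed stand-ins.

```python
"""Added example (not EngineBlock code): build and read the mdui:UIInfo
extension of a Stepup callout AuthnRequest, honouring the feature flag and
the 'no empty values' rule. Names and data below are constructed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("mdui", MDUI)):
    ET.register_namespace(prefix, uri)

# Hypothetical stand-in for EB's feature flag configuration.
FEATURES = {"feature_stepup_send_service_name": True}


def display_names(entity):
    """Collect the name:<lang> fields of an SP/RP entity, skipping empty ones."""
    return {k.split(":", 1)[1]: v.strip() for k, v in entity.items()
            if k.startswith("name:") and v and v.strip()}


def add_ui_info(authn_request, entity, features=FEATURES):
    """Add <samlp:Extensions><mdui:UIInfo> to the request when the flag is on."""
    names = display_names(entity)
    if not features.get("feature_stepup_send_service_name") or not names:
        return authn_request  # flag off or no name at all: request left untouched
    ext = authn_request.find(f"{{{SAMLP}}}Extensions")
    if ext is None:
        # Schema order: Extensions follows Issuer and Signature.
        pos = sum(1 for c in authn_request
                  if c.tag in (f"{{{SAML}}}Issuer", f"{{{DS}}}Signature"))
        ext = ET.Element(f"{{{SAMLP}}}Extensions")
        authn_request.insert(pos, ext)
    ui = ET.SubElement(ext, f"{{{MDUI}}}UIInfo")
    for lang, name in sorted(names.items()):
        dn = ET.SubElement(ui, f"{{{MDUI}}}DisplayName", {XML_LANG: lang})
        dn.text = name
    return authn_request


def read_display_names(xml_bytes):
    """Receiver side: {lang: name} taken only from Extensions/UIInfo/DisplayName."""
    root = ET.fromstring(xml_bytes)
    path = f"{{{SAMLP}}}Extensions/{{{MDUI}}}UIInfo/{{{MDUI}}}DisplayName"
    return {dn.get(XML_LANG): dn.text for dn in root.findall(path) if dn.text}


def build_request(entity, features=FEATURES):
    """Constructed minimal AuthnRequest for the entity, serialised to bytes."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": "_example", "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://engine.example.org/sp"
    return ET.tostring(add_ui_info(req, entity, features))
```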
Acceptance criteria
- feature_stepup_send_service_name is introduced, disabled by default
- An mdui:UIInfo element with mdui:DisplayName entries for en and nl is added to the <samlp:Extensions> of the Stepup callout AuthnRequest
- The DisplayName values are taken from name:en and name:nl of the SP/RP entity from OpenConext-manage
- When no name is available for a language, that mdui:DisplayName element is omitted (no empty values)
Related