Review status code caused by SAML exceptions #57331
Labels: >enhancement, :Security/Authentication (Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)), Team:Security (Meta label for security team)
The method `SamlUtils#samlException(String msg, Object... args)` is used to signify a SAML exception in many places. A large part of these exceptions is caught in `SamlRealm#authenticate`, where it is handled internally and not exposed directly to users. There are however usages in many other places where this exception ultimately gets translated into a `500` status code, which is not always suitable. For example, when a SAML request is not signed, it feels more appropriate to return `400`. This issue proposes to review these usages and rationalise the status code in case of error.
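As an added illustration of the proposal (hypothetical code, not part of Elasticsearch or of this issue), the sketch below keeps the existing `samlException` default of `500` and adds an assumed overload that lets a call site which has identified a client-caused failure, such as an unsigned request, attach `400` instead; it assumes the `ElasticsearchSecurityException(String, RestStatus, Object...)` and `ElasticsearchSecurityException(String, RestStatus, Throwable, Object...)` constructors and the `status()` accessor.

```java
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.rest.RestStatus;

/** Hypothetical helper: SAML errors that carry a caller-chosen REST status. */
final class SamlStatusExample {

    // Current behaviour: no status given, so the exception defaults to 500.
    static ElasticsearchSecurityException samlException(String msg, Object... args) {
        return new ElasticsearchSecurityException(msg, args); // INTERNAL_SERVER_ERROR
    }

    // Assumed overload: call sites that know the client is at fault choose the status.
    static ElasticsearchSecurityException samlException(RestStatus status, String msg, Object... args) {
        return new ElasticsearchSecurityException(msg, status, args);
    }

    // A request that arrives without a signature is malformed input from the client: 400.
    static ElasticsearchSecurityException unsignedRequest(String requestId) {
        return samlException(RestStatus.BAD_REQUEST, "SAML request [{}] is not signed", requestId);
    }

    // A realm that cannot read its own IdP metadata is a server-side problem: 500 stays correct.
    static ElasticsearchSecurityException metadataUnavailable(String path, Exception cause) {
        return new ElasticsearchSecurityException(
            "Cannot load IdP metadata from [{}]", RestStatus.INTERNAL_SERVER_ERROR, cause, path);
    }

    public static void main(String[] args) {
        // Constructed sample values; only the chosen status is of interest here.
        System.out.println(unsignedRequest("_req_constructed").status());          // BAD_REQUEST
        System.out.println(metadataUnavailable("/path/to/idp-metadata.xml",
            new java.io.IOException("constructed failure")).status());             // INTERNAL_SERVER_ERROR
    }
}
```

The review the issue asks for amounts to visiting each `samlException` call site and deciding which of these two categories it belongs to.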