Add note in breaking changes for nameid_format #77785
Conversation
We changed the default for `nameid_format` in 8.0 in elastic#44090 but did not add anything to the breaking changes in the release notes. This change amends that.
Pinging @elastic/es-security (Team:Security)
Pinging @elastic/es-docs (Team:Docs)
I left some non-blocking nits. The only major suggestion I have is about relocating this section. Feel free to ignore or cherry-pick the other stuff as wanted.
I'm also not as experienced with security or SAML as @lockewritesdocs. If there are any conflicts, I'll defer to him.
===== The default value of `nameid_format` setting has been removed.
I'd remove this heading (keep the anchor) and relocate these changes just below the section for The transport.profiles.*.xpack.security.type setting has been removed.
===== The default value of `nameid_format` setting has been removed.
Agreed! I'll implement that change.
The default value has now been removed. This means that {es} will be default
create SAML Authentication Requests that do not put forward such requirements
to the Identity Provider.

If you want to retain the previous behavior, you can set `nameid_format`
to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
I wonder if we can remove the second sentence.
The default value has now been removed. This means that {es} will be default
create SAML Authentication Requests that do not put forward such requirements
to the Identity Provider.
If you want to retain the previous behavior, you can set `nameid_format`
to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

This default has been removed. To retain the previous default behavior, set
`nameid_format` to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
I don't think it makes sense to remove this. This is the essence of what changes and what this change means.
🤦 Forgot to ask in my review: Do we emit a deprecation warning for users that currently use the default? If so, we should also add a deprecation notice to the breaking changes for that release like these: I didn't see one in the 7.x branch. This will let us link to the notice from the deprecation info API.
Thanks James! Co-authored-by: James Rodewig <[email protected]>
Appreciate the assistance @lockewritesdocs but please let the author of a PR have the chance to go through suggested changes and accept/decline/comment. I think this simplifies the flow for everyone involved 🙏
`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. This default created
authentication requests that would require the IdP to release `NameID` with a
transient format.
The default value has now been removed. This means that {es} will be default
The default value has now been removed. This means that {es} will be default

The default value has now been removed. This means that {es} will by default
to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

*Impact* +
To avoid issues, explicitly configure `nameid_format`. If you don't configure
This is not what I am trying to say. If we instruct everyone to set this value, we might as well leave the default in place. What I am trying to say is that "this should probably be ok, but if you know you want the old behavior or you don't know how your IDP is configured but it was working so far and you don't care to try, set this setting to this value explicitly"
In SAML, Identity Providers (IdPs) either release a `NameID` or attempt to
conform with the requirements of a Service Provider (SP). The SP declares its
requirements in the `NameIDPolicy` of an authentication request. In {es}, the
`nameid_format` SAML realm setting controls the `NameIDPolicy`.
In SAML, Identity Providers (IdPs) either release a `NameID` or attempt to
conform with the requirements of a Service Provider (SP). The SP declares its
requirements in the `NameIDPolicy` of an authentication request. In {es}, the
`nameid_format` SAML realm setting controls the `NameIDPolicy`.

In SAML, Identity Providers (IdPs) can be either statically configured to release a `NameID`
with a specific format, or configured to try to conform with the requirements of Service Provider (SP)
The SP declares its requirements in the `NameIDPolicy` element of a SAML Authentication Request.
In {es}, the `nameid_format` SAML realm setting controls the `NameIDPolicy` value.
This is where this PR is coming from: #77276
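To make the `NameIDPolicy` discussion above concrete, here is an added example (not Elasticsearch code, and not the PR author's; the real realm is Java built on OpenSAML) that builds a minimal SAML `AuthnRequest` the way the two defaults behave. `nameid_format=None` models the new 8.0 behaviour where the setting is unset and the request carries no `Format` requirement; passing the transient URN models the old default. `idp_can_satisfy` then shows, from the IdP side, why a statically configured IdP that only releases persistent `NameID`s would reject the old request but accept the new one. The example goes slightly beyond the page by also treating the SAML `unspecified` format as "no requirement", which is how the SAML 2.0 Core specification defines an omitted or unspecified `Format`. The entity ID, request ID and timestamp are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id: str, nameid_format: Optional[str]) -> str:
    """Return a minimal AuthnRequest as XML text.

    nameid_format mirrors the realm setting: None means the setting is unset,
    so no Format attribute is written and the IdP is free to choose; a URN is
    written into NameIDPolicy/@Format and asks the IdP for exactly that format.
    """
    req = ET.Element(
        f"{{{SAMLP}}}AuthnRequest",
        {"ID": "_constructed-request-id", "Version": "2.0",
         "IssueInstant": "2021-10-01T00:00:00Z"},  # constructed placeholder values
    )
    issuer = ET.SubElement(req, f"{{{SAML}}}Issuer")
    issuer.text = sp_entity_id
    policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    if nameid_format is not None:
        policy.set("Format", nameid_format)
    return ET.tostring(req, encoding="unicode")


def requested_format(authn_request_xml: str) -> Optional[str]:
    """Return the Format the SP asked for, or None when no requirement was put forward.

    Per SAML 2.0 Core, an omitted Format and the 'unspecified' URN both mean
    the IdP may return any kind of identifier, so both map to None here.
    """
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return None
    fmt = policy.get("Format")
    return None if fmt in (None, UNSPECIFIED) else fmt


def idp_can_satisfy(authn_request_xml: str, idp_released_format: str) -> bool:
    """Model an IdP that is statically configured to release one NameID format.

    It can honour the request only when the SP imposed no requirement or the
    requirement matches the format it releases; otherwise a real IdP would
    answer with an InvalidNameIDPolicy status and the login would fail.
    """
    wanted = requested_format(authn_request_xml)
    return wanted is None or wanted == idp_released_format


if __name__ == "__main__":
    sp = "https://sp.example.invalid/saml"  # constructed SP entity ID
    old_default = build_authn_request(sp, TRANSIENT)   # pre-8.0 behaviour
    new_default = build_authn_request(sp, None)        # 8.0 behaviour, setting unset
    print("old default request:", old_default)
    print("new default request:", new_default)
    print("persistent-only IdP, old default:", idp_can_satisfy(old_default, PERSISTENT))
    print("persistent-only IdP, new default:", idp_can_satisfy(new_default, PERSISTENT))
```

To keep the pre-8.0 behaviour in a real deployment, the setting lives under the realm in `elasticsearch.yml`, e.g. `xpack.security.authc.realms.saml.<realm-name>.nameid_format`, set to the transient URN shown in the breaking-changes text above.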
I'm sorry @jkakavas. I'm trying to work too quickly. I'll incorporate your changes and push an update.
Thanks @jkakavas @lockewritesdocs! @lockewritesdocs Can you ensure we also add a deprecation notice for this change to the related 7.x branch?
Dipping out to defer to Adam. Thanks!
Co-authored-by: Tim Vernum <[email protected]>
One minor nit, but LGTM otherwise. Thanks for weathering the review storm on this one 🌩️
Co-authored-by: Ioannis Kakavas <[email protected]>
* upstream/master: (24 commits)
  Implement framework for migrating system indices (elastic#78951)
  Improve transient settings deprecation message (elastic#79504)
  Remove getValue and getValues from Field (elastic#79516)
  Store Template's mappings as bytes for disk serialization (elastic#78746)
  [ML] Add queue_capacity setting to start deployment API (elastic#79433)
  [ML] muting rest compat test issue elastic#79518 (elastic#79519)
  Avoid redundant available indices check (elastic#76540)
  Re-enable BWC tests
  TEST Ensure password 14 chars length on Kerberos FIPS tests (elastic#79496)
  [DOCS] Temporarily remove APM links (elastic#79411)
  Fix CCSDuelIT for skipped shards (elastic#79490)
  Add other time accounting in HotThreads (elastic#79392)
  Add deprecation info API entries for deprecated monitoring settings (elastic#78799)
  Add note in breaking changes for nameid_format (elastic#77785)
  Use 'migration' instead of 'upgrade' in GET system feature migration status responses (elastic#79302)
  Upgrade lucene version 8b68bf60c98 (elastic#79461)
  Use Strings#EMPTY_ARRAY (elastic#79452)
  Quicker shared cache file preallocation (elastic#79447)
  [ML] Removing some code that's obsolete for 8.0 (elastic#79444)
  Ensure indexing_data CCR requests are compressed (elastic#79413)
  ...
Preview link: https://elasticsearch_77785.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/migrating-8.0.html#breaking_80_security_changes