Hi, I noticed that the user creation/lookup is solely based on the NameId that the IDP provides. This could cause issues if multiple IDPs return the same NameId (be it malicious or just a bad way to generate the ids). Would it be possible to provide a way to generate the user id more dynamically? My suggestion would be to allow lookup_attr[1] in auth.py:90 to be a function that takes saml_auth and final_map as arguments (and possibly the provider name?). Happy to provide a PR if you agree.
I do acknowledge that IDP providers should generally be trusted, and sometimes you even want to merge accounts that different IDPs provide, but in my case I am a bit paranoid about IDPs behaving badly.
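The collision the issue describes, as an added example that is not code from this issue or from the project. It models the two lookup strategies side by side: keying the user record on the bare NameID (the behaviour the issue reports) versus keying it on a provider-scoped value produced by a callable with the `(saml_auth, final_map, provider)` signature the issue proposes. `FakeSamlAuth`, `UserStore`, `login` and `simulate` are constructed stand-ins for this demonstration and are not the project's own types or API; the two IdP names and the asserted NameID are constructed sample input.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class FakeSamlAuth:
    """Constructed stand-in for the SAML auth object; only the NameID matters here."""
    nameid: str

    def get_nameid(self) -> str:
        return self.nameid


@dataclass
class User:
    key: str        # primary lookup key in the user store
    provider: str   # which IdP first asserted this identity
    nameid: str
    email: str


# Signature the issue suggests for a callable lookup_attr: (saml_auth, final_map, provider) -> key.
LookupFn = Callable[[FakeSamlAuth, Dict[str, str], str], str]


@dataclass
class UserStore:
    """Constructed in-memory user table, keyed on whatever the lookup function returns."""
    users: Dict[str, User] = field(default_factory=dict)

    def get_or_create(self, key: str, provider: str, nameid: str,
                      attrs: Dict[str, str]) -> Tuple[User, bool]:
        if key in self.users:
            return self.users[key], False
        user = User(key=key, provider=provider, nameid=nameid, email=attrs.get("email", ""))
        self.users[key] = user
        return user, True


def lookup_nameid_only(saml_auth: FakeSamlAuth, final_map: Dict[str, str], provider: str) -> str:
    """Behaviour the issue reports: the key is the bare NameID, whoever asserted it."""
    return saml_auth.get_nameid()


def lookup_scoped(saml_auth: FakeSamlAuth, final_map: Dict[str, str], provider: str) -> str:
    """Proposed behaviour: namespace the NameID by provider so two IdPs cannot collide.

    Assumes provider names are stable configured identifiers (e.g. the IdP entityID) that
    never contain the separator; otherwise a crafted NameID could still forge a key.
    """
    assert ":" not in provider, "provider identifier must not contain the separator"
    return f"{provider}:{saml_auth.get_nameid()}"


def login(store: UserStore, lookup: LookupFn, provider: str,
          saml_auth: FakeSamlAuth, final_map: Dict[str, str]) -> Tuple[User, bool]:
    """Resolve the asserted identity to a local user via the configured lookup function."""
    key = lookup(saml_auth, final_map, provider)
    return store.get_or_create(key, provider, saml_auth.get_nameid(), final_map)


def simulate(lookup: LookupFn) -> Tuple[bool, bool, int]:
    """Two IdPs assert the same NameID 'alice'. Returns (same_account, second_created, user_count)."""
    store = UserStore()
    first, _ = login(store, lookup, "idp-a", FakeSamlAuth("alice"), {"email": "alice@a.example"})
    # A second, possibly hostile, IdP asserts the same NameID.
    second, created = login(store, lookup, "idp-b", FakeSamlAuth("alice"),
                            {"email": "someone-else@b.example"})
    return first is second, created, len(store.users)


if __name__ == "__main__":
    print("nameid-only:", simulate(lookup_nameid_only))  # second IdP lands on idp-a's account
    print("scoped:     ", simulate(lookup_scoped))       # second IdP gets a distinct account
```

With the NameID-only lookup the second IdP's assertion resolves to the account created for the first IdP, which is exactly the cross-IdP takeover the issue is worried about; with the scoped lookup each provider gets its own namespace and the two assertions yield two separate users. The check on the separator is the caveat a practitioner would want: scoping only helps if the provider component cannot be influenced by the assertion itself.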