- Issue created by @jproctor
- 🇺🇸 United States jrglasgow Idaho
@jproctor,
I like the idea that there would be a check to see if Security Kit is blocking the login on the AssertionConsumerService Url because of the CSRF setting in Security Kit. In the past I have run into that on a few of the sites I work with. I have been testing the module on a few D10 sites I have in testing and haven't run into any issues regarding Drupal 10. I think we can push out a new 4.2.0 version now and then release 4.2.1 with any additional fixes.
- 🇺🇸 United States jproctor
I totally agree there should be a check, I was just wondering whether it needed to be a service that fired on every request. I was thinking we could do it inline in the IdP form and that would be good enough.
On consideration, that wouldn’t catch the case that SecKit is installed/configured after the IdP is already set up. Without looking I’m willing to bet there’s not a hook or event when SecKit’s config gets modified, so a service might actually be the only way to catch the problem.
You want to merge that last round of code cleanup 3335453 and tag the release? I can do it later this week but I’m swamped for the next couple days.
- 🇺🇸 United States jrglasgow Idaho
It would have to be an EventSubscriber fired on every request like this one checking for certificate expiration.
- 🇺🇸 United States jrglasgow Idaho
There I go with more mistakes. I tagged 4.2.0 and created the release, then realized that I hadn't done a git pull, so I then released 4.2.1.
We should create tickets for these two items
- Log exceptions from \OneLogin\Saml2\Response::isValid()
- Check if the Security Kit module is enabled
and probably create a meta ticket for 4.3.0 to list the tickets for that release.
- Status changed to Fixed
over 1 year ago 6:43pm 7 July 2023
- 🇺🇸 United States jrglasgow Idaho
Since 4.2.0 has been released I am closing this ticket, I have moved outstanding items to 🌱 4.3.0 roadmap Active
Automatically closed - issue fixed for 2 weeks with no activity.
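
The Security Kit check discussed in this thread, sketched as plain PHP. This is an added example, not code from samlauth or Security Kit. It assumes Security Kit keeps its CSRF options under `seckit_csrf` (`origin`, `origin_whitelist`) in `seckit.settings`, and that the browser's `Origin` header on the SAML response POST is the origin of the IdP's login URL; the function names and sample URLs are hypothetical.

```php
<?php
// Added example: would Security Kit's Origin check reject the IdP's POST to
// the AssertionConsumerService URL? Config key names are an assumption.

/** Normalises a URL to scheme://host[:port], or NULL if it has no host. */
function origin_of(string $url): ?string {
  $p = parse_url(trim($url));
  if (empty($p['scheme']) || empty($p['host'])) {
    return NULL;
  }
  $origin = strtolower($p['scheme'] . '://' . $p['host']);
  return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

/**
 * Returns a warning when the Origin check would block the SAML response,
 * or NULL when the login can get through.
 */
function acs_csrf_warning(array $seckit, string $site_url, string $idp_sso_url): ?string {
  if (empty($seckit['seckit_csrf']['origin'])) {
    // Origin checking is switched off, nothing to warn about.
    return NULL;
  }
  $idp = origin_of($idp_sso_url);
  if ($idp === NULL) {
    return 'IdP login URL is not an absolute URL; cannot check it.';
  }
  // The site's own origin always passes; whitelist entries are comma separated.
  $allowed = [origin_of($site_url)];
  foreach (explode(',', $seckit['seckit_csrf']['origin_whitelist'] ?? '') as $entry) {
    $allowed[] = origin_of($entry);
  }
  if (in_array($idp, array_filter($allowed), TRUE)) {
    return NULL;
  }
  return "Security Kit's Origin check will block SAML responses posted from $idp; add it to the Origin whitelist.";
}

// Constructed sample values: the whitelist first lacks the IdP, then has it.
$seckit = ['seckit_csrf' => ['origin' => TRUE, 'origin_whitelist' => 'https://cdn.example.org']];
var_dump(acs_csrf_warning($seckit, 'https://www.example.org', 'https://idp.example.edu/sso/saml'));
$seckit['seckit_csrf']['origin_whitelist'] .= ', https://idp.example.edu';
var_dump(acs_csrf_warning($seckit, 'https://www.example.org', 'https://idp.example.edu/sso/saml'));
```

Because the function only reads configuration, it can be evaluated each time it is called, which covers the case raised above where Security Kit is configured after the IdP is already set up.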