Skip to content

Allow usage of relative URIs in AuthnContextClassRef#3281

Open
glatzert wants to merge 8 commits intoAzureAD:devfrom
jguzdv:ottenhus/allow-relative-authnContextUri
Open

Allow usage of relative URIs in AuthnContextClassRef#3281
glatzert wants to merge 8 commits intoAzureAD:devfrom
jguzdv:ottenhus/allow-relative-authnContextUri

Conversation

@glatzert
Copy link
Copy Markdown

@glatzert glatzert commented Jul 18, 2025

Allow usage of relative URIs in AuthnContextClassRef

Introduces a AppContext switch, that allows to cirumvent a condition that checks for Uri.IsAbsoulte on Saml2AuthenticationContext.ClassReference

Fixes #3279

@brentschmaltz

@glatzert glatzert marked this pull request as ready for review July 18, 2025 07:04
@glatzert glatzert requested a review from a team as a code owner July 18, 2025 07:04
@pmaytak pmaytak requested a review from Copilot July 25, 2025 15:53
Copilot AI reviewed Jul 25, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces a new AppContext switch to allow relative URIs in SAML2 AuthnContextClassRef elements. Currently, the library enforces that ClassReference values must be absolute URIs, but this change provides a configuration option to bypass this validation when needed.

  • Adds a new AppContext switch AllowRelativeUrisInSaml2AuthnContext to control URI validation behavior
  • Modifies the Saml2AuthenticationContext.ClassReference setter to conditionally allow relative URIs
  • Includes comprehensive test coverage with proper test isolation through collection definitions

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
AppContextSwitches.cs Adds the new switch definition and reset logic
Saml2AuthenticationContext.cs Updates ClassReference validation to respect the new switch
Saml2AuthenticationContextWithAppContextTests.cs New test file to verify the switch functionality
Saml2AuthenticationContextTests.cs Adds collection attribute for test isolation
Saml2AuthenticationContextCollectionDefinition.cs Defines test collection with disabled parallelization

pmaytak
pmaytak reviewed Jul 25, 2025
View reviewed changes
@pmaytak
Copy link
Copy Markdown
Collaborator

pmaytak commented Jul 25, 2025

Once this is released, we'll need to update: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/App-Context-Switches-in-IdentityModel

@glatzert glatzert force-pushed the ottenhus/allow-relative-authnContextUri branch from 80c3dc1 to d494769 Compare July 27, 2025 09:29
@glatzert
Copy link
Copy Markdown
Author

glatzert commented Jul 27, 2025

I updated the suggestions and rebased as per Githubs request - I hope I did not break anything in your workflow by doing that 🙈

I was sick last week, so I needed a liitle bit.
Nevertheless I found one thing about the test cases - if they run in Visual Studio simultanously for each .net version, some will fail - I think the xunit runner does not isolate the AppContext against each other in that case. Running the tests for a single .net version will work as expected.

@glatzert
Copy link
Copy Markdown
Author

glatzert commented Aug 7, 2025

Can I do something about the (probably) shared AppContext in the different dotnet versions or did i miss something in older .net runtimes?

@glatzert
Copy link
Copy Markdown
Author

glatzert commented Feb 11, 2026

After being out-of-office for quite some time now, I wanted to follow up about this change - anything that can be done from my side to make it happen?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pmaytak pmaytak pmaytak approved these changes

+1 more reviewer

@brentschmaltz brentschmaltz brentschmaltz approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature Request] Allow relaxed parsing of URIs in SAML2

4 participants

@glatzert @pmaytak @brentschmaltz