Jul 16, 2019, 10:10:45 AM
to OpenConext Community
Engine and manage currently support "workflow states" for entities, the
default available states are for historical reasons named "prodaccepted"
What it does is that only two entities that have the same workflow state
can work together; that is, only IdPs in state "A" can log into SPs in
state "A", and those IdPs cannot log in to SPs in state "B".
The problem with this functionality is that it is only partially implemented.
EB and Manage know about it, but other parts of the system do not. So e.g.
OIDC RPs or Stepup entities must always have state 'prodaccepted' to work.
We have also found that it's very confusing to the remote entity
administrators. They cannot see the state of their entity and are therefore
confused about why some IdPs work and others don't, and about how this relates
to ACLs, because limitations on which IdP can access which SP can of course
also already be defined with the ACLs. So we've stopped using them.
Workflow states complicate the EB processing code a lot. We think there are
quite significant savings to be made by obsoleting the feature, and we
believe that EB as the core of the platform should be as clean and
straightforward as possible.
Of course we'd be interested to hear the thoughts of others about this feature.