v26.2.22
Fix cross-tenant identity provider selection via idp_hint in Polis
The idp_hint parameter on the SAML Identity Federation and SSO endpoints selected an upstream identity provider connection by id
without checking that the connection belonged to the requesting tenant and product. On a multi-tenant deployment, a co-tenant
could supply the id of a connection in their own tenant as idp_hint for another tenant's federation app, routing the login to an
identity provider they control and obtaining a Polis-signed assertion audienced to the victim's downstream service provider.
Polis now scopes the hinted connection to the requesting flow. A hint is accepted only when the connection belongs to the
requested tenant and product, to one of a multi-tenant federation app's tenants, or — for IdP-initiated SSO — to the identity
provider that issued the response. Out-of-scope hints are rejected with 403. The upstream-response callback re-checks that the
selected connection is within the session's tenant scope.
In-scope use of idp_hint, including for multi-tenant federation apps, is unchanged.
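The scoping rule described above, modelled as an added example (this is illustrative code, not Polis's own): the pre-fix lookup by id alone sits beside a resolver that checks the hinted connection against the flow's scope. The connection ids, tenants, the HintScope type and the product match for federation apps are constructed assumptions.

```typescript
// Constructed model of an upstream connection record (not Polis's schema).
interface Connection { clientID: string; tenant: string; product: string; idpEntityId: string }

// Constructed sample: two tenants sharing one deployment.
const connections: Connection[] = [
  { clientID: "conn-victim", tenant: "victim.example", product: "crm", idpEntityId: "https://idp.victim.example" },
  { clientID: "conn-other", tenant: "other.example", product: "crm", idpEntityId: "https://idp.other.example" },
];

// The scope a hint must fall inside; exactly one applies to a given flow.
type HintScope =
  | { kind: "sp"; tenant: string; product: string }            // SP-initiated, single-tenant app
  | { kind: "federation"; tenants: string[]; product: string } // multi-tenant federation app
  | { kind: "idp"; issuer: string };                           // IdP-initiated: issuer of the SAMLResponse

// Before the fix: the hint alone selected the connection, regardless of tenant.
function resolveHintUnscoped(idpHint: string): Connection | undefined {
  return connections.find((c) => c.clientID === idpHint);
}

function inScope(c: Connection, scope: HintScope): boolean {
  switch (scope.kind) {
    case "sp": return c.tenant === scope.tenant && c.product === scope.product;
    case "federation": return scope.tenants.includes(c.tenant) && c.product === scope.product; // product check assumed
    case "idp": return c.idpEntityId === scope.issuer;
    default: return false;
  }
}

// After the fix: unknown and out-of-scope hints get the same 403, so the hint cannot be used to probe ids.
function resolveHintScoped(idpHint: string, scope: HintScope): { status: 200; connection: Connection } | { status: 403 } {
  const c = resolveHintUnscoped(idpHint);
  if (!c || !inScope(c, scope)) return { status: 403 };
  return { status: 200, connection: c };
}

// The upstream-response callback re-checks the selected connection against the scope stored in the session,
// so a selection made before the check cannot be redeemed later.
function callbackRecheck(session: { connectionId: string; scope: HintScope }): boolean {
  const c = resolveHintUnscoped(session.connectionId);
  return c !== undefined && inScope(c, session.scope);
}
```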