Add feature flag to disable IdP-initiated authentication flow

app/config/config.yml

@@ -27,6 +27,7 @@ open_conext_engine_block:
         eb.enable_sso_notification: "%feature_enable_sso_notification%"
         eb.feature_enable_consent: "%feature_enable_consent%"
         eb.enable_sso_session_cookie: "%feature_enable_sso_session_cookie%"
+        eb.feature_enable_idp_initiated_flow: "%feature_enable_idp_initiated_flow%"
         eb.stepup.sfo.override_engine_entityid: "%feature_stepup_sfo_override_engine_entityid%"
 
 

app/config/parameters.yml.dist

@@ -224,6 +224,7 @@ parameters:
     feature_block_user_on_violation: false
     feature_enable_consent: true
     feature_stepup_sfo_override_engine_entityid: false
+    feature_enable_idp_initiated_flow: true
 
     ##########################################################################################
     ## PROFILE SETTINGS

src/OpenConext/EngineBlockBundle/Controller/IdentityProviderController.php

@@ -24,9 +24,11 @@
 use OpenConext\EngineBlock\Service\RequestAccessMailer;
 use OpenConext\EngineBlock\Validator\RequestValidator;
 use OpenConext\EngineBlockBridge\ResponseFactory;
+use OpenConext\EngineBlockBundle\Configuration\FeatureConfigurationInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Twig_Environment;
 
 /**
@@ -74,6 +76,11 @@ class IdentityProviderController implements AuthenticationLoopThrottlingControll
      */
     private $bindingValidator;
 
+    /**
+     * @var FeatureConfigurationInterface
+     */
+    private $featureConfiguration;
+
     public function __construct(
         EngineBlock_ApplicationSingleton $engineBlockApplicationSingleton,
         Twig_Environment $twig,
@@ -82,7 +89,8 @@ public function __construct(
         RequestValidator $requestValidator,
         RequestValidator $bindingValidator,
         RequestValidator $unsolicitedRequestValidator,
-        AuthenticationStateHelperInterface $authenticationStateHelper
+        AuthenticationStateHelperInterface $authenticationStateHelper,
+        FeatureConfigurationInterface $featureConfiguration
     ) {
         $this->engineBlockApplicationSingleton = $engineBlockApplicationSingleton;
         $this->twig = $twig;
@@ -92,6 +100,7 @@ public function __construct(
         $this->bindingValidator = $bindingValidator;
         $this->unsolicitedRequestValidator = $unsolicitedRequestValidator;
         $this->authenticationStateHelper = $authenticationStateHelper;
+        $this->featureConfiguration = $featureConfiguration;
     }
 
     /**
@@ -130,9 +139,14 @@ public function singleSignOnAction(Request $request, $keyId = null, $idpHash = n
      * @param null|string $keyId
      * @param null|string $idpHash
      * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
+     * @throws NotFoundHttpException If the IdP-initiated flow has been disabled by config
      */
     public function unsolicitedSingleSignOnAction(Request $request, $keyId = null, $idpHash = null)
     {
+        if (!$this->featureConfiguration->isEnabled('eb.feature_enable_idp_initiated_flow')) {
+            throw new NotFoundHttpException();
+        }
+
         $this->unsolicitedRequestValidator->isValid($request);
 
         $cortoAdapter = new EngineBlock_Corto_Adapter();

src/OpenConext/EngineBlockBundle/Resources/config/controllers/authentication.yml

@@ -22,6 +22,7 @@ services:
             - "@engineblock.validator.saml_binding_validator"
             - "@engineblock.validator.unsolicited_sso_request_validator"
             - "@engineblock.service.authentication_state_helper"
+            - "@engineblock.features"
 
     engineblock.controller.authentication.index:
         class: OpenConext\EngineBlockBundle\Controller\IndexController