# Authority Plugin System (LDAP, SAML, Custom Providers)

## Module

Authority

## Status

IMPLEMENTED

## Description

Extensible authentication with pluggable identity providers loaded at startup, supporting multiple authentication methods including Standard (username/password), LDAP, OIDC, SAML, and a Unified adapter.

## Implementation Details

- **Modules**:
  - `src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/`
  - `src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/`
- **Key Classes**:
  - `AuthorityPluginLoader` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginLoader.cs`) - discovers and loads plugin assemblies from disk at startup
  - `AuthorityPluginRegistrationSummary` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Plugins/AuthorityPluginRegistrationSummary.cs`) - captures loaded plugins, errors, and capabilities
  - `AuthorityPluginContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthorityPluginContracts.cs`) - `IAuthorityPlugin`, `IAuthorityPluginRegistrar` interfaces
  - `IdentityProviderContracts` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/IdentityProviderContracts.cs`) - `IAuthorityIdentityProviderPlugin`, credential validation, claims enrichment
  - `AuthoritySecretHasher` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugins.Abstractions/AuthoritySecretHasher.cs`) - pluggable secret hashing
  - `StandardIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardIdentityProviderPlugin.cs`) - built-in username/password plugin
  - `StandardPluginRegistrar` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/StandardPluginRegistrar.cs`) - Standard plugin registration
  - `StandardPluginBootstrapper` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Bootstrap/StandardPluginBootstrapper.cs`) - bootstraps initial admin user
  - `StandardCredentialAuditLogger` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Standard/Security/StandardCredentialAuditLogger.cs`) - audit logging for credential operations
  - `LdapIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Ldap/LdapIdentityProviderPlugin.cs`) - LDAP identity provider
  - `OidcIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Oidc/OidcIdentityProviderPlugin.cs`) - OIDC identity provider
  - `SamlIdentityProviderPlugin` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Saml/SamlIdentityProviderPlugin.cs`) - SAML identity provider
  - `AuthPluginAdapter` (`src/Authority/StellaOps.Authority/StellaOps.Authority.Plugin.Unified/AuthPluginAdapter.cs`) - unified adapter for multiple plugin types
- **Interfaces**: `IAuthorityPlugin`, `IAuthorityPluginRegistrar`, `IAuthorityIdentityProviderPlugin` (in `AuthorityPluginContracts.cs`, `IdentityProviderContracts.cs`)
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Start the Authority server with Standard and LDAP plugins and verify `AuthorityPluginRegistrationSummary` shows both loaded successfully
- [ ] Authenticate via `StandardIdentityProviderPlugin` using username/password and verify a token is issued
- [ ] Remove a plugin from the plugins directory, restart, and verify `AuthorityPluginLoader` reports it as missing without crashing
- [ ] Register a custom plugin implementing `IAuthorityIdentityProviderPlugin` and verify it is discovered and callable
- [ ] Verify each plugin's `IAuthorityPluginRegistrar.Register` is called with the correct `AuthorityPluginRegistrationContext`
- [ ] Verify credential audit: authenticate via Standard plugin and verify `StandardCredentialAuditLogger` records the login event
- [ ] Load OIDC and SAML plugins simultaneously and verify each handles its respective protocol flow independently
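The sketch below is an added example and is not StellaOps code: it shows, end to end, what the loader, registrar and identity-provider contracts listed under Implementation Details have to do together, and it covers the "missing plugin does not crash startup" and "custom `IAuthorityIdentityProviderPlugin`" items of the test plan. The interface and class names are taken from the page; everything else is assumed for illustration: the members of each interface, the shape of `AuthorityPluginRegistrationContext`, the `expectedSha256ByFile` allowlist, the `StaticUser*` types and the `bootstrapUser`/`bootstrapSecret` option keys. The real contracts live in `AuthorityPluginContracts.cs` and `IdentityProviderContracts.cs`.

```csharp
// Added example, not StellaOps code. Interface and class names follow the page;
// their members, the registration context and the digest allowlist are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography;

namespace AuthorityPluginExample;

public sealed record AuthorityPluginRegistrationContext(IReadOnlyDictionary<string, string> Options, Action<string> Log);
public sealed record PluginLoadError(string Assembly, string Reason);

public interface IAuthorityPlugin { string Name { get; } }

public interface IAuthorityPluginRegistrar
{
    IAuthorityPlugin Register(AuthorityPluginRegistrationContext context);   // called once per loaded assembly
}

public interface IAuthorityIdentityProviderPlugin : IAuthorityPlugin
{
    // Subject plus claims on success, null on failure; the caller never learns why it failed.
    (string Subject, IReadOnlyDictionary<string, string> Claims)? ValidateCredentials(string user, string secret);
}

public sealed class AuthorityPluginRegistrationSummary
{
    public List<IAuthorityPlugin> Loaded { get; } = new();
    public List<PluginLoadError> Errors { get; } = new();
    public List<string> Missing { get; } = new();   // expected but absent: reported, never fatal
}

public static class AuthorityPluginLoader
{
    // A plugin assembly executes with the Authority's own privileges, so presence in the
    // directory is not a trust decision: only files whose SHA-256 matches an operator-pinned
    // digest are loaded, and they are loaded from the very bytes that were hashed.
    public static AuthorityPluginRegistrationSummary Load(
        string pluginDirectory,
        IReadOnlyDictionary<string, string> expectedSha256ByFile,
        AuthorityPluginRegistrationContext context)
    {
        var summary = new AuthorityPluginRegistrationSummary();
        var present = Directory.Exists(pluginDirectory)
            ? Directory.GetFiles(pluginDirectory, "*.dll").Select(f => Path.GetFileName(f)).ToHashSet(StringComparer.OrdinalIgnoreCase)
            : new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var extra in present.Where(f => !expectedSha256ByFile.ContainsKey(f)))
            summary.Errors.Add(new(extra, "not in allowlist; skipped"));   // unexpected DLLs are never loaded

        foreach (var (file, expected) in expectedSha256ByFile)
        {
            if (!present.Contains(file)) { summary.Missing.Add(file); continue; }
            try
            {
                var bytes = File.ReadAllBytes(Path.Combine(pluginDirectory, file));
                var actual = Convert.ToHexString(SHA256.HashData(bytes));
                if (!actual.Equals(expected, StringComparison.OrdinalIgnoreCase))
                {
                    summary.Errors.Add(new(file, $"digest mismatch: expected {expected}, got {actual}"));
                    continue;
                }
                var registrars = Assembly.Load(bytes).GetTypes()
                    .Where(t => typeof(IAuthorityPluginRegistrar).IsAssignableFrom(t) && !t.IsAbstract).ToList();
                if (registrars.Count == 0) { summary.Errors.Add(new(file, "no IAuthorityPluginRegistrar")); continue; }
                foreach (var t in registrars)
                    summary.Loaded.Add(((IAuthorityPluginRegistrar)Activator.CreateInstance(t)!).Register(context));
            }
            catch (Exception ex)   // a broken plugin is recorded; it does not stop startup
            {
                summary.Errors.Add(new(file, $"{ex.GetType().Name}: {ex.Message}"));
            }
        }
        return summary;
    }
}

// A minimal custom provider of the kind the E2E plan registers (illustrative, assumed).
public sealed class StaticUserIdentityProviderPlugin : IAuthorityIdentityProviderPlugin
{
    private readonly byte[] _salt = RandomNumberGenerator.GetBytes(16);
    private readonly Dictionary<string, byte[]> _hashes;
    public string Name => "static-users";

    public StaticUserIdentityProviderPlugin(IReadOnlyDictionary<string, string> userSecrets) =>
        _hashes = userSecrets.ToDictionary(kv => kv.Key, kv => Derive(kv.Value));

    private byte[] Derive(string secret) =>
        Rfc2898DeriveBytes.Pbkdf2(secret, _salt, 100_000, HashAlgorithmName.SHA256, 32);

    public (string Subject, IReadOnlyDictionary<string, string> Claims)? ValidateCredentials(string user, string secret)
    {
        // Derive and compare even for unknown users so timing does not reveal which names exist.
        var known = _hashes.TryGetValue(user, out var stored);
        var match = CryptographicOperations.FixedTimeEquals(Derive(secret), stored ?? new byte[32]);
        if (!(known && match)) return null;
        IReadOnlyDictionary<string, string> claims = new Dictionary<string, string> { ["idp"] = Name };
        return (user, claims);
    }
}

public sealed class StaticUserPluginRegistrar : IAuthorityPluginRegistrar
{
    public IAuthorityPlugin Register(AuthorityPluginRegistrationContext context)
    {
        context.Log($"registering {nameof(StaticUserIdentityProviderPlugin)}");
        return new StaticUserIdentityProviderPlugin(
            new Dictionary<string, string> { [context.Options["bootstrapUser"]] = context.Options["bootstrapSecret"] });
    }
}
```

Two choices are deliberate. The loader hashes the file and then calls `Assembly.Load(bytes)` on the same buffer, so there is no window between the digest check and the load in which the file on disk could be swapped; a loader that hashes the path and then `LoadFrom`s the path leaves that window open. A file that is absent lands in `Missing`, a file with the wrong digest or no registrar lands in `Errors`, and only the third outcome produces an entry in `Loaded`, which is the distinction the first and third E2E items need to assert on. In the custom provider, PBKDF2 is run for unknown users as well so that the response time does not enumerate valid usernames; in the real system this role belongs to `AuthoritySecretHasher`, and the audit record for the attempt belongs to the credential audit logger, neither of which this example models.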