
mahara-contributors team mailing list archive

[Bug 1885954] Re: Improve SAML metadata refresh to ignore manually entered metadata upon creation


To ignore the verification we can alter the else statement in
validate_instance_config_options() for

        if (!empty($values['institutionidp'])) {
         ....
        }
        else {
            $form->set_error('institutionidpentityid', get_string('errormissingmetadata', 'auth.saml'));
        }

So that if 'institutionidp' and 'metarefresh_metadata_url' are both empty we complain,
but if only 'metarefresh_metadata_url' is set we check if we can fetch the external file
and allow things to continue if we can fetch it.

Hmm, because 'institutionidpentityid' will be set to 'new' we will still
need a way to indicate which 'institutionidpentityid' we will need for
this particular new instance because if the idp xml provided metadata
has multiple institutions in it we will need to only choose the correct
one, eg

If we want to fill in:
Available Identity Providers: Add new identity provider
Metadata URL for auto-refresh: https://fakeidp.com/metadata/meta.xml
Institution Identity Provider SAML metadata: [leave blank]

Then we need a new field, say 'institutionidpentityid_new', to be filled in like so:
Institution Identity Provider Entity ID: https://institution-one.fakeidp.com/idp/saml

So that the right chunk of the metadata is extracted and saved, and also
checked to see if the entity id actually exists in the metadata (to avoid having
a wrong metadata url).


Actually we will need a way to provide the

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1885954

Title:
  Improve SAML metadata refresh to ignore manually entered metadata upon
  creation

Status in Mahara:
  Confirmed

Bug description:
  At the moment, when your SSO IdP has a metadata refresh URL, you still
  need to add the actual metadata at least for the first time. The
  metadata refresh URL only fetches any changes afterwards.

  Would it work that we don't have to enter the metadata manually any
  more? That would also help make sure that the correct metadata is
  fetched via the refresh URL and that the setup is correct.

  I could imagine the following:

  1. Add metadata refresh URL to SAML SSO.
  2. Upon saving the form:
     - metadata box gets ignored
     - IdP is contacted and the metadata is fetched automatically and processed, i.e. also checked for any badly formatted SAML.

  If we don't have to display the metadata information, it should not be
  displayed, e.g. if it is coming from the refresh URL as the up-to-date
  XML data can be viewed there directly.

  If a metadata refresh URL exists, the metadata box for pasting in
  metadata should be disabled so as not to provide conflicting
  information.

  I believe, as soon as a metadata refresh URL is provided, the manually
  entered information is ignored when people log in and a call is made
  to the URL / on cron basis for the correct metadata information, but I
  don't think the actual information provided in the metadata box is
  updated.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1885954/+subscriptions
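The validation sketched in the comment above and in the bug description (both fields empty: complain; refresh URL given: fetch it, ignore the pasted metadata box, and keep only the EntityDescriptor that matches the new entity-ID field, rejecting an entity ID the fetched file does not contain), as an added PHP example. This is not Mahara's code: fetch_metadata() is a stand-in that returns a constructed two-IdP metadata document for the URL used in the thread so that the example runs offline, validate_idp_form() returns its errors as an array instead of calling $form->set_error(), and the error keys, the https-only rule and the DOCTYPE refusal are assumptions of this example rather than anything the thread specifies.

```php
<?php
// Added example, not Mahara code. Field names follow the bug thread; the function
// names, error keys and sample metadata are made up for this illustration.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';

// Constructed sample: one metadata file describing two IdPs, the case where the
// entity ID has to pick the right chunk.
const SAMPLE_METADATA = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://institution-one.fakeidp.com/idp/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://institution-one.fakeidp.com/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://institution-two.fakeidp.com/idp/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://institution-two.fakeidp.com/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
XML;

// Stand-in for the HTTP fetch so the example runs offline. A real fetch must verify
// the TLS certificate, set a timeout, and return null on any failure.
function fetch_metadata(string $url): ?string {
    return $url === 'https://fakeidp.com/metadata/meta.xml' ? SAMPLE_METADATA : null;
}

// Return the md:EntityDescriptor whose entityID equals $entityid as a standalone XML
// document, or null when the XML is unparseable or holds no such entity.
function select_entity_descriptor(string $xml, string $entityid): ?string {
    libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET: the parser must never reach out for DTDs or external entities.
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
            return null; // metadata never needs a DOCTYPE; refuse it (entity expansion, XXE)
        }
    }
    // Covers a single EntityDescriptor root as well as EntitiesDescriptor containers.
    foreach ($dom->getElementsByTagNameNS(SAML_MD_NS, 'EntityDescriptor') as $entity) {
        // Strict string comparison, not an XPath predicate built from user input.
        if ($entity->getAttribute('entityID') === $entityid) {
            $out = new DOMDocument('1.0', 'UTF-8');
            $out->appendChild($out->importNode($entity, true));
            return $out->saveXML();
        }
    }
    return null;
}

// Returns [errors keyed by form field, extracted metadata or null].
function validate_idp_form(array $values): array {
    $pasted   = trim($values['institutionidp'] ?? '');
    $url      = trim($values['metarefresh_metadata_url'] ?? '');
    $entityid = trim($values['institutionidpentityid_new'] ?? '');

    if ($url === '' && $pasted === '') {
        return [['institutionidpentityid' => 'errormissingmetadata'], null];
    }
    if ($url !== '') {
        // The refresh URL is the source of truth; the pasted box is ignored.
        if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
            return [['metarefresh_metadata_url' => 'metadata URL must use https'], null];
        }
        $xml = fetch_metadata($url);
        if ($xml === null) {
            return [['metarefresh_metadata_url' => 'could not fetch metadata from URL'], null];
        }
    } else {
        $xml = $pasted;
    }
    if ($entityid === '') {
        return [['institutionidpentityid_new' => 'entity ID required'], null];
    }
    $chunk = select_entity_descriptor($xml, $entityid);
    if ($chunk === null) {
        // Also the signal for a wrong URL: the fetched file does not describe this IdP.
        return [['institutionidpentityid_new' => 'entity ID not found in metadata'], null];
    }
    return [[], $chunk];
}

// Demo: the values from the thread, then an entity ID the fetched file does not contain.
$form = ['institutionidpentityid' => 'new', 'institutionidp' => '',
         'metarefresh_metadata_url' => 'https://fakeidp.com/metadata/meta.xml',
         'institutionidpentityid_new' => 'https://institution-one.fakeidp.com/idp/saml'];
[$errors, $metadata] = validate_idp_form($form);
echo $errors ? print_r($errors, true) : $metadata, "\n";

$form['institutionidpentityid_new'] = 'https://institution-three.fakeidp.com/idp/saml';
[$errors] = validate_idp_form($form);
print_r($errors);
```

Run it with `php validate_idp_form.php`: the first call prints only the institution-one EntityDescriptor (institution-two is dropped), the second reports the entity ID as missing, which is exactly the case the comment wants caught so that a wrong metadata URL is not silently accepted.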

