mahara-contributors team mailing list archive
-
mahara-contributors team
-
Mailing list archive
-
Message #60030
[Bug 1895590] [NEW] Allow metadata refresh url to also also record validateFingerprint value via sAML instance config form
Public bug reported:
Currently we can fetch metadata from IdP via the metadata refresh url
but we can't verify what we fetch as being valid.
Metadata can be signed with a signing certificate and that certificate
has a fingerprint
With the metadata refresh system we can fetch the metadata file and
check that the fingerprint we have recorded for it matches the one it
was signed with.
This is useful to make sure that we are actually fetching and processing
the correct file.
What we need to do to expand the usefulness of the metadata refresh system are:
1) Be able to record the fingerprint value (optional) along side the refresh url
2) Make sure that we only fetch each refresh url once per cron run (eg
if two or more Institutions use the same metadata url)
3) Make sure that if the metadata url fails to fetch a valid xml file to
send an email to admins alerting them of this fact
4) If the IdP metadata has been updated and signed with a new certificate our metadata refresh will reject the file. We will need to make sure that the system handles 'could not verify signature using fingerprint' errors and alerts a mahara admin that the fingerprint needs to be updated
** Affects: mahara
Importance: Wishlist
Status: New
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1895590
Title:
Allow metadata refresh url to also also record validateFingerprint
value via sAML instance config form
Status in Mahara:
New
Bug description:
Currently we can fetch metadata from IdP via the metadata refresh url
but we can't verify what we fetch as being valid.
Metadata can be signed with a signing certificate and that certificate
has a fingerprint
With the metadata refresh system we can fetch the metadata file and
check that the fingerprint we have recorded for it matches the one it
was signed with.
This is useful to make sure that we are actually fetching and
processing the correct file.
What we need to do to expand the usefulness of the metadata refresh system are:
1) Be able to record the fingerprint value (optional) along side the refresh url
2) Make sure that we only fetch each refresh url once per cron run (eg
if two or more Institutions use the same metadata url)
3) Make sure that if the metadata url fails to fetch a valid xml file
to send an email to admins alerting them of this fact
4) If the IdP metadata has been updated and signed with a new certificate our metadata refresh will reject the file. We will need to make sure that the system handles 'could not verify signature using fingerprint' errors and alerts a mahara admin that the fingerprint needs to be updated
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1895590/+subscriptions
Follow ups
