mahara-contributors team mailing list archive

Thread
Date

[Bug 1895590] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1895590@xxxxxxxxxxxxxxxxxx>
Date: Tue, 25 May 2021 03:56:49 -0000
Reply-to: Bug 1895590 <1895590@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/11393
Committed: https://git.mahara.org/mahara/mahara/commit/a45bb397c43059402a0c98cb9f53463fb400cf93
Submitter: Lisa Seeto (lisaseeto@xxxxxxxxxxxxxxx)
Branch:    master

commit a45bb397c43059402a0c98cb9f53463fb400cf93
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Tue Oct 20 14:09:29 2020 +1300

Bug 1895590: Adding ability to save / use metadata fingerprint

Change-Id: I125068bd7eb28cd0b5c236721ec585c27f7d8319
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1895590

Title:
  Allow metadata refresh url to also also record validateFingerprint
  value via SAML instance config form

Status in Mahara:
  Fix Committed

Bug description:
  Currently we can fetch metadata from IdP via the metadata refresh url
  but we can't verify what we fetch as being valid.

  Metadata can be signed with a signing certificate and that certificate
  has a fingerprint

  With the metadata refresh system we can fetch the metadata file and
  check that the fingerprint we have recorded for it matches the one it
  was signed with.

  This is useful to make sure that we are actually fetching and
  processing the correct file.

  What we need to do to expand the usefulness of the metadata refresh system are:
  1) Be able to record the fingerprint value (optional) along side the refresh url

  2) Make sure that we only fetch each refresh url once per cron run (eg
  if two or more Institutions use the same metadata url)

  3) Make sure that if the metadata url fails to fetch a valid xml file
  to send an email to admins alerting them of this fact

  
  4) If the IdP metadata has been updated and signed with a new certificate our metadata refresh will reject the file. We will need to make sure that the system handles 'could not verify signature using fingerprint' errors and alerts a mahara admin that the fingerprint needs to be updated

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1895590/+subscriptions

References

[Bug 1895590] [NEW] Allow metadata refresh url to also also record validateFingerprint value via sAML instance config form
From: Robert Lyon, 2020-09-14