mahara-contributors team mailing list archive

[Robert Lyon <1895590@xxxxxxxxxxxxxxxxxx>]

** Changed in: mahara
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1895590

Title:
  Allow metadata refresh url to also record validateFingerprint value
  via SAML instance config form

Status in Mahara:
  Fix Released

Bug description:
  Currently we can fetch metadata from IdP via the metadata refresh url
  but we can't verify what we fetch as being valid.

  Metadata can be signed with a signing certificate and that certificate
  has a fingerprint

  With the metadata refresh system we can fetch the metadata file and
  check that the fingerprint we have recorded for it matches the one it
  was signed with.

  This is useful to make sure that we are actually fetching and
  processing the correct file.

  What we need to do to expand the usefulness of the metadata refresh system are:
  1) Be able to record the fingerprint value (optional) along side the refresh url

  2) Make sure that we only fetch each refresh url once per cron run (eg
  if two or more Institutions use the same metadata url)

  3) Make sure that if the metadata url fails to fetch a valid xml file
  to send an email to admins alerting them of this fact

  
  4) If the IdP metadata has been updated and signed with a new certificate our metadata refresh will reject the file. We will need to make sure that the system handles 'could not verify signature using fingerprint' errors and alerts a mahara admin that the fingerprint needs to be updated

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1895590/+subscriptions