Automatic IdP metadata retrieval

Created on 9 June 2023, over 1 year ago
Updated 10 August 2023, over 1 year ago

Problem/Motivation

SSO with this module can break if/when IdP metadata (especially the certificates) changes. This happens routinely with many SAML IdPs. I have worked with clients who will update their certificates annually or even biannually. If a certificate is changed without warning, SSO will break for the site. This might mean admins can't log in temporarily or even that the site is effectively down if access requires login. While this issue can be avoided by manually renewing the certificates, this means extra dev work and room for human error (e.g. SSO going down because the SP administrators don't hear from the IdP administrators that the certificate is changing).

With simplesamlphp_auth and simplesamlphp this problem can be addressed with the metarefresh simplesamlphp module. I would like to see a similar feature in samlauth.

I see there's already this commented out code in SamlAuthConfigureForm, so I think some thought has already been given to a related feature:

// @todo Allow a user to automagically populate this by providing a
//   metadata URL for the IdP. OneLogin's IdPMetadataParser can likely help.
$form['identity_provider']['idp_metadata_url'] = [

Steps to reproduce

1. Configure this module with a SAML IdP as usual.
2. Update the certificate on the SAML IdP.
3. Test SAML login on your site - you will see it no longer works.

Proposed resolution

1. Add the idp_metadata_url field already referenced on the config form.
2. Instead of auto-populating the form, disable most IdP fields (except idp_entity_id) when the URL is populated.
3. When loading IdP metadata from config, if the metadata URL is set, instead load the metadata using OneLogin\Saml2\IdPMetadataParser::parseRemoteXML() and cache it (or use metadata stored in Drupal's cache).
4. Merge this metadata into the IdP config.

I may attach an MR with this feature soon-ish pending some of our internal processes, but even if I don't end up working on it I think this would be a very valuable feature for the module to have.

Feature request
Status: Active
Version: 3.0
Component: Code
Created by: 🇨🇦Canada dylan donkersgoed London, Ontario


Comments & Activities

  • Issue created by @dylan donkersgoed
  • Issue was unassigned.
  • 🇨🇦Canada dylan donkersgoed London, Ontario

    No plans to work on this in the immediate future so unassigning myself for now.

  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    I suggest doing this in multiple parts.

    Part 1:

    Build the code that fetches metadata from a URL and merge it into existing IdP config.

    Add a URL input element somewhere that is not a value saved to config (either on a new form or the regular config form). At the click of a button, fetch metadata + update config + display the new config in the configuration screen.

    Or... even better? At the click of a button, fetch metadata, and show the updated config screen + messages about what was changed, without saving it yet?

    This is what the code comment tried to imply / will make initial configuration of the module a lot easier. And this is necessary base/test work for 'part 2'.

    Then.... part 2 can be what this issue description wants: regular automatic updating of the data. My initial thoughts about this:

    • My feeling is that this is better off implemented as e.g. a Drush command than as cron functionality, though I can be convinced otherwise. (This feels like a devops-y task that you want to configure outside of the website?)
    • There will be extra (possible / eventually requested) configuration options, like an allow/deny-list of attributes to update, a minimum refresh time, ... that should be kept separate from the actual SAML configuration.
    • If this is not a drush command with options, maybe this is an add-on module?
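The following is an added example (not samlauth's own code, and not code from either commenter) showing the pieces that the proposed resolution and roderik's "part 1" both ask for: fetch IdP metadata from a URL with OneLogin's IdPMetadataParser, cache the parsed result, merge it into existing IdP config, and return a list of what changed so a form can display it before anything is saved. It assumes onelogin/php-saml is installed via Composer. Only idp_entity_id and idp_metadata_url appear on this page; the other config keys used (idp_single_sign_on_service, idp_single_log_out_service, idp_certs, idp_cert_encryption), the $cacheGet/$cacheSet callables, and the certificate strings in the offline demo are assumptions and constructed placeholders.

```php
<?php
// Added example for this issue (not the samlauth module's code).
require_once __DIR__ . '/vendor/autoload.php';  // onelogin/php-saml via Composer

use OneLogin\Saml2\Constants;
use OneLogin\Saml2\IdPMetadataParser;

/**
 * Fetches IdP metadata from $url and returns php-saml's parsed 'idp' array.
 *
 * $cacheGet($key) and $cacheSet($key, $value, $ttl) are assumed callables
 * (e.g. wrapping a Drupal cache bin). Remote metadata is the trust anchor for
 * assertion signatures, so: HTTPS only, TLS peer verification on (php-saml's
 * parseRemoteXML() leaves it OFF unless its last argument is TRUE), and on a
 * fetch failure the last good cached copy is returned instead of breaking SSO.
 */
function fetch_idp_metadata(string $url, string $entityId, callable $cacheGet, callable $cacheSet, int $ttl = 3600): array {
  if (strpos($url, 'https://') !== 0) {
    throw new \InvalidArgumentException('IdP metadata must be fetched over HTTPS.');
  }
  $key = 'samlauth_idp_metadata:' . hash('sha256', $url . '|' . $entityId);
  try {
    // Passing $entityId selects the right entity if the URL serves an aggregate.
    $info = IdPMetadataParser::parseRemoteXML(
      $url, $entityId, NULL,
      Constants::BINDING_HTTP_REDIRECT, Constants::BINDING_HTTP_REDIRECT,
      TRUE  // validatePeerName
    );
    if (empty($info['idp'])) {
      throw new \RuntimeException("No IDPSSODescriptor for $entityId at $url");
    }
  }
  catch (\Throwable $e) {
    $cached = $cacheGet($key);
    if (is_array($cached)) {
      return $cached;  // Stale-but-known-good beats an outage; log $e in real code.
    }
    throw $e;
  }
  $cacheSet($key, $info['idp'], $ttl);
  return $info['idp'];
}

/**
 * Merges parsed metadata into samlauth-style IdP config WITHOUT saving it.
 *
 * Returns [$merged, $changes]; $changes maps each updated key to its old and
 * new value so a config screen can show what a refresh would do. The entityID
 * must match the configured idp_entity_id so a refresh can never silently
 * rebind trust to a different IdP. Config keys are assumptions (see lead-in).
 */
function merge_idp_metadata(array $config, array $idp): array {
  if (!empty($config['idp_entity_id']) && $idp['entityId'] !== $config['idp_entity_id']) {
    throw new \RuntimeException(sprintf('Metadata entityID %s does not match configured %s; refusing to merge.',
      $idp['entityId'], $config['idp_entity_id']));
  }
  $incoming = ['idp_entity_id' => $idp['entityId']];
  if (isset($idp['singleSignOnService']['url'])) {
    $incoming['idp_single_sign_on_service'] = $idp['singleSignOnService']['url'];
  }
  if (isset($idp['singleLogoutService']['url'])) {
    $incoming['idp_single_log_out_service'] = $idp['singleLogoutService']['url'];
  }
  if (isset($idp['x509certMulti'])) {
    // Rotation case: the IdP publishes old and new signing certs side by side,
    // so keep all of them and assertions signed with either keep validating.
    $incoming['idp_certs'] = array_values(array_unique($idp['x509certMulti']['signing'] ?? []));
    if (!empty($idp['x509certMulti']['encryption'])) {
      $incoming['idp_cert_encryption'] = $idp['x509certMulti']['encryption'][0];
    }
  }
  elseif (isset($idp['x509cert'])) {
    $incoming['idp_certs'] = [$idp['x509cert']];
  }
  $merged = $config;
  $changes = [];
  foreach ($incoming as $key => $value) {
    $old = $config[$key] ?? NULL;
    if ($old !== $value) {
      $changes[$key] = ['old' => $old, 'new' => $value];
      $merged[$key] = $value;
    }
  }
  return [$merged, $changes];
}

/**
 * Offline walk-through using parseXML() on constructed metadata (the
 * certificate values are placeholders, not real certificates).
 */
function demo(): array {
  $xml = <<<'XML'
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICOLDCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICNEWCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
XML;
  $idp = IdPMetadataParser::parseXML($xml, 'https://idp.example.test/saml')['idp'];
  $config = [  // existing config only knows the old certificate
    'idp_entity_id' => 'https://idp.example.test/saml',
    'idp_single_sign_on_service' => 'https://idp.example.test/sso',
    'idp_certs' => ['MIICOLDCERTPLACEHOLDER'],
  ];
  [$merged, $changes] = merge_idp_metadata($config, $idp);
  return $changes;  // only idp_certs changes: old cert -> [old cert, new cert]
}

print_r(demo());
```

Two caveats for whoever implements this: IdPMetadataParser does not check an XML signature on the metadata document, so if the IdP signs its metadata, verify that signature against a pinned metadata-signing key before calling the merge; and the refresh should run before the new certificate takes effect, which is why the cache TTL above is short and why the "minimum refresh time" option mentioned in the comment belongs next to it rather than in the SAML settings themselves.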