Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow configuration of OneLogin library via metadata url #87

Open
ObjectiveTruth opened this issue Aug 15, 2017 · 7 comments
Open

Allow configuration of OneLogin library via metadata url #87

ObjectiveTruth opened this issue Aug 15, 2017 · 7 comments

Comments

@ObjectiveTruth
Copy link

Heya,

Usually an IDP will offer a metadata link to their xml containing all the configuration parameters for a SAML library to use for quick configuration and incase something changes at the IDP level, it doesn't have to manually updated to the SPs.

I think it'd be a great idea to have the plugin take a metadata url and keep a copy locally that is refreshed every so often.

I'm thinking, a reference implementation could be the Moodle WP saml plugin

great library btw 👍

@ObjectiveTruth ObjectiveTruth changed the title Allow configuration of OneLogin library via metadataurl link Allow configuration of OneLogin library via metadata url Aug 15, 2017
@danielbachhuber
Copy link
Contributor

Thanks for the suggestion @ObjectiveTruth.

Usually an IDP will offer a metadata link to their xml containing all the configuration parameters for a SAML library to use for quick configuration and incase something changes at the IDP level, it doesn't have to manually updated to the SPs.

Do you have an example of this XML configuration that I could take a look at?

@ObjectiveTruth
Copy link
Author

For sure, there's one available here on this gist

<EntityDescriptor entityID="https://idp.example.com/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">idp.example.com</shibmd:Scope>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="ja">idp-example</mdui:DisplayName>
        <mdui:DisplayName xml:lang="en">idp-example Inc.</mdui:DisplayName>
        <mdui:Logo height="75" width="200">http://www.idp-example.co.jp/images/logo.png</mdui:Logo>
        <mdui:InformationURL xml:lang="ja">http://www.idp-example.co.jp/</mdui:InformationURL>
        <mdui:InformationURL xml:lang="en">http://www.idp-example.co.jp/</mdui:InformationURL>
        <mdui:PrivacyStatementURL xml:lang="ja">http://www.idp-example.co.jp/</mdui:PrivacyStatementURL>
        <mdui:PrivacyStatementURL xml:lang="en">http://www.idp-example.co.jp/</mdui:PrivacyStatementURL>
        <mdui:Keywords xml:lang="en">category:location:others</mdui:Keywords>
      </mdui:UIInfo>
      <mdui:DiscoHints xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:IPHint>xxx.xxx.xxx.xxx/32</mdui:IPHint>
        <mdui:IPHint>yyy.yyy.yyy.yyy/32</mdui:IPHint>
        <mdui:DomainHint>www.idp-example.co.jp</mdui:DomainHint>
        <mdui:DomainHint>idp.example.com</mdui:DomainHint>
      </mdui:DiscoHints>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIISOMECERTSM9Xvw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.com/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">idp.example.com</shibmd:Scope>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIISOMECERTSM9Xvw==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.com:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.com:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>

I'm sure you must of come across it working with SAML, usually the easiest way for 2 parties to communicate is for the SP and IdP to exchange metadata so they can trust each other.

The above is an example of an IdP but an SP has its own, for example for simpleSAML, the url to find the metadata is at /simplesaml/module.php/saml/sp/metadata.php/default-sp

And simplesaml allows importing of IdP metadata aswell

@laupow
Copy link

laupow commented May 17, 2019

I've started this feature here:
master...laupow:feature/sp-metadata-endpoint

It's heavily adapted from a few pieces in the humanmade/wp-simple-saml plugin.

I think exposing the SP metadata only makes sense when using the internal connection type. Not sure though.

The changes add an endpoint at /saml/sp/metadata/
Screen Shot 2019-05-17 at 2 45 41 PM

which spit out XML metadata:
Screen Shot 2019-05-17 at 2 44 09 PM

@danielbachhuber is this direction worth continuing for the plugin?

@danielbachhuber
Copy link
Contributor

@ObjectiveTruth I think this issue was originally opened to import settings from the IdP's metadata URL. It looks like your code exports the settings from WordPress / OneLogin. Is this correct? If so, I'm not quite sure what the use case is for that.

@laupow
Copy link

laupow commented May 21, 2019

That looks correct; my comments belong in a separate issue. I'll move them soon.

@akshenk8
Copy link

@laupow is this feature merged ??

I've started this feature here:
master...laupow:feature/sp-metadata-endpoint

@markfullmer
Copy link

Usually an IDP will offer a metadata link to their xml containing all the configuration parameters for a SAML library to use for quick configuration and incase something changes at the IDP level, it doesn't have to manually updated to the SPs.

I've created a separate issue for this, #396 , and corresponding PR, #397

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants