Development #5540: Possibility to create saml service provider from its AssertionConsumerService endpoint - Authentic 2 - Redmine Entr’ouvert

Development #5540

Possibility to create saml service provider from its AssertionConsumerService endpoint

Ajouté par Frédéric Péters il y a plus de 9 ans. Mis à jour il y a plus de 2 ans.

Statut:

Nouveau

Priorité:

Normal

Assigné à:

Catégorie:

Version cible:

2.2.0

Début:

19 septembre 2014

Echéance:

% réalisé:

Temps estimé:

Patch proposed:

Non

Planning:

Description

Dropbox doesn't distribute a saml metadata file, it just gives out its assertion consumer service endpoint (https://www.dropbox.com/saml_login); it would be useful to be able to create a service provider without having to forge a fake metadata file.

For refererence the simplesamlphp configuration amounts to:

$metadata['Dropbox'] = array (
        'AssertionConsumerService' => 'https://www.dropbox.com/saml_login',
        'simplesaml.attributes' => true,
        'simplesaml.nameidattribute' => 'mail',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
);

Demandes liées

Historique

Mis à jour par Benjamin Dauvergne il y a plus de 9 ans

How does-it work without specifying the entity ID for dropbox ? Does ssp accept all AuthnRequest ? How does it find the ACS if the AuthnRequest does not containt its URL and it doesn't know the service entityID either ?

Mis à jour par Benjamin Dauvergne il y a plus de 9 ans

I answer myself: I read the code for ssp and the dictionnary key is in fact the EntityID, so the configuration would be:

EntityID, required
ACS URL & method (POST [default] / Artifact), required
LogoutServiceURL URL & method (Redirect [default] / SOAP), optional
Certificate, optional

Mis à jour par Frédéric Péters il y a plus de 9 ans

https://www.dropbox.com/help/1921#custom is the dropbox documentation.

You'll find some screenshots about salesforce configuration on https://developer.salesforce.com/page/Configuring-SAML-SSO-to-Dropbox (searching for "dropbox configuration saml" yields results for various other providers).

Mis à jour par Benjamin Dauvergne il y a plus de 9 ans

Statut changé de Nouveau à En cours
Assigné à mis à Benjamin Dauvergne

How I see it:

first add field to hold the metadata URL, to separate it from the entity ID
remove special creation form for building from Metadata URL (the field will now be part of the model)
make EntityID field editable, and required
add new fields:
- ACS URL, URLField, nullable, optional
- ACS Method, CharField, choices, nullable, required if ACS URL is set
- Logout URL, URLField, nullable, optional, forbidden if ACS URL is not set
- Logout Method, CharField, choices, nullable, optional, required if Logout URL is set
make the metadata field uneditable if ACS URL is not null, add text telling that to edit it all direct settings must be removed
in LibertyProvider clean:
- if metadata URL is set and metadata content or manual configuration field have changed, raise ValidationError telling that a web refresh must be done or the URL be removed,
- if metadata and manual field have changed, raise ValidationError
- if metadata has changed or object is new (no self.pk), clear all "manual" configuration fields, extract entityID from metadata
- if entityID has changed but no other manual configuration field is set, raise ValidationError
- if any manual configuration field has changed, clear metadata and generate new version from them
- for all cases generate new entityID SHA1 hash (it's already done)