Development #5540: Possibility to create saml service provider from its AssertionConsumerService endpoint - Authentic 2 - Redmine Entr’ouvert

Development #5540

Possibility to create saml service provider from its AssertionConsumerService endpoint

Added by Frédéric Péters about 9 years ago. Updated almost 2 years ago.

Status:

Nouveau

Priority:

Normal

Assignee:

Category:

Target version:

2.2.0

Start date:

19 September 2014

Due date:

% Done:

Estimated time:

Patch proposed:

Planning:

Description

Dropbox doesn't distribute a saml metadata file, it just gives out its assertion consumer service endpoint (https://www.dropbox.com/saml_login); it would be useful to be able to create a service provider without having to forge a fake metadata file.

For refererence the simplesamlphp configuration amounts to:

$metadata['Dropbox'] = array (
        'AssertionConsumerService' => 'https://www.dropbox.com/saml_login',
        'simplesaml.attributes' => true,
        'simplesaml.nameidattribute' => 'mail',
        'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
);

Related issues

History

Updated by Benjamin Dauvergne about 9 years ago

How does-it work without specifying the entity ID for dropbox ? Does ssp accept all AuthnRequest ? How does it find the ACS if the AuthnRequest does not containt its URL and it doesn't know the service entityID either ?

Updated by Benjamin Dauvergne about 9 years ago

I answer myself: I read the code for ssp and the dictionnary key is in fact the EntityID, so the configuration would be:

EntityID, required
ACS URL & method (POST [default] / Artifact), required
LogoutServiceURL URL & method (Redirect [default] / SOAP), optional
Certificate, optional

Updated by Frédéric Péters about 9 years ago

https://www.dropbox.com/help/1921#custom is the dropbox documentation.

You'll find some screenshots about salesforce configuration on https://developer.salesforce.com/page/Configuring-SAML-SSO-to-Dropbox (searching for "dropbox configuration saml" yields results for various other providers).

Updated by Benjamin Dauvergne about 9 years ago

Status changed from Nouveau to En cours
Assignee set to Benjamin Dauvergne

How I see it:

first add field to hold the metadata URL, to separate it from the entity ID
remove special creation form for building from Metadata URL (the field will now be part of the model)
make EntityID field editable, and required
add new fields:
- ACS URL, URLField, nullable, optional
- ACS Method, CharField, choices, nullable, required if ACS URL is set
- Logout URL, URLField, nullable, optional, forbidden if ACS URL is not set
- Logout Method, CharField, choices, nullable, optional, required if Logout URL is set
make the metadata field uneditable if ACS URL is not null, add text telling that to edit it all direct settings must be removed
in LibertyProvider clean:
- if metadata URL is set and metadata content or manual configuration field have changed, raise ValidationError telling that a web refresh must be done or the URL be removed,
- if metadata and manual field have changed, raise ValidationError
- if metadata has changed or object is new (no self.pk), clear all "manual" configuration fields, extract entityID from metadata
- if entityID has changed but no other manual configuration field is set, raise ValidationError
- if any manual configuration field has changed, clear metadata and generate new version from them
- for all cases generate new entityID SHA1 hash (it's already done)