-
-
Notifications
You must be signed in to change notification settings - Fork 471
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hardcoded ValidUntil causing issues, SAML2 standard references it as optional #502
Comments
Is not hardcoded, you can provide it as a parameter: |
You are correct if you are referring to the option to manipulate it. Please see https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Metadata.php#L30 As it is then in the Metadata by default - see https://github.com/onelogin/php-saml/blob/master/lib/Saml2/Metadata.php#L159 So in essence it is Hardcoded. Therefore my request still stands .. it is an optional parameter, and should not be presented in the generated Metadata if it is not defined. |
Additional argument of having it not present if it is undefined in settings is the fact that if an IDP is not capable of dynamically reloading Metadata (as it is in my case) the default set expiration (as written in the code) sets it to 2 days. So in this :
|
If I change the behavior of the current method that generates the Metadata to not include such values if not provided, I can break other environments that expects it |
I am not really sure as to interpret this reply so i will state it harshly ... ?
As to the ValidUntill ( and adjacent CacheDuration) parameter : Either way i have forked the repo, and am trying to correct this (for me) unwanted way of implemenatation to get rid on this IMHO ugly hack to manually strip the metadata of the optional tags without compromising the IDP's who can coap with it.
|
From the SAML spec: https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf Page 9
So you need to set an expiration on the SAML Metadata, that why when not provided, I set default expiration times.
This is your specific case of use. Is the IdP reading the SP Metadata directly from stored XMLs rather than process the XML when it is received and storing the parameters?
As I shared, a Metadata with no expiration does not follow the standard, that why I'm not changing the current behavior. But in addition, if the toolkit has an specific behavior that the developers expect, is not that easy to change it, it need to be done in a major release because the change can impact current developers integrations. Currently php-saml has 9.3M of downloads at packagist, so I need to take care of all the developers trusting php-saml keeping the project stable. You had the option to fork the project (as you did), but there are other alternatives like simplesamlphp or lightSAML |
The XML/Metadata is retrieved when creating the connection ( either retrieval via url or file upload ) Also the refrenced page, and text are relevant when using EntitiesDescriptor, not the actual EntityDescriptor where its all about. Yes i do concur that when EntitiesDescriptor is used then the 'MUST' should be honored as written in the standard.
|
I disagree, the section is talking about |EntitiesDescriptor| or |EntityDescriptor| [One or More] And the saml2int profile directly set validUntil as mandatory.
|
Again you are quoting me on information that refers to having as Root element. ( secttion 2.3.1 - line 310 thru 358. However ... |
Anyway - just besides the whole discussion as to yes/no being part of the standard and Must/optional my plan in regards of forking is to implement a way to omit it without impacting/affecting current implementations. I am aiming to add functionality in a well-mannered way, without impacting a direct behavioural change in current code/ your 9.3M implementations, and still find a solution to solve the issue i am facing ( and i guess every other IDP-owner who uses the same software as i do). So :
IMHO this would be the easiest as it does not need the addition of a new 'setting', but an additional evaluation of a/the value if given, and it does not change current behaviour of the implementation.
|
@pitbulk if i were to get this done, would you be willing to concider a PR if i were to submit one ? I mean my aim is to honor both the current implementation and be able to also enable the ones who use my type/brand of IDP to be able to use the already provided code - so in essense i am trying to broaden the implementation. I am not aiming to move away from current code just by forking, but enhance ( and theerefore gain support) thru the general code to also support my case i would very much welcome my effort.
|
Maybe the less intrusive way is to add a "$noExpiration" (by default to false) parameter to the Metadata builder and then create in the method a
and then in the template
|
Case :
Issue:
Solution wanted:
The text was updated successfully, but these errors were encountered: