Support for dynamic configuration using IDP metadata URL for SAML SSO integration #8484
Closed
imravichaudhary opened this issue May 6, 2020 · 7 comments
Labels: in: saml2 (An issue in SAML2 modules); status: ideal-for-contribution (An issue that we actively are looking for someone to help us with); type: enhancement (A general enhancement)


imravichaudhary commented May 6, 2020

Expected Behavior

SAML IDP registration can be configured via either IDP metadata URL or file-based metadata instead of manually adding configuration properties like entity-id, sso-url, X.509 Certificate, etc. The benefit would be simpler IDP registration configuration, and it can also support dynamic configuration like certificate rotation, etc.

spring:
  security:
    saml2:
      relyingparty:
        registration:
          idpone:
            identityprovider:
              metadata-url:
          idptwo:
            identityprovider:
              metadata-url:

Current Behavior

Currently spring-security-saml2-service-provider does not support dynamic configuration for IDP using metadata URL. The IDP configuration needs to be added through RelyingPartyRegistration with the different properties like entity-id, sso-url, etc., whereas this configuration could be replaced with a single IDP metadata URL which contains all information related to the IDP. Also, as an additional option, please allow the same to be configured via file-based metadata.

spring:
  security:
    saml2:
      relyingparty:
        registration:
          idpone:
            identityprovider:
              entity-id:
              sso-url:
              verification:
                credentials:
                  - certificate-location:
          idptwo:
            identityprovider:
              entity-id:
              sso-url:
              verification:
                credentials:
                  - certificate-location:

Context

My current IDP provides IDP configuration information via metadata URL, but due to lack of support in spring-security-saml2-service-provider, we have to manually configure each individual property. As a current alternative, we have the option to switch back to the old way of configuring SAML IDP using Spring Security SAML Extension (https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/#quick-start-idp-metadata)
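For readers of this thread, here is an added example (not code from the issue or from the Spring Security project itself) of the metadata-driven registration being requested, written against the `RelyingPartyRegistrations.fromMetadataLocation` API that Spring Security provides for this. The two metadata URLs are hypothetical, and the HTTPS check and the empty-certificate check are defensive additions of mine, not part of the library.

```java
import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml2.provider.service.registration.InMemoryRelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;

@Configuration
public class Saml2MetadataConfig {

    // Hypothetical IdP metadata endpoints; replace with the real IdP URLs.
    private static final String IDP_ONE_METADATA = "https://idpone.example/saml/metadata";
    private static final String IDP_TWO_METADATA = "https://idptwo.example/saml/metadata";

    @Bean
    RelyingPartyRegistrationRepository relyingPartyRegistrations() {
        RelyingPartyRegistration idpOne = fromMetadata("idpone", IDP_ONE_METADATA);
        RelyingPartyRegistration idpTwo = fromMetadata("idptwo", IDP_TWO_METADATA);
        return new InMemoryRelyingPartyRegistrationRepository(idpOne, idpTwo);
    }

    private static RelyingPartyRegistration fromMetadata(String registrationId, String location) {
        // Only fetch metadata over TLS: the document carries the IdP's signing
        // certificate, so a plaintext fetch would let an on-path party replace it.
        if (!location.startsWith("https://")) {
            throw new IllegalArgumentException("IdP metadata must be fetched over HTTPS: " + location);
        }
        // fromMetadataLocation downloads and parses the metadata once, when this
        // bean is created; entity-id, sso-url and the verification certificates
        // all come from the document instead of individual properties.
        RelyingPartyRegistration registration = RelyingPartyRegistrations
                .fromMetadataLocation(location)
                .registrationId(registrationId)
                .build();
        // Fail closed if the metadata carried no signing certificate: without one,
        // assertion and response signatures cannot be verified.
        Collection<?> signingCerts = registration.getAssertingPartyDetails().getVerificationX509Credentials();
        if (signingCerts.isEmpty()) {
            throw new IllegalStateException("No signing certificate in metadata for " + registrationId);
        }
        return registration;
    }
}
```

Because the metadata is resolved once at startup, the certificate rotation mentioned in the request still requires rebuilding the registration (for example on a schedule) rather than happening automatically.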

@imravichaudhary imravichaudhary added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 6, 2020
@rwinch rwinch added the in: saml2 An issue in SAML2 modules label May 6, 2020

rwinch commented May 6, 2020

Thanks for creating a ticket. Would you be interested in submitting a Pull Request?

@rwinch rwinch added status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged labels May 6, 2020
imravichaudhary (Author) commented

@rwinch Sure, I can definitely take a look whenever I get a chance. Though I haven't contributed to any open source projects, so I might have to read up on the Contribution guidelines for the project.


rwinch commented May 12, 2020

Thanks @imravichaudhary! The issue is yours. Let us know if you have any questions


jzheaux commented Jul 21, 2020

@imravichaudhary is this something that you are still planning on contributing? I believe @jkubrynski may also be interested.

imravichaudhary (Author) commented

@jzheaux @jkubrynski please feel free to contribute.

ryan13mt commented

@jzheaux this only handles URL-based metadata locations right? Can it be changed to handle file-based locations as well?


jzheaux commented Sep 16, 2020

Correct, @ryan13mt, the initial implementation only supports URLs.

File-based support seems like a possibility. Would you be able to file a separate ticket describing how you'd like something like that to behave, so we can explore that in more depth?
