Fixes and improvements for satosa-saml-metadata #429
Conversation
vladimir-mencl-eresearch
changed the title
|
Hi @c00kiemon5ter , Just wondering whether there's anything blocking this PR from being reviewed and merged? I think these are fairly trivial and backwards compatible changes. Please let me know if there are any issues to address / points to clarify. Thanks a lot in advance for getting back to me. Cheers, |
…adata ... because SAMLBackend modifies the config (adding encryption_keypairs to config) and this modified config is stored under sp.config. Otherwise, metadata created via the metadata-creation scripts (satosa-saml-metadata) would be missing encryption keys (KeyDescriptor use="encryption").
Allow skipping signing with --no-sign - and in that case, do not require key+cert. Default to signing enabled (keep existing behaviour). Mark key and cert args as optional in Click and instead check them explicitly when signing is enabled. Add new method create_entity_descriptor_metadata as counterpart to create_signed_entity_descriptor to also apply `valid` option to EntityDescriptor but avoid signing.
vladimir-mencl-eresearch
force-pushed
the
saml-metadata-opts
branch
from
956ffd8
to
18667fc
Compare
|
Hi @c00kiemon5ter , I've just rebased this on master to bring this up to date. These changes are I think trivial - is there anything you'd like to see changed before merging them? Cheers, |
|
@c00kiemon5ter , can you please let me know if there's anything blocking this PR - or whether you'd be able to review and merge? It's a fairly trivial fix + improvement... Thanks a lot in advance for getting back to me. Cheers, |
|
Thank you Vlad, and sorry for the poor communication. |
|
Np - and thanks for accepting this in! |
Hi @c00kiemon5ter ,
I am working on a new feature for my deployment where I'd rely on the metadata created by
satosa-saml-metadata- I'd then register this metadata into our federation.When trying to use it, I found the metadata would always be signed - but for this purpose, I'd rather avoid having the signature embedded (on the EntityDescriptor for a single SP) - so I've added a
--no-signoption. And with this option, I made the signing cert and key optional.I also found the metadata was missing the encryption keys (
KeyDescriptor use="encryption") - and I found it was because SATOSA SAML Backend makes changes to the loaded config, but this change was missed by the satosa-saml-metadata tool because of how it was referring to the config - found this was an easy fix to make.Do these two changes look to you OK to merge?
Thanks a lot in advance for getting back to me.
Cheers,
Vlad
All Submissions: