backfill tests: SAML SP metadata #2794
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/187289884 The labels on this github issue will be updated when the story is started. |
peterhaochen47
changed the title
peterhaochen47
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/SamlLoginIT.java
Fixed
Show fixed
Hide fixed
- in preparation for replacing the EOL spring saml extension lib with spring security core saml, adding more test coverage on the SAML SP metadata - tests that SAML SP metadata matches the UAA configs (in the context of this test, the UAA configs are from the local uaa.yml used to start a local server) - also explicitly declare some SAML-SP-related fields in the said local uaa.yml to make the inputs to the test clearer [#186986697]
peterhaochen47
force-pushed
the
pr/develop/backfill-saml-sp-metadata-e2e-tests
branch
from
5bee567
to
88ecdd8
Compare
- Replaced the code that was depending on the platform where the test was being executed. [#186986697] Co-authored-by: Danny Faught <danny.faught@broadcom.com>
Co-authored-by: Hongchol Sinn <hongchol.sinn@broadcom.com>
swalchemist
changed the title
* Looks like we used the wrong metadata when we added this assertion.
There was a problem hiding this comment.
wouldn't it make sense to use default SHA256 also here
https://github.com/cloudfoundry/uaa/blob/develop/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml#L305
Right. It was mentioned and considered before in a different PR. In production though, for TAS at least, the property is always set to either 256 or 512, and we decided just to leave it like that as it is practically only used for dev build. |
even in DEV it is no 256 as default... but therefore I would not let in xml sha1 with a settings where is looks like this is the default, e.g. https://github.com/cloudfoundry/uaa/blob/develop/uaa/src/main/webapp/WEB-INF/spring/saml-providers.xml#L305 because the value is no not null thus default in XML is never used |
In cf-deployment (the OSS version of CF), this value is unset, hence UAA default will be used. |
I bet that even in cf-deployment now SHA256 is used... but I have no problem with it... only because of misleading XML default which is no default anymore.. See Then merge this PR and check again the signature of https://login.uaa-acceptance.cf-app.com |
Right, but the default has been always SHA1 there, as the property has been like that all the time. Do you think we should change the default value there for the OSS version of CF? Then we can make the change in another PR. |
ok |
- For the bean. - As suggested in review comments in #2794.
- For the bean. - As suggested in review comments in #2794.
[#186986697]