Describe the bug
Not really a bug, but an advisement if one is using a Microfocus AccessManager based IDP.
The dependency on which this code depends is from OneLogin-PHP, and this code implements (by default) the Metadata tags 'validUntil' and 'cacheDuration'.
A Microfocus AccessManager IDP does not (in its current form/version) have a mechanism to dynamically reload Metadata and cope with this tag - but if it is present it will honor it.
To Reproduce
Steps to reproduce the behavior:
this is default behaviour
Expected behavior
As stated above, the most wishful situation is that one would be able to omit this tag (as stated in the SAML specifications regarding this, it is optional).
The current implementation, however, accepts a parameter to extend/reset the default, but has no option to omit the parameter in the generated Metadata.
pfSense Version & Package Version:
pfSense Version: [e.g. pfSense 2.5.1]
Package Version [e.g. v1.1.0]
Identity Provider Information:
IdP Name: Microfocus AccessManager v 4.5.3
IdP Type: internal/On-Site
Additional context
As this isn't a bug in the package itself, but more a 'limitation' of a dependent package, I just wanted to provide a solution/hack if one is using the mentioned IDP.
How to avoid this issue
The solution is twofold:
either, after the metadata has been generated, you manually remove both tags from it (validUntil and cacheDuration);
or go into the code of the package and delete lines:
pfsense-saml2-auth/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Metadata.php
Line 178 in 27f9350
and line
pfsense-saml2-auth/pfSense-pkg-saml2-auth/files/etc/inc/saml2_auth/lib/php-saml-3.5.1/src/Saml2/Metadata.php
Line 179 in 27f9350
After that, save the file, and you are safe for as long as you don't upgrade the package.
PS,
I am still in discussion with the dependent package maintainer to see if I can change this behaviour.
Best regards,
Thanks for providing this information and your workaround. Hopefully anyone else running the same IdP can find this information helpful.
I've subscribed to the issue you opened on the php-saml repository. If/when such a change is implemented and released in the upstream code I will implement it in this package as quickly as possible. I would very much prefer not to modify the dependency's code within this package directly, but if the change ends up being too far out or causes too many issues, I can look into some sort of optional patch for AccessManager in this package that can at least allow you to update without reverting your changes.
For your information, regarding getting the upstream maintainer of onelogin-PHP to reason as to why such a change should be implemented: this is bumping into a difference of opinion in interpreting the SAML standards, and I cannot seem to be able to convince that person of where I stand, and why I would very much appreciate this change.
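The first workaround above (removing both attributes from the generated metadata instead of editing the library), as an added example that is not code from pfsense-saml2-auth or php-saml: it strips validUntil and cacheDuration from every element, since the SAML metadata schema allows them on role descriptors as well as on the EntityDescriptor that php-saml populates, and it has to run before the metadata is signed. The sample metadata, its entity ID and its endpoint URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FRESHNESS_ATTRS = ("validUntil", "cacheDuration")

# Keep the conventional md: prefix instead of ElementTree's generated ns0:.
ET.register_namespace("md", MD_NS)

# Constructed sample shaped like php-saml's Metadata::builder() output (URLs are placeholders).
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" '
    'validUntil="2021-05-20T10:00:00Z" cacheDuration="PT604800S" '
    'entityID="https://pfsense.example.internal/saml2_auth/sp">'
    '<md:SPSSODescriptor AuthnRequestsSigned="false" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'Location="https://pfsense.example.internal/saml2_auth/acs.php" index="1"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)


def find_freshness_attributes(xml_text):
    """Return (element local name, attribute) pairs carrying freshness info."""
    # The schema permits both attributes on EntitiesDescriptor, EntityDescriptor
    # and every role descriptor, so scan the whole tree, not just the root
    # element that php-saml populates.
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        local_name = elem.tag.split("}", 1)[-1]
        for attr in FRESHNESS_ATTRS:
            if attr in elem.attrib:
                found.append((local_name, attr))
    return found


def strip_freshness_attributes(xml_text):
    """Return the metadata with validUntil/cacheDuration removed everywhere."""
    # Run this before the metadata is signed: dropping attributes afterwards
    # invalidates an enveloped ds:Signature over the EntityDescriptor.
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr in FRESHNESS_ATTRS:
            elem.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("found:", find_freshness_attributes(SAMPLE_METADATA))
    print(strip_freshness_attributes(SAMPLE_METADATA))
```

Without the two attributes the IdP has no hint to refresh, so any later change to the SP metadata (for example a new signing certificate) has to be re-imported into AccessManager by hand.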