
dependent OneLogin php forces unwanted Metadata tags when using MicroFocus AccessManager #12

Open
Glowsome opened this issue Jan 21, 2022 · 2 comments


@Glowsome

Describe the bug
Not really a bug, but an advisement if one is using a MicroFocus AccessManager-based IdP.

The dependency on which this code depends is OneLogin-PHP, and that code implements (by default) the Metadata attributes 'validUntil' and 'cacheDuration'.
A MicroFocus AccessManager IdP does not (in its current form/version) have a mechanism to dynamically reload Metadata and cope with this tag, but if it is present it will honor it.

To Reproduce
Steps to reproduce the behavior:

  1. this is default behaviour

Expected behavior
As stated above, the most wished-for situation is that one would be able to omit this tag (as stated in the SAML specifications, it is optional).
The current implementation, however, accepts a parameter to extend/reset the default, but has no option to omit the attribute from the generated Metadata.

pfSense Version & Package Version:

  • pfSense Version: [e.g. pfSense 2.5.1]
  • Package Version [e.g. v1.1.0]

Identity Provider Information:

  • IdP Name: Microfocus AccessManager v 4.5.3
  • IdP Type: internal/On-Site

Additional context
As this isn't a bug in the package itself, but more a 'limitation' of a dependent package, I just wanted to provide a solution/hack if one is using the mentioned IdP.

How to avoid this issue

The solution is two-fold:

After that, save the file, and you are safe for as long as you don't upgrade the package.

PS,
I am still in discussion with the dependent package maintainer to see if I can change this behaviour.

Best regards,

  • Glowsome
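The post above describes hand-editing the vendored php-saml code so that `validUntil` and `cacheDuration` are not written into the SP metadata, a change that is lost on every package upgrade. The following is an added example (not code from pfsense-saml2-auth or from php-saml) showing the alternative of post-processing the metadata string instead: it parses the `md:EntityDescriptor` and removes the two attributes without touching the dependency. It assumes the input is the XML string php-saml returns for the SP metadata (in php-saml that is `OneLogin\Saml2\Settings::getSPMetadata()`), and that the function is called before any metadata signing step, since an enveloped XML signature covers these attributes and would be invalidated by removing them afterwards; the sample metadata and its URLs are constructed for the example.

```php
<?php
// Added example, not part of pfsense-saml2-auth or php-saml.
// Removes the validUntil and cacheDuration attributes from an SP
// EntityDescriptor so the metadata can be handed to an IdP (such as the
// MicroFocus AccessManager described in the issue) that cannot reload
// metadata when validUntil expires.
//
// Assumption: $xml is the string produced by the SP metadata builder
// (OneLogin\Saml2\Settings::getSPMetadata() in php-saml). Call this
// BEFORE signing the metadata: stripping attributes after signing breaks
// the signature, so already-signed input is rejected.

const SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata';
const XMLDSIG_NS = 'http://www.w3.org/2000/09/xmldsig#';

function stripVolatileMetadataAttributes(string $xml): string
{
    $doc = new DOMDocument();
    $doc->preserveWhiteSpace = false;
    $doc->formatOutput = true;

    // LIBXML_NONET forbids network access while parsing; entity
    // substitution (LIBXML_NOENT) is deliberately NOT enabled.
    if ($doc->loadXML($xml, LIBXML_NONET) === false) {
        throw new RuntimeException('metadata is not well-formed XML');
    }

    $root = $doc->documentElement;
    if ($root === null
        || $root->namespaceURI !== SAML_MD_NS
        || $root->localName !== 'EntityDescriptor') {
        throw new RuntimeException('root element is not md:EntityDescriptor');
    }

    // Refuse to modify signed metadata; the signature would no longer verify.
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('md', SAML_MD_NS);
    $xpath->registerNamespace('ds', XMLDSIG_NS);
    if ($xpath->query('/md:EntityDescriptor/ds:Signature')->length > 0) {
        throw new RuntimeException('metadata is already signed; strip attributes before signing');
    }

    // Both attributes are optional per the SAML 2.0 metadata schema.
    foreach (['validUntil', 'cacheDuration'] as $attr) {
        if ($root->hasAttribute($attr)) {
            $root->removeAttribute($attr);
        }
    }

    return $doc->saveXML();
}

// Constructed sample resembling what the metadata builder emits
// (entityID, URLs and timestamps are made up for this example).
$sample = <<<XML
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2022-01-23T10:00:00Z"
    cacheDuration="PT604800S"
    entityID="https://pfsense.example.invalid/saml2_auth/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pfsense.example.invalid/saml2_auth/acs.php" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
XML;

$clean = stripVolatileMetadataAttributes($sample);

// Sanity check: neither attribute may survive in the output.
if (strpos($clean, 'validUntil') !== false || strpos($clean, 'cacheDuration') !== false) {
    throw new RuntimeException('attributes still present after stripping');
}

echo $clean;
```

Operationally, dropping `validUntil` and `cacheDuration` means the IdP has no hint about when to refresh the SP metadata, so any later change to the SP (a new signing certificate, a changed ACS URL) has to be re-imported into AccessManager by hand; the same is true of the hand-edit described in the post. The function deliberately fails closed on signed input rather than silently producing metadata whose signature no longer verifies.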
@jaredhendrickson13
Owner

Thanks for providing this information and your workaround. Hopefully anyone else running the same IdP can find this information helpful.

I've subscribed to the issue you opened on the php-saml repository. If/when such a change is implemented and released in the upstream code I will implement it in this package as quickly as possible. I would very much prefer not to modify the dependency's code within this package directly, but if the change ends up being too far out or causes too many issues, I can look into some sort of optional patch for AccessManager in this package that can at least allow you to update without reverting your changes.

@Glowsome
Author

For your information: getting the upstream maintainer of onelogin-PHP to see why such a change should be implemented is bumping into a difference of opinion in interpreting the SAML standards, and I cannot seem to convince that person of where I stand and why I would very much appreciate this change.

  • Glowsome
