Support multiple and dynamic signing certificates #218
Conversation
.travis.yml
Outdated
| @@ -6,9 +6,6 @@ node_js: | |||
| - "4.0" | |||
| - "stable" | |||
|
|
|||
| before_install: | |||
| - npm install -g npm | |||
|
|
|||
There was a problem hiding this comment.
Please remove this commit. I'm not sure which older version of Node.js it was trying to support, but we probably don't support it anymore. Recently support for Node.js verisons < 4 was dropped
There was a problem hiding this comment.
Yep, it was breaking versions < 4 on travis
|
Hi, I'm a new co-maintainer trying to help out a little. Please reference the portions of the SAML spec that relate to the changes you are making. If your proposed changes are spec-compliant, I'm inclined to accept a version of this, since supporting multiple certs during a transition seems useful. Also take a look at the latest version of At some point soon, we should also think about breaking up the growing test file into multiple files. |
|
It would also be helpful if you could explain how this relates to the other multiple certs PR that was pre-existing: #204. This if branch goes forward, it also needs to updated to resolve conflicts. |
|
@markstos I wasn't aware of #204 until you pointed it out. It is doing part of what is being done in this PR. The differences between #218 and #204 are:
In terms of referencing these changes in the SAML spec I found this:
when referring to signing/encryption keys in the SAML metadata https://www.oasis-open.org/committees/download.php/56785/sstc-saml-metadata-errata-2.0-wd-05.pdf I am happy to base this change off #204 or go as is, if you can let me know what your preference is. |
|
@richjharris your approach seems more flexible, although the author of #204, @austburn is welcome to weigh in. One thing I noticed in this PR is when using |
|
It's been a while since I've been active on this change -- initially I threw together #204 to address a looming cert rollover. #218 seems to provide more flexibility and I like the ability to poll for cert changes 👍 . I'm fine if this change represents the availability to support cert rollover as it's supported my many other SAML libs. |
|
@markstos the way I use the function version of the I've had a look at where |
richjharris
force-pushed
the
multiple-dynamic-certificates
branch
from
a5411ac
to
3b0a4a6
Compare
|
@markstos I've rebased this PR from master but I haven't made any changes on making the function async pending your feedback |
In our organisation we roll the signing certificate for our ADFS servers every year. During the roll over period the server provides two certificates which may be valid, so when a SAML response is provided it is valid if it is signed with either of those signatures. This change has two methods that can be used when `passport-saml` is used by a long running service that will persist over the certificate roll over period. The first change is to allow the `cert` configuration key to be an array, this allows for the old and new certificates to be checked during the roll over period. The second change is to allow the `cert` configuration key to be a function that returns the valid certificate or certificates, this allows the service to poll the ADFS server for what the valid certificates are at this moment and update the signing certificates used by `passport-saml` as they change.
richjharris
force-pushed
the
multiple-dynamic-certificates
branch
from
3b0a4a6
to
d3a9bae
Compare
|
@richjharris Let's make the |
|
@markstos I've pushed a commit to make the |
|
This update looks great ! I would love to see it merged. |
|
Indeed something I was just looking for. Hope it gets merged soon! |
|
@richjharris Assuming my doc-update to reflect the async change looks good, I think this is ready to release. 707b315 @cadesalaberry, @kallelat thanks for the peer-feedback. It's helpful to know others are looking for the same feature. |
|
@markstos 👍 looks good. |
|
Released and published
…On Tue, Oct 31, 2017 at 7:03 PM richjharris ***@***.***> wrote:
@markstos <https://github.com/markstos> 👍 looks good.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#218 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AABk5VmvqcB3dbjtceIasnvkCgNXtldRks5sx6cpgaJpZM4NrFTH>
.
|
…-string-signing * commit 'a94fbfa730dd0aca0e0fa2cedcbabbea1765aee6': Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218)
…url-params * commit 'a94fbfa730dd0aca0e0fa2cedcbabbea1765aee6': Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218)
* master: (51 commits) start to use the debug module. v0.34.0: release internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS New Feature: allow customizing the name of the strategy. bump version to v0.32.1 README: link to where our Changes are documented. Audience validation README: fix typo `s/ADSF/ADFS/` jshint: fix jshint violation. v0.31.0 release README: update link description for ADFS docs. Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218) v0.30.0 Ignore .tern-port files Use crypto.randomBytes for ID generation (node-saml#235) BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238 docs: Improve docs for privateKey format. Ref node-saml#230 ... # Conflicts: # README.md # test/samlTests.js # test/tests.js
* master: (51 commits) start to use the debug module. v0.34.0: release internal: provide unique failure messages for invalid signatures. Fixes node-saml#146 package.json: bump version to 0.33.0 docs: mention that disableRequestAuthnContext helps with AD FS New Feature: allow customizing the name of the strategy. bump version to v0.32.1 README: link to where our Changes are documented. Audience validation README: fix typo `s/ADSF/ADFS/` jshint: fix jshint violation. v0.31.0 release README: update link description for ADFS docs. Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218) v0.30.0 Ignore .tern-port files Use crypto.randomBytes for ID generation (node-saml#235) BugFix: Fail gracefully when SAML Response is invalid. Fixes node-saml#238 docs: Improve docs for privateKey format. Ref node-saml#230 ... # Conflicts: # README.md # test/samlTests.js
…-authn-context * commit 'a94fbfa730dd0aca0e0fa2cedcbabbea1765aee6': Upd: Mention ADFS 2016 with NameIDFormatError. (node-saml#242) Support multiple and dynamic signing certificates (node-saml#218)
In our organisation we roll the signing certificate for our ADFS servers every year. During the roll over period the server provides two certificates which may be valid, so when a SAML response is provided it is valid if it is signed with either of those signatures.
This change has two methods that can be used when
passport-samlis used by a long running service that will persist over the certificate roll over period. The first change is to allow thecertconfiguration key to be an array, this allows for the old and new certificates to be checked during the roll over period. The second change is to allow thecertconfiguration key to be a function that returns the valid certificate or certificates, this allows the service to poll the ADFS server for what the valid certificates are at this moment and update the signing certificates used bypassport-samlas they change.