Remote idp metadata #136
Remote idp metadata #136
Conversation
|
@pitbulk @inakidelamadrid @luisvm can you review? lgtm 👍 thanks @bonyiii for documentation |
|
👍 except my comment |
|
I updated the pr accordingly. |
|
@luisvm @pwnetrationguru can you review please? lgtm 👍 |
|
👍 looks good! |
|
Not validating a cert feels risky to me, but it defaults to validate and doesn't call Is metadata exchange part of the SAML 2.0 spec? If not in the SAML 2.0 spec, where is this being widely used and discussed? Maybe @pitbulk can speak to that. |
|
When entities exchange metadatas, the issuer can sign it so the receptor can validates that the content is not modified, but the receptor may know previously the public cert in order to validate the signature, or use a cert that is related to a specific domain. If not a MITM can take the metadata, sign it with a valid cert and hack the system. In SAML world, entities exchanges the metadatas manually in a first approach, later they uses metadata-registration components that will handle all the issues related to the validation of the metadata. Said this, Im ok with this PR |
|
@pitbulk, can we discuss this in our next meeting. @Lordnibbler and I have some questions to clear up. |
| @@ -53,8 +53,6 @@ def saml_settings | |||
| end | |||
| ``` | |||
|
|
|||
| What's left at this point, is to wrap it all up in a controller and point the initialization and consumption URLs in OneLogin at that. A full controller example could look like this: | |||
|
I'm ok with that except remove the part of the doc that I commented. |
|
I restored those line in the readme. |
|
@pitbulk @pwnetrationguru did you decide you were confident to merge this? |
|
👍 |
Download and parse IdP metadata.
Based on https://github.com/onelogin/ruby-saml/pull/21/files