SimpleSAML_Session::getIdP() method removed - what to use now?


Dick Visser

9 Aug 2016, 07:45:06
to simplesamlphp
Hi

On our SP proxy we have an authproc filter that uses the following
code to access IdP metadata:

$entityID = $session->getIdP();
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
$idpmeta = $metadata->getMetaData($entityID, 'saml20-idp-remote');


On https://simplesamlphp.org/docs/stable/simplesamlphp-upgrade-notes-1.14
I see that the SimpleSAML_Session::getIdP() method has been removed in
1.14.

Any recommendations on how to achieve the entityID in 1.14 and newer?

Many thanks

Dick



--
Dick Visser
Sr. System & Network Engineer
GÉANT

Want to join us? We're hiring: http://www.geant.org/jobs

Peter Schober

9 Aug 2016, 08:48:18
to simplesamlphp
* Dick Visser <dick....@geant.org> [2016-08-09 13:45]:
> On our SP proxy we have an authproc filter that uses the following
> code to access IdP metadata:
>
> $entityID = $session->getIdP();
[...]
> Any recommendations on how to achieve the entityID in 1.14 and newer?

Not sure that applies to your deployment but calling the getAuthData()
method on your authsource with this key
https://simplesamlphp.org/docs/stable/saml:sp#section_3
will give you the IDP's entityID. Full example:
https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_7_1
-peter

Jaime Perez Crespo

9 Aug 2016, 12:29:40
to simple...@googlegroups.com
Hi Dick!

Peter is right, as usual. Just a few comments on why this method has been removed and why you have to do it like this now.

The main issue is that a session is just a session, a set of data tied to a browser, but not an authentication status with a particular IdP. The session is always the same, regardless of what IdP authenticated you, if there’s more than one. In fact, sessions allow you to have authentication data for more than one authentication source at the same time. You could, for instance, be authenticated with your SAML auth source to delegate authentication to some IdP, and at the same time be authenticated as administrator with the “admin” auth source. Both things should work simultaneously, even if both auth sources are SAML. That means a “getIdP()” method does not make sense any longer, because, what IdP should you return then, if there’s several?

The place to store all that information is the auth data, which is also indexed by authentication source. So if you want to know which IdP authenticated you, at least you should know what auth source you used. Then, you can just ask the auth source to give you the entityID of the IdP as Peter mentioned.

This was a big change because the session was kind of assuming that there could only be one IdP authenticating you, while all the auth data was stored on a per-authsource basis. Therefore, a lot of methods in SimpleSAML_Session went away to adapt to the new model (where “new” is a euphemism here, actually). Check out the upgrade notes to make sure you are not using any more deprecated or removed methods.


--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost

Dick Visser

9 Aug 2016, 15:46:50
to simplesamlphp
OK I get it.
I'm trying to access the entityID in the process(&$request) part of my
authproc filter.
I guess it's as easy as

$entityID = $request['saml:sp:IdP'];

No need to fiddle with the session.

Thanks!

Dick
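
Added example (not code from the thread or from the SimpleSAMLphp project): a minimal authproc filter for 1.14 that takes the IdP entityID from the `saml:sp:IdP` state key mentioned above and fails closed when that key is absent, instead of passing an empty entityID to the metadata lookup. The module name `example`, the class name and the `authenticatingIdP` attribute are hypothetical.

```php
<?php
// Hypothetical file: modules/example/lib/Auth/Process/IdPMetadata.php
// Assumes SimpleSAMLphp 1.14 class names; module, class and attribute names are illustrative.
class sspmod_example_Auth_Process_IdPMetadata extends SimpleSAML_Auth_ProcessingFilter
{
    /**
     * Return the entityID of the IdP that authenticated this request.
     * The value comes from the per-authsource state, not from the session.
     */
    private function getIdPEntityId(array $request)
    {
        if (!isset($request['saml:sp:IdP'])
            || !is_string($request['saml:sp:IdP'])
            || $request['saml:sp:IdP'] === ''
        ) {
            // Fail closed: the filter was configured somewhere other than
            // on a SAML SP auth source, so there is no IdP to report.
            throw new SimpleSAML_Error_Exception(
                'saml:sp:IdP missing from state; this filter must run on a SAML SP.'
            );
        }
        return $request['saml:sp:IdP'];
    }

    public function process(&$request)
    {
        $entityID = $this->getIdPEntityId($request);

        // Same lookup as in the pre-1.14 code; only the source of $entityID
        // changed. getMetaData() throws if the IdP is not present in the
        // saml20-idp-remote set, so unknown IdPs stop processing here.
        $metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
        $idpmeta = $metadata->getMetaData($entityID, 'saml20-idp-remote');

        // Illustrative use on a proxy: tell downstream SPs which IdP
        // authenticated the user, using the entityID from trusted metadata.
        $request['Attributes']['authenticatingIdP'] = array($idpmeta['entityid']);
    }
}
```

Outside an authproc filter, the equivalent is the `getAuthData()` call on the auth source with the same `saml:sp:IdP` key, as described in Peter's reply.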