simplesamlphp and apache wildcard


Sfrangebob Dr Zeta

Oct 10, 2014, 9:47:37 PM10/10/14
to simple...@googlegroups.com
Hi,
I have a webapp that can be used from any of my domains (with a webapp.* wildcard in my Apache config).

I have created an SP entity for this webapp without specifying an EntityID in order to obtain dynamic metadata.
This scenario works, but the IdP requires metadata for each possible EntityID (one for each domain).

Does somebody know a way to avoid the manual metadata creation for each possible SP entity?

Thanks
Regards 

Marco Ferrante

Oct 11, 2014, 3:14:04 AM10/11/14
to simple...@googlegroups.com
That is not exactly right: the IdP wants different AssertionConsumerService URLs,
but all the ACSs can be bundled under the same entityId. Thus in this
scenario dynamic metadata could be a problem, not a solution.

If the list of domains is stable, you can include all ACSs in the SP
metadata:

$metadata['https://webapp.domain.com'] = array(
    // ...
    'AssertionConsumerService' => array(
        0 => array(
            'Binding'  => ...,
            'Location' => 'http://webapp.domain.com/Shibboleth.sso/SAML2/POST',
        ),
        1 => array(
            'Binding'  => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            'Location' => 'http://webapp.otherdomain.com/Shibboleth.sso/SAML2/POST',
        ),
    ),
    // ...
);

Unfortunately, if the list of domains is also "dynamic", the problem is
IdP-specific: neither simpleSAMLphp nor Shibboleth supports wildcards in
order to validate ACS URLs.

Peter Schober

Oct 12, 2014, 12:27:49 PM10/12/14
to simple...@googlegroups.com
* Sfrangebob Dr Zeta <zkm...@gmail.com> [2014-10-11 03:47]:
> Does somebody know a way to avoid the manual metadata creation of
> each possible SP entity?

The Shibboleth IDP supports configuration to allow signed authn
requests from the SP to replace ACS URL checking in SAML metadata.
I.e., if the IDP is of this implementation /and/ is able/willing to
make that configuration change, you wouldn't need to supply SAML
metadata for each of those "domains". But assuming this setting is
specific to an SP you'd still be limited to one entityID, or you'd
have the same problem all over again only moving it to Shib config.

Something like that will likely be possible with SSP as well, with
some coding.
-peter

Dick Visser

Oct 21, 2014, 5:41:34 AM10/21/14
to simplesamlphp
On several machines we use a general SimpleSAMLphp instance that acts
as the SP for multiple web sites.
In our IdP we therefore have to add the metadata for all those web sites.
However, because the metadata file itself is PHP code, you can limit
the amount of work by wrapping a foreach loop around the metadata.

<?php
foreach (array('tnc2011.terena.org', 'tnc2012.terena.org',
               'tnc2013.terena.org', 'tnc2014.terena.org', 'tnc15.terena.org') as $v) {
    $metadata["https://$v/simplesaml/module.php/saml/sp/metadata.php/default-sp"] = array(
        'AssertionConsumerService' =>
            "https://$v/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
        'SingleLogoutService' =>
            "https://$v/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp",
        'authproc' => array(
            // etc etc
        ),
    );
}


It's not perfect in the sense that it is not a wildcard solution, but
it greatly reduces the amount of work when you want to add a new SP.
Now it's a matter of just adding one entry to the array.



Dick


--
Dick Visser
Sr. System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
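The two shapes of saml20-sp-remote metadata discussed in this thread (Marco's single entityId with several ACS endpoints, and Dick's one-entry-per-host loop), as an added example that is not code from any of the posters; hostnames and the acsAllowed() check are constructed for illustration and show why the IdP side only ever does exact matching on the ACS Location, never wildcards:

```php
<?php
// Added example: generate both metadata shapes from one host list, then
// validate an ACS URL against them by exact string match (constructed code).
$hosts = array('webapp.domain.com', 'webapp.otherdomain.com');   // sample hosts
$postBinding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';

// Shape 1 (Dick's approach): one entityID per host, string-form ACS/SLO.
function perHostEntries(array $hosts) {
    $metadata = array();
    foreach ($hosts as $h) {
        $base = "https://$h/simplesaml/module.php/saml/sp";
        $metadata["$base/metadata.php/default-sp"] = array(
            'AssertionConsumerService' => "$base/saml2-acs.php/default-sp",
            'SingleLogoutService'      => "$base/saml2-logout.php/default-sp",
        );
    }
    return $metadata;
}

// Shape 2 (Marco's approach): one entityID, every host's ACS listed under it.
function bundledEntry($entityId, array $hosts, $binding) {
    $acs = array();
    foreach ($hosts as $i => $h) {
        $acs[$i] = array(
            'Binding'  => $binding,
            'Location' => "https://$h/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
        );
    }
    return array($entityId => array('AssertionConsumerService' => $acs));
}

// Exact-match ACS check (constructed helper, not an SSP API): a URL is only
// accepted if it is literally one of the registered Locations. Handles the
// string form and the indexed-array form; an unlisted host is rejected.
function acsAllowed(array $metadata, $entityId, $url) {
    if (!isset($metadata[$entityId])) return false;
    $acs = $metadata[$entityId]['AssertionConsumerService'];
    if (is_string($acs)) return $acs === $url;
    foreach ($acs as $ep) {
        if ($ep['Location'] === $url) return true;
    }
    return false;
}

$m = perHostEntries($hosts) + bundledEntry('https://webapp.domain.com', $hosts, $postBinding);
var_dump(acsAllowed($m, 'https://webapp.domain.com',
    'https://webapp.otherdomain.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'));
var_dump(acsAllowed($m, 'https://webapp.domain.com',
    'https://webapp.unlisted.example/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'));
```

The second var_dump is the case a wildcard would have let through: a host that shares the webapp.* pattern but was never registered, which is exactly what per-host metadata exists to refuse.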