Dynamically specifying entityID?


Andrew Isherwood

Sep 29, 2022, 7:52:29 AM
to SimpleSAMLphp
Hi all

I'm building SSO into a pre-existing application. One of the requirements is to allow the application admin to define the IdP via the admin UI. I'm 99% of the way there. The final thing I'm stuck on is the entityID, as specified in authsources.php.

Currently this is set to null, which has worked fine when I've been testing with an IdP whose entityID is the same as its metadata URL, since SimpleSAMLphp falls back to using the URL if no entityID is specified.

However, for cases where the URL and entityID are not the same, I need to be able to allow an admin to specify an entityID via my UI and then use that when authenticating. I've had a look through the relevant parts of SimpleSAMLphp and wasn't able to find anywhere where I could pass an entityID; I've been looking around lib/SimpleSAML/IdP.php, specifically 'authenticate' and on from there, but no luck.

Is there any provision for this? If not, does anyone have any suggestions for ways to achieve what I'm after? Currently all I'm coming up with is dynamically rebuilding authsources.php whenever the associated UI is updated, which feels nasty.

Any ideas at all would be gratefully received!

Cheers
Andrew

Tim van Dijen

Sep 29, 2022, 10:52:48 AM
to SimpleSAMLphp
Hey Andrew,

You can pass an IDP to the login method:


- Tim

On Thursday, 29 September 2022 at 13:52:29 UTC+2, andrew.i...@ptfs-europe.com wrote:

Tim van Dijen

Sep 29, 2022, 10:56:38 AM
to SimpleSAMLphp
I think I misread your question. This is about the entityID, not the 'idp' setting.

Note that the authsources.php file is a PHP file, so you can dynamically set the `entityID` setting.

- Tim

On Thursday, 29 September 2022 at 16:52:48 UTC+2, Tim van Dijen wrote:
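The two replies above point at two different places an admin-chosen value can flow into SimpleSAMLphp: the `'idp'`/`'entityID'` keys of the `saml:SP` authsource in authsources.php (which is plain PHP and can compute its values), and the `saml:idp` option passed to `requireAuth()` at login time. The block below is an added example, not Tim's code and not part of SimpleSAMLphp itself; the settings file path, its JSON keys and the `app_*` helper functions are assumptions made for illustration. It also keeps the two entityIDs apart: `'entityID'` names this SP, while `'idp'` must equal the entityID published in the IdP's metadata.

```php
<?php
// config/authsources.php (example layout; SimpleSAMLphp loads this file as PHP)
//
// Assumption: the admin UI persists its SAML settings to a JSON file, e.g.
//   {"sp_entity_id": "https://app.example.com/sso/sp",
//    "idp_entity_id": "https://idp.example.org/idp/shibboleth"}
// The file is written only by the admin UI, never from request parameters.

declare(strict_types=1);

const APP_SAML_SETTINGS = '/var/lib/myapp/saml-settings.json'; // hypothetical path

/**
 * Load the admin-defined SAML settings. Returns [] if the file is missing or
 * malformed so the fallbacks below apply instead of breaking authsources.php.
 */
function app_saml_settings(): array
{
    if (!is_readable(APP_SAML_SETTINGS)) {
        return [];
    }
    $decoded = json_decode((string) file_get_contents(APP_SAML_SETTINGS), true);
    return is_array($decoded) ? $decoded : [];
}

/**
 * Accept only an absolute URI (scheme and host) as an entityID; anything else
 * (empty string, relative path, stray whitespace) yields $default instead.
 */
function app_entity_id(?string $candidate, ?string $default): ?string
{
    if ($candidate === null || trim($candidate) === '') {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $default;
    }
    return $candidate;
}

/**
 * For the application's login controller: send the user to the admin-selected
 * IdP per request via the 'saml:idp' option instead of (or as well as) fixing
 * it in the authsource. Not called from this file; shown here for contrast.
 */
function app_require_saml_login(): \SimpleSAML\Auth\Simple
{
    $idp = app_entity_id(app_saml_settings()['idp_entity_id'] ?? null, null);
    $as  = new \SimpleSAML\Auth\Simple('default-sp');
    $as->requireAuth($idp === null ? [] : ['saml:idp' => $idp]);
    return $as;
}

$settings = app_saml_settings();

$config = [
    'default-sp' => [
        'saml:SP',
        // SP entityID: the name of *this* application. null keeps the
        // fall-back to the metadata URL described in the original post.
        'entityID' => app_entity_id($settings['sp_entity_id'] ?? null, null),
        // IdP entityID: must match the entityID in the IdP's own metadata,
        // which is what the admin UI is really selecting. null means use
        // discovery (discoURL) instead of a fixed IdP.
        'idp'      => app_entity_id($settings['idp_entity_id'] ?? null, null),
        'discoURL' => null,
    ],
];
```

In a real deployment the helper functions belong in an include of the application rather than in authsources.php itself, and the settings file should be writable only by the admin UI's service account, since whoever controls `idp_entity_id` controls which IdP the application trusts.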

Peter Brand

Sep 29, 2022, 11:24:03 AM
to simple...@googlegroups.com
* Andrew Isherwood <andrew.i...@ptfs-europe.com> [2022-09-29 13:52]:
> I'm building SSO into a pre-existing application. One of the requirements
> is to allow the application admin to define the IdP via the admin UI. I'm
> 99% of the way there. The final thing I'm stuck on is the entityID, as
> specified in authsources.php.

Not what you'll want to hear but I'd like to add that I think that
this is the wrong model: Your entityID is the globally unique name for
your system. Why should the name of your system differ depending on
who you're talking to?
I.e., it's not for the IDP (you're federating with) to mandate what
your entityID is. Stop offering that option and the problem goes away
without loss of any functionality.

-peter

Andrew Isherwood

Sep 29, 2022, 12:02:01 PM
to SimpleSAMLphp
Hi all

Thanks for your responses, very much appreciated.

I think I've completely misled you! In my post, I referred to the entityID in authsources.php. At that point, I was incorrectly under the impression that the value specified there was somehow related to the entityID that is supplied in an IdP's metadata. Having done more reading of the docs today, I see that is not the case! The entityID I should have been referring to is the one that is supplied in an IdP's metadata. I realise that the issue I thought I was facing is a complete non-issue and the experiments I've been carrying out today have verified this.

So, in short, sorry for wasting your time, I really appreciate you taking the time to respond!

Cheers
Andrew