-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add note about Entity IDs and their validity check in upgrade docs for v2.0 #2014
Conversation
It makes sense to me to validate the URI in all places. |
I wouldn't say the one for WebSingleSignOn was left out on purpose, but I think we can be fairly sure that Was this PR marked WIP on purpose, or can I just merge it? |
It seems the first paragraph is merged already. The second point "EntityIDs are now checked for validity..." remains to be merged. I am happy to split that out and merge it to 2.2+. |
I have only added "EntityIDs are now checked for validity...". Other lines that are now "green" are from someone else / previous commits... :/. Another thing that still bothers me is that in the admin UI there is no indication that something is wrong with the entity. The entity is simply not listed. I was thinking to add a kind of "alert" functionality in admin UI when something is wrong, if you would wait a bit more :$... Currently we only see this kind of error in logs. |
6004a77
to
58bf8db
Compare
Bumps the production-dependencies group with 1 update: [simplesamlphp/simplesamlphp-assets-base](https://github.com/simplesamlphp/simplesamlphp-assets-base). Updates `simplesamlphp/simplesamlphp-assets-base` from 2.1.13 to 2.2.0 - [Commits](simplesamlphp/simplesamlphp-assets-base@v2.1.13...v2.2.0) --- updated-dependencies: - dependency-name: simplesamlphp/simplesamlphp-assets-base dependency-type: direct:production update-type: version-update:semver-minor dependency-group: production-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) from 10.5.17 to 10.5.18. - [Release notes](https://github.com/sebastianbergmann/phpunit/releases) - [Changelog](https://github.com/sebastianbergmann/phpunit/blob/10.5.18/ChangeLog-10.5.md) - [Commits](sebastianbergmann/phpunit@10.5.17...10.5.18) --- updated-dependencies: - dependency-name: phpunit/phpunit dependency-type: indirect update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix config.php.dist coding standards * Remove unused use-statements --------- Co-authored-by: Tim van Dijen <tvdijen@gmail.com>
I'll leave this as is for now (only add note that the entity ID is now checked for valid URI). |
Closed in ff350e9 |
While updating SimpleSAMLphp instance from v1.19 to v2.0.10, I have encountered an "...entity ID is not a valid RFC3986 compliant URI" error.
I don't see this noted in the upgrade docs, so here is a suggestion to add it.
But, it also seems to me that there is inconsistency in the check for the IdP part. For example, when I visit a federation overview page at ".../module.php/admin/federation", the hosted IdP with invalid entity ID was not listed, and in the logs I saw: "Federation: Error loading saml20-idp: 'some invalid entity id' is not a valid RFC3986 compliant URI. This check is done here:
simplesamlphp/modules/admin/src/Controller/Federation.php
Line 223 in 59a2c36
However, the whole SSO authentication process using that IdP goes without any issues. The check for entity ID being valid URI is not done in WebBrowserSingleSignOn::singleSignOnService()
simplesamlphp/modules/saml/src/Controller/WebBrowserSingleSignOn.php
Line 132 in 59a2c36
Was this left out on purpose?
On the other hand, for any hosted SP, this check is done in SP constructor and you can't initiate authn if entity ID is not valid:
simplesamlphp/modules/saml/src/Auth/Source/SP.php
Line 100 in 59a2c36