Allow metadata refresh url to also record validateFingerprint value via SAML instance config form

Bug #1895590 reported by Robert Lyon
This bug affects 1 person
Affects: Mahara
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: 21.10.0

Bug Description

Currently we can fetch metadata from the IdP via the metadata refresh URL, but we can't verify that what we fetch is valid.

Metadata can be signed with a signing certificate, and that certificate has a fingerprint.

With the metadata refresh system we can fetch the metadata file and check that the fingerprint we have recorded for it matches the one it was signed with.

This is useful to make sure that we are actually fetching and processing the correct file.

What we need to do to expand the usefulness of the metadata refresh system is:
1) Be able to record the fingerprint value (optional) alongside the refresh URL

2) Make sure that we only fetch each refresh URL once per cron run (e.g. if two or more institutions use the same metadata URL)

3) Make sure that if the metadata URL fails to fetch a valid XML file, an email is sent to admins alerting them of this fact

4) If the IdP metadata has been updated and signed with a new certificate, our metadata refresh will reject the file. We will need to make sure that the system handles 'could not verify signature using fingerprint' errors and alerts a Mahara admin that the fingerprint needs to be updated
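
The four points above describe one cron pass: fetch each distinct refresh URL once, pin the signing certificate's fingerprint per institution, and raise an admin alert on either a fetch/parse failure or a fingerprint mismatch. The following is an added example of that logic, written in Python rather than Mahara's PHP; it is not Mahara or SimpleSAMLphp code. The institution record shape, the function names, the sample metadata and the placeholder certificate bytes are all constructed for the example. One caveat it deliberately makes visible: comparing the fingerprint of the certificate embedded in the document only proves anything once the document's XML signature has been verified against that same certificate (the job the SAML library does when the validateFingerprint value named in the title is set); the block models the pinning, de-duplication and alerting around that check, not the signature verification itself.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

# Added example, not Mahara/SimpleSAMLphp code; names and samples are constructed.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the IdP's metadata-signing certificate.
SAMPLE_DER = b"constructed DER placeholder, not a real certificate"

# Constructed metadata document carrying that "certificate" in ds:KeyInfo.
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue>"
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(SAMPLE_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    '<md:EntityDescriptor entityID="https://idp.example/saml"/>'
    "</md:EntitiesDescriptor>"
)


def fingerprint_of(der: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER bytes: what `openssl x509 -fingerprint` prints, minus colons."""
    return hashlib.new(algo, der).hexdigest()


def normalise(fp: str) -> str:
    """Compare pins on bare lowercase hex, whatever form the admin pasted in."""
    fp = re.sub(r"^(sha1|sha256):", "", fp.strip().lower())
    return fp.replace(":", "")


def signing_cert_der(xml_text: str) -> Optional[bytes]:
    """DER bytes of the X509Certificate under the document-level ds:Signature, or None."""
    # ElementTree does not fetch external entities, but it is still exposed to
    # entity-expansion bombs: a real fetcher should cap body size or use defusedxml.
    root = ET.fromstring(xml_text)
    cert = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    text = (cert.text or "") if cert is not None else ""
    if not text.strip():
        return None
    return base64.b64decode("".join(text.split()))


def check_metadata(xml_text: Optional[str], recorded_fp: Optional[str]) -> str:
    """Classify one fetched document: ok | fetch_failed | invalid_xml | unsigned | fingerprint_mismatch.

    Pins the certificate *presented* in the document; meaningful only after the XML
    signature has been verified with that certificate, which is left to the SAML library.
    """
    if xml_text is None:
        return "fetch_failed"
    try:
        der = signing_cert_der(xml_text)
    except (ET.ParseError, ValueError):  # ValueError covers malformed base64
        return "invalid_xml"
    if not recorded_fp:
        return "ok"  # no pin recorded: the optional case in the report
    if der is None:
        return "unsigned"
    want = normalise(recorded_fp)
    algo = "sha256" if len(want) == 64 else "sha1"
    return "ok" if fingerprint_of(der, algo) == want else "fingerprint_mismatch"


def refresh_run(institutions: List[Dict[str, str]],
                fetch: Callable[[str], Optional[str]]) -> Dict[str, object]:
    """One cron pass: fetch each distinct URL once, check per institution, collect alerts."""
    fetched: Dict[str, Optional[str]] = {}
    results: Dict[str, str] = {}
    alerts: List[str] = []
    for inst in institutions:
        url = inst["url"]
        if url not in fetched:                 # point 2: one fetch per URL per run
            fetched[url] = fetch(url)
        outcome = check_metadata(fetched[url], inst.get("fingerprint"))
        results[inst["name"]] = outcome
        if outcome == "fingerprint_mismatch":  # point 4: pin is stale or file is bogus
            alerts.append(f"{inst['name']}: {url} is signed with a certificate that does not "
                          "match the recorded fingerprint; update the pin only if the IdP "
                          "really rotated its key, otherwise treat the file as hostile")
        elif outcome != "ok":                  # point 3: fetch or parse failure
            alerts.append(f"{inst['name']}: no valid metadata from {url} ({outcome})")
    return {"fetches": len(fetched), "results": results, "alerts": alerts}


def demo() -> Dict[str, object]:
    """Run the pass over constructed institutions with an offline fetcher."""
    good = fingerprint_of(SAMPLE_DER, "sha256")
    stale = "sha1:" + ":".join(["AB"] * 20)   # colon form, as copied from openssl output
    institutions = [
        {"name": "inst-a", "url": "https://idp.example/metadata", "fingerprint": good},
        {"name": "inst-b", "url": "https://idp.example/metadata", "fingerprint": stale},
        {"name": "inst-c", "url": "https://idp.example/metadata", "fingerprint": ""},
        {"name": "inst-d", "url": "https://down.example/metadata", "fingerprint": good},
    ]

    def fetch(url: str) -> Optional[str]:
        return SAMPLE_METADATA if url == "https://idp.example/metadata" else None

    return refresh_run(institutions, fetch)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The pin is checked per institution even though the URL is fetched once, because two institutions sharing a URL may legitimately hold different recorded values (one updated after a key rotation, one not), and the mismatch alert tells the admin to update the pin only after confirming the IdP actually rotated its key, since an unexpected new certificate is exactly what a substituted metadata file would look like.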

Changed in mahara:
status: New → Confirmed
summary: Allow metadata refresh url to also also record validateFingerprint value
- via sAML instance config form
+ via SAML instance config form
tags: added: auth
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/11393

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/11393
Committed: https://git.mahara.org/mahara/mahara/commit/a45bb397c43059402a0c98cb9f53463fb400cf93
Submitter: Lisa Seeto (<email address hidden>)
Branch: master

commit a45bb397c43059402a0c98cb9f53463fb400cf93
Author: Robert Lyon <email address hidden>
Date: Tue Oct 20 14:09:29 2020 +1300

Bug 1895590: Adding ability to save / use metadata fingerprint

Change-Id: I125068bd7eb28cd0b5c236721ec585c27f7d8319
Signed-off-by: Robert Lyon <email address hidden>

Lisa Seeto (lisaseeto)
Changed in mahara:
status: Confirmed → Fix Committed
summary: - Allow metadata refresh url to also also record validateFingerprint value
- via SAML instance config form
+ Allow metadata refresh url to also record validateFingerprint value via
+ SAML instance config form
Changed in mahara:
milestone: none → 21.10.0
tags: added: newfeature
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released