Fix SAML2 endpoints registration when base_url includes a path #483

Open
wants to merge 2 commits into base: master
Conversation

guillomovitch

This PR fixes issue #179.

I didn't fix metadata endpoint registration, though.

@bajnokk
Contributor

bajnokk commented Jan 22, 2025

Note there is a related PR #451, which tries to take care of all backend and frontend modules. I'd be happy if you could point out whether there are any key differences.

Guillaume Rousse added 2 commits January 22, 2025 11:39
declare only relative URLs in configuration, so as to fix registration
when the base URL contains a path (issue IdentityPython#179), and expose those endpoints
to the outer world by appending the base URL when needed.

This is much simpler than parsing absolute URLs, and more consistent
with the OIDC frontends' behaviour.
Rather have a working metadata exposure endpoint registration, whatever the base URL is,
than try to deduce it from the entityID.
guillomovitch force-pushed the hotfix/fix-saml2-endpoints-handling branch from 1cbaf03 to ee5c0a9 on January 22, 2025 10:39
@guillomovitch
Author

guillomovitch commented Jan 22, 2025

Thanks for the remark, I hadn't noticed this PR. It seems we now have three different issues (#148, #179, #404) and two different PRs (#451, #483) about the same problem :)

Regarding your own PR, it seems far more complete than mine, which was a quick'n'dirty fix for my own use case. I lack knowledge of SATOSA internals, but if I understand correctly, you modified routing to fix the issue. This strategy lets inconsistencies persist between module configurations, some using absolute URLs (SAML backend and frontends), i.e.:

endpoints:
  assertion_consumer_service:
    - [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']

while others (idpy-oidc frontend) use relative ones, i.e.:

endpoint:
  provider_info:
    path: .well-known/openid-configuration

I'd personally prefer to enforce the same overall convention for configuration files. And I also find it easier to deduce absolute URLs by appending a relative one to the base URL, when needed, than to try to deduce relative URLs from absolute ones using complex parsing.

BTW, your PR doesn't cover the SAML2 backend, which has to be fixed as well, at least for the reload-metadata endpoint, and probably for others too.
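To make the two conventions discussed in this thread concrete, here is an added, self-contained illustration. It is not SATOSA code and not the code of either PR: the base URL https://proxy.example.com/satosa, the module name Saml2IDP and all function names are assumptions chosen for the example. It shows how a relative path is published by appending it to base_url, how a router-relative route has to be recovered from an absolute URL when base_url carries a path, and the two ways that recovery goes wrong (taking the URL path as-is, and using urljoin on a base without a trailing slash).

```python
"""Added illustration of the two endpoint-configuration conventions discussed
in this thread. Not SATOSA code; base URL, module name and function names are
assumptions for the example."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Assumed deployment: the proxy is served below a path, which is the case
# that breaks absolute-URL registration when that path is not accounted for.
BASE_URL = "https://proxy.example.com/satosa"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def expand_template(template: str, base_url: str, name: str) -> str:
    """Substitute the <base_url> and <name> placeholders seen in the config snippets above."""
    return template.replace("<base_url>", base_url.rstrip("/")).replace("<name>", name)


def absolute_from_relative(base_url: str, rel_path: str) -> str:
    """Relative convention: publish an endpoint by appending the path to base_url.

    Explicit strip/join is used on purpose: urllib.parse.urljoin drops the last
    path segment of a base that has no trailing slash (see urljoin_pitfall).
    """
    return f"{base_url.rstrip('/')}/{rel_path.lstrip('/')}"


def urljoin_pitfall(base_url: str, rel_path: str) -> str:
    """What urljoin returns for a base_url that carries a path and no trailing slash."""
    return urljoin(base_url, rel_path)


def route_from_absolute(base_url: str, url: str) -> Optional[str]:
    """Absolute convention: recover the router-relative path from a full URL.

    Returns None when url is not under base_url (different scheme/host, or a
    path not below the base path) rather than registering a route the proxy
    can never serve.
    """
    base, target = urlsplit(base_url), urlsplit(url)
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        return None
    prefix = base.path.rstrip("/") + "/"          # "/satosa/" or "/"
    if not target.path.startswith(prefix):        # trailing slash stops "/satosaX/" matching
        return None
    return target.path[len(prefix):]


def naive_route_from_absolute(url: str) -> str:
    """The shortcut that misbehaves: take the URL path and ignore base_url,
    so the base path leaks into the route and the router never matches it."""
    return urlsplit(url).path.lstrip("/")


def register_endpoints(base_url: str, name: str, specs):
    """Map config entries of either convention to (route, public_url, binding).

    An entry with a URL scheme is treated as absolute, anything else as
    relative to base_url. Unroutable absolute entries raise ValueError.
    """
    registered = []
    for spec, binding in specs:
        spec = expand_template(spec, base_url, name)
        if urlsplit(spec).scheme:
            route = route_from_absolute(base_url, spec)
            if route is None:
                raise ValueError(f"{spec} is not served under {base_url}")
            public_url = spec
        else:
            route = spec.strip("/")
            public_url = absolute_from_relative(base_url, route)
        registered.append((route, public_url, binding))
    return registered


if __name__ == "__main__":
    # Constructed sample config mixing both styles, as in the snippets above.
    specs = [
        ("<base_url>/<name>/acs/post", HTTP_POST),   # absolute style (SAML modules)
        ("<name>/acs/redirect", HTTP_REDIRECT),      # relative style (OIDC frontend)
    ]
    for route, public_url, binding in register_endpoints(BASE_URL, "Saml2IDP", specs):
        print(f"{route:25} -> {public_url}  [{binding}]")
    print("naive route:", naive_route_from_absolute(f"{BASE_URL}/Saml2IDP/acs/post"))
    print("urljoin:", urljoin_pitfall(BASE_URL, "Saml2IDP/acs/post"))
```

The relative direction needs only a string join, while the absolute direction needs scheme, host and prefix checks, and a prefix check that includes the trailing slash so that a sibling path such as /satosaX/ is not accepted; that asymmetry is the practical argument for the relative convention made in the comment above.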
