OpenConext / OpenConext-manage

Stores and publishes metadata of all entities known to OpenConext
Apache License 2.0

Do not import SAML 1.x endpoints #287

Closed phavekes closed 1 month ago

phavekes commented 1 month ago

This issue is imported from pivotal - Originally created at Apr 12, 2019 by Thijs Kinkhorst

The metadata import also imports SAML 1.x endpoints, e.g. when importing https://samltest.id/saml/providers

This is useless, obsolete and generates noise. So any endpoint can be skipped that is not SAML 2.0.

phavekes commented 1 month ago
@thijskh it is not clear to me what to exclude when you import the URL https://samltest.id/saml/providers. The `protocolSupportEnumeration` supports both 1.0 and 2.0. (Okke Harsta - May 7, 2019)
phavekes commented 1 month ago

Get the following result when importing SP "https://sp.tshhosting.com/shibboleth" from metadata url "https://metadata.surfconext.nl/edugain-downstream.xml" (Thijs Kinkhorst - May 28, 2019)

phavekes commented 1 month ago
@thijskh there are tests for this. See https://github.com/OpenConext/OpenConext-manage/blob/master/manage-server/src/test/java/manage/format/ImporterTest.java#L200. 

The reason why the 1.0 bindings are valid is because they are marked as valid enum values in https://github.com/OpenConext/OpenConext-deploy/blob/master/roles/manage-server/files/metadata_configuration/saml20_sp.schema.json#L9 (Okke Harsta - May 28, 2019)

phavekes commented 1 month ago

I removed the saml 1.0 bindings in OpenConext-deploy and re-deployed manage. Fixed the import. (Okke Harsta - May 28, 2019)
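As an added illustration of the behaviour discussed in this thread (example code, not part of OpenConext-manage or OpenConext-deploy): the importer only needs an allow-list of SAML 2.0 bindings, the same idea as the `enum` in the deploy schema, and every endpoint whose `Binding` is not on that list is skipped. The metadata sample below is constructed to resemble the samltest.id case (one SP whose `protocolSupportEnumeration` lists both 1.1 and 2.0, with mixed 1.x and 2.0 endpoints); the function and constant names are my own.

```python
"""Skip SAML 1.x endpoints when importing SAML 2.0 metadata (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Allow-list in the spirit of a JSON-schema enum: only SAML 2.0 bindings
# are importable. Anything else (1.0 profiles, Shibboleth 1.x, ...) is noise.
ALLOWED_BINDINGS = {
    SAML2_BINDING_PREFIX + "HTTP-POST",
    SAML2_BINDING_PREFIX + "HTTP-Redirect",
    SAML2_BINDING_PREFIX + "HTTP-Artifact",
    SAML2_BINDING_PREFIX + "SOAP",
    SAML2_BINDING_PREFIX + "PAOS",
}

# Endpoint element types on an SPSSODescriptor that carry a Binding attribute.
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleLogoutService", "ArtifactResolutionService")

# Constructed sample (not real metadata): one SP, mixed SAML 1.x / 2.0 endpoints.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.example.org/Shibboleth.sso/SAML/POST" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="3"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def extract_endpoints(metadata_xml, allowed=ALLOWED_BINDINGS):
    """Split SP endpoints into (kept, skipped) lists of (tag, binding, location).

    Only endpoints whose Binding is in `allowed` are kept; the rest are
    reported so an importer can log what it dropped instead of silently
    swallowing it.
    """
    root = ET.fromstring(metadata_xml)
    kept, skipped = [], []
    for tag in ENDPOINT_TAGS:
        for ep in root.iter(f"{{{MD_NS}}}{tag}"):
            binding = ep.get("Binding", "")
            entry = (tag, binding, ep.get("Location", ""))
            (kept if binding in allowed else skipped).append(entry)
    return kept, skipped


def to_import_record(metadata_xml):
    """Build the flat record an importer would persist: entityID plus
    only the SAML 2.0 endpoints, keyed by element type."""
    root = ET.fromstring(metadata_xml)
    kept, _ = extract_endpoints(metadata_xml)
    record = {"entityid": root.get("entityID"), "endpoints": {}}
    for tag, binding, location in kept:
        record["endpoints"].setdefault(tag, []).append(
            {"binding": binding, "location": location}
        )
    return record


if __name__ == "__main__":
    kept, skipped = extract_endpoints(SAMPLE_METADATA)
    for tag, binding, location in skipped:
        print(f"skipping non-SAML2 endpoint {tag} {binding} {location}")
    print(to_import_record(SAMPLE_METADATA))
```

Note that the filter keys on the per-endpoint `Binding`, not on `protocolSupportEnumeration`: as the thread points out, an SP can legitimately advertise both 1.x and 2.0 protocol support, and the enumeration alone does not say which individual endpoints are obsolete.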