Closed tamlyn closed 10 years ago
In your case, there is an entity descriptor for the SP and another for your IDP. I guess you only need the IDP metadata to configure it in the bundle. So you can simply extract this part (between l.10 and 156) and paste it in a separate file. Configure the IDP with this new extracted file in the bundle. It should work.
Thanks. That is what I did but I think it would make the bundle easier to use if it was able to parse most XML metadata formats without modification. I'm new to SAML and it's quite a lot to take in. Anything that makes it easier for other people like me is a big plus!
You can learn a lot by reading the specs :) Wasn't aware of this EntitiesDescriptor until now. Thanks for the issue.
We'll decompose this issue into two steps.
First is being able to parse such a document, and that's up to https://github.com/aerialship/lightsaml. I have created an issue there: https://github.com/aerialship/lightsaml/issues/11
Second is being able to set such metadata for the IDP you like to use here in SamlSpBundle. But I'm a bit puzzled how to approach and solve that. EntitiesDescriptor does not have an entityID and thus it does not define only one entity/IDP, so theoretically an EntitiesDescriptor might contain several IDP descriptors.
Here's what saml-metadata-2.0-os.pdf states in 4.1.1 Publication:
The XML document provided at the well-known location MUST describe the metadata only for the entity represented by the unique identifier (that is, the root element MUST be an <md:EntityDescriptor> with an entityID matching the location). If other entities need to be described, the <md:AffiliationDescriptor> element MUST be used. Thus the <md:EntitiesDescriptor> element MUST NOT be used in documents published using this mechanism, since a group of entities are not defined by such an identifier.
Any suggestions how to handle such metadata? Maybe beside just specifying the metadata with EntitiesDescriptor holding multiple EntitiesDescriptor(s) also specify the entityID (or somehow differently define the IDP from it) of the IDP you want to use?
On the other hand, not quite sure if it would be possible to use all IDPs defined in it. This approach would definitely require more changes and significant destabilization and refactoring.
Data model in https://github.com/aerialship/lightsaml/issues/11 is finished. Functional implementation can start here now.
Please, anybody, of you few following this... any wishes/thoughts how EntitiesDescriptor should be handled in SamlSpBundle with respect to its current configuration scheme? Check my previous comment.
I think having an optional `entity_id` config value in `security.yml` makes sense. Trying to load a metadata file with multiple `EntityDescriptor`s without specifying the `entity_id` could raise an exception.
Great, those were my thoughts too. Just wanted a confirmation. Thanks
Added aerialship/lightsaml/#19 to ease up retrieving of EDs by entityID
The metadata from testshib.org has a root element of EntitiesDescriptor which contains multiple EntityDescriptor elements. I don't know how common this is but it should probably be supported.
PS: thank you for making this bundle available. I'm so happy not to have to create it myself!
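Added illustration, not code from this thread, from SamlSpBundle or from lightsaml (both of which are PHP): a Python sketch of the selection rule agreed on above. It accepts metadata whose root is either a single EntityDescriptor or an EntitiesDescriptor (including nested groups, which the metadata schema permits), keeps only entities that carry an IDPSSODescriptor, returns the one IdP when there is exactly one, and otherwise requires an explicit entity_id and raises rather than silently picking the first match. The element names and namespace are the real SAML 2.0 metadata ones; the two metadata documents are constructed samples in the shape of the testshib.org feed, and the entityIDs and URLs in them are made up. It uses the standard-library ElementTree to stay dependency-free; for metadata fetched from the network a practitioner would parse with defusedxml and verify the metadata signature before trusting any endpoint taken from it.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = "{%s}EntityDescriptor" % MD_NS
ENTITIES = "{%s}EntitiesDescriptor" % MD_NS
IDP_SSO = "{%s}IDPSSODescriptor" % MD_NS
SSO_SERVICE = "{%s}SingleSignOnService" % MD_NS


class MetadataError(ValueError):
    """The metadata does not resolve to exactly one usable IdP."""


def iter_entity_descriptors(node):
    """Yield every EntityDescriptor under node. EntitiesDescriptor groups may
    nest, so recurse; ds:Signature / md:Extensions children match neither tag
    and are skipped."""
    if node.tag == ENTITY:
        yield node
    elif node.tag == ENTITIES:
        for child in node:
            yield from iter_entity_descriptors(child)


def describe_idp(ed):
    """Reduce an IdP EntityDescriptor to what an SP needs to configure it."""
    sso = ed.find(IDP_SSO)
    return {
        "entityID": ed.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in sso.findall(SSO_SERVICE)},
    }


def select_idp(metadata_xml, entity_id=None):
    """Single-IdP document: no entity_id needed. Multi-IdP document: entity_id
    is mandatory and must match exactly one IdP, otherwise raise."""
    root = ET.fromstring(metadata_xml)
    if root.tag not in (ENTITY, ENTITIES):
        raise MetadataError("unexpected root element %s" % root.tag)
    # Entities without an IDPSSODescriptor (e.g. the SP's own entry) are ignored.
    idps = [ed for ed in iter_entity_descriptors(root) if ed.find(IDP_SSO) is not None]
    if entity_id is not None:
        matches = [ed for ed in idps if ed.get("entityID") == entity_id]
        if len(matches) != 1:
            raise MetadataError("%d IdP descriptors match entityID %r" % (len(matches), entity_id))
        return describe_idp(matches[0])
    if not idps:
        raise MetadataError("metadata contains no IDPSSODescriptor")
    if len(idps) > 1:
        ids = [ed.get("entityID") for ed in idps]
        raise MetadataError("metadata describes %d IdPs; set entity_id to one of %s" % (len(idps), ids))
    return describe_idp(idps[0])


# Constructed sample in the shape of the testshib.org feed from the issue:
# one SP and one IdP under a single EntitiesDescriptor root (made-up URLs).
SP_AND_IDP = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:mace:example:constructed">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </SPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed federation-style feed: two IdPs, the second inside a nested group.
TWO_IDPS = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp-a.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/sso"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntitiesDescriptor Name="urn:mace:example:subgroup">
    <EntityDescriptor entityID="https://idp-b.example.org/idp">
      <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://idp-b.example.org/sso"/>
      </IDPSSODescriptor>
    </EntityDescriptor>
  </EntitiesDescriptor>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    print(select_idp(SP_AND_IDP))
    print(select_idp(TWO_IDPS, entity_id="https://idp-b.example.org/idp"))
    try:
        select_idp(TWO_IDPS)
    except MetadataError as exc:
        print("refused:", exc)
```

The important design choice is the failure mode: an SP that quietly used the first IdP in a federation feed would trust whichever entity happened to be listed first, so an ambiguous document is treated as a configuration error, and an entity_id that matches the SP's own entry (which has no IDPSSODescriptor) is rejected the same way.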