cdaecke / md_saml

TYPO3 SSO Login with SAML authentication

make SAML-Metadata (optionally) also available without Typo3-BE-login #31

Open christophs78 opened 1 month ago

christophs78 commented 1 month ago

Since https://github.com/cdaecke/md_saml/commit/6c035429459c19c8c389a23fe23fdf41dcb6e120 SAML-Metadata is only delivered to the client with Typo3-BE-login.

https://stackoverflow.com/questions/38962290/security-concerns-with-providing-saml-metadata-on-public-url says there is no reason to hide SAML-metadata. But I expect someone thought it was a good idea to hide SAML-metadata without Typo3-BE-login.

Why should SAML-metadata be available without Typo3-BE-login? To allow an IDP to automatically read up-to-date Typo3-SAML-metadata in intervals.

md_saml generates attributes like validUntil into the SAML-metadata. This is a good thing. But it requires manual work when manually materializing SAML-metadata. We would avoid this by allowing the IDP to automatically read up-to-date Typo3-SAML-metadata.
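The refresh logic the comment relies on, as an added example that is not part of md_saml or of this thread: an IdP-side check (Python, standard library only) that reads validUntil and cacheDuration from SP metadata and decides when the document must be re-fetched and whether it may still be used. The metadata document below is constructed for the example; the entityID and timestamps are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (not taken from md_saml or any real deployment).
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata"
    validUntil="2024-07-01T12:00:00Z" cacheDuration="PT24H">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""


def utc(iso: str) -> datetime:
    """Parse an xs:dateTime such as 2024-07-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_duration(value: str) -> timedelta:
    """Parse the ISO 8601 duration subset used for cacheDuration (PnDTnHnMnS)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def parse_metadata(xml_text: str) -> dict:
    """Extract entityID, validUntil and cacheDuration from an EntityDescriptor.
    For metadata fetched over the network, parse with defusedxml instead of ET."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    vu, cd = root.get("validUntil"), root.get("cacheDuration")
    return {"entity_id": root.get("entityID"),
            "valid_until": utc(vu) if vu else None,
            "cache_duration": parse_duration(cd) if cd else None}


def next_refresh(meta: dict, fetched_at: datetime) -> Optional[datetime]:
    """When to re-fetch: the earlier of cacheDuration expiry and validUntil."""
    due = [fetched_at + meta["cache_duration"]] if meta["cache_duration"] else []
    if meta["valid_until"]:
        due.append(meta["valid_until"])
    return min(due) if due else None


def is_usable(meta: dict, now: datetime) -> bool:
    """Expired metadata must be rejected even if a fresh copy cannot be fetched."""
    return meta["valid_until"] is None or now < meta["valid_until"]
```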

christophs78 commented 1 month ago

... when you find my thoughts useful, I may provide a PR for this.