Open srenatus opened 7 years ago
Hi @srenatus,
Currently the SAML metadata discovery is not on our roadmap, but we hope that https://github.com/coreos/dex/issues/968 should handle this requirement. #968 will be picked up and worked on soon.
@rithujohn191 thanks for the insights! :)
Btw, I believe there used to be a roadmap doc here -- Is this still something I could take a peek at somewhere?
Thinking about this again, it seems like the right approach would be to make the SAML connector more like a go-oidc client -- treating IdP metadata analogously to jwks here.
This would address the issue of the SAML IdP rotating their certificates periodically, and Dex's SAML connector keeping up with that -- instead of using hardcoded IdP certs.
Also: Is this something you'd accept as a PR?
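As an added illustration of the metadata-as-JWKS approach proposed above (this is example code, not code from this thread or from Dex itself), the block below parses an IdP's SAML 2.0 metadata, keeps only the `KeyDescriptor` entries usable for signing, and shows the refresh step a background goroutine would run, keeping the last known-good certificate set when a fetch or parse fails. The names `entityDescriptor`, `signingCerts`, `refresh`, `selfSignedCertDER` and `sampleMetadata`, the entity ID `https://idp.example.test/saml`, and the metadata document itself are all my own constructions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Just enough of SAML 2.0 metadata to reach the IdP's KeyDescriptors. Tags omit namespaces
// so encoding/xml matches on local names whatever prefixes (md:, ds:, none) the IdP uses.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	IDP      struct {
		Keys []struct {
			Use   string   `xml:"use,attr"`
			Certs []string `xml:"KeyInfo>X509Data>X509Certificate"`
		} `xml:"KeyDescriptor"`
	} `xml:"IDPSSODescriptor"`
}

// signingCerts returns the certs the IdP publishes for signature verification. A key with
// no "use" attribute serves both purposes and is kept; "encryption"-only keys are skipped.
func signingCerts(metadata []byte) ([]*x509.Certificate, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return nil, fmt.Errorf("parse metadata: %w", err)
	}
	var certs []*x509.Certificate
	for _, kd := range ed.IDP.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue
		}
		for _, b64 := range kd.Certs {
			// Metadata usually line-wraps the base64, so strip whitespace before decoding.
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
			if err != nil {
				return nil, fmt.Errorf("decode X509Certificate: %w", err)
			}
			c, err := x509.ParseCertificate(der)
			if err != nil {
				return nil, fmt.Errorf("parse X509Certificate: %w", err)
			}
			certs = append(certs, c)
		}
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("metadata for %q lists no signing certificate", ed.EntityID)
	}
	return certs, nil
}

// refresh is the step a ticker goroutine would run, the way go-oidc refreshes a remote JWKS.
// On any fetch or parse failure it hands back the previous set, so a transient metadata
// outage does not break logins. Publish the result to verifiers via a mutex or atomic.Value.
func refresh(fetch func() ([]byte, error), previous []*x509.Certificate) ([]*x509.Certificate, error) {
	raw, err := fetch() // an HTTP GET of the metadata URL in practice (assumed, not Dex code)
	if err != nil {
		return previous, err
	}
	certs, err := signingCerts(raw)
	if err != nil {
		return previous, err
	}
	return certs, nil
}

// selfSignedCertDER makes a throwaway certificate for the constructed sample below.
func selfSignedCertDER(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

// sampleMetadata is a constructed IdP document with one signing key and one encryption-only key.
func sampleMetadata(signingDER, encDER []byte) []byte {
	kd := func(use string, der []byte) string {
		return `<md:KeyDescriptor use="` + use + `"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` +
			base64.StdEncoding.EncodeToString(der) + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	}
	return []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>` +
		kd("signing", signingDER) + kd("encryption", encDER) + `</md:IDPSSODescriptor></md:EntityDescriptor>`)
}

func main() {
	meta := sampleMetadata(selfSignedCertDER("idp-signing"), selfSignedCertDER("idp-enc"))
	certs, err := refresh(func() ([]byte, error) { return meta, nil }, nil)
	fmt.Println(len(certs), "signing cert(s), err =", err)
}
```

Two points worth noting for a real connector: a `KeyDescriptor` with no `use` attribute is valid for signing as well as encryption, so filtering on `use == "signing"` alone would drop it; and because IdPs publish the new certificate alongside the old one during rotation, the verifier should accept any certificate in the current set rather than just the first.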
Currently, the SAML connector is configured using either a hardcoded cert PEM file or data (that is read once when the connector is configured). IdPs that rotate their signing keys publish the certs of their keys via metadata.
I saw that there's a TODO comment regarding metadata already -- What's the state of this? Is this on any roadmap?
I've also wondered how to do this in Dex. Would it be an acceptable thing to spawn a goroutine in the `Open()` method? Or would this be covered by #968, and an external process that polls the IdP's metadata and sets the certificate(s) to be used for signature verification? Thanks! 😃