Closed by dsmrt 4 years ago
One thought I have is that if the metadata does get cached, maybe there can be certain situations that force it to refresh automatically. I'm just worried something like this may happen again where the metadata gets refreshed at the IDP and nobody is around to update it so people can't access the site.
Originally posted by @benjaminkohl in https://github.com/flipboxfactory/saml-sp/issues/38#issuecomment-570348089
This should really be a high priority.
ADFS changes the encryption keys often.
The login is broken at the moment ... not really sure why. The XML metabase from the ADFS metadata endpoint is not really compatible ...
Can't really remember what I did the last time ...
Added in 2.1!
I didn’t add a built-in way to automatically renew the metadata fetch, but I did add a way to run the update via the command line, so once you have the provider configured, you can do something like this:
php craft saml-sp/metadata/refresh-with-url <uid>
As shown here: https://saml-sp.flipboxfactory.com/configure/faqs.html#does-the-plugin-support-a-metadata-url
This issue is coming up again for our client this morning and nobody can log in. I even re-saved the IDP and the other provider in the control panel then ran the above Craft console command with the appropriate uid and it ran successfully but the SSO is still producing the following exception:
2020-03-12 09:19:30 [-][-][1gh7ekc3faucqjmte7bt8getch][error][Exception] Exception: Unable to validate Signature in /home/client/site.com/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:181
Stack trace:
#0 /home/client/site.com/vendor/simplesamlphp/saml2/src/SAML2/Assertion.php(672): SAML2\Utils::validateSignature()
#1 /home/client/site.com/vendor/flipboxfactory/saml-core/src/validators/SignedElement.php(34): SAML2\Assertion->validate()
#2 /home/client/site.com/vendor/flipboxfactory/saml-core/src/validators/Assertion.php(107): flipbox\saml\core\validators\SignedElement->validate()
#3 /home/client/site.com/vendor/flipboxfactory/saml-core/src/validators/Response.php(94): flipbox\saml\core\validators\Assertion->validate()
#4 /home/client/site.com/vendor/flipboxfactory/saml-core/src/validators/Response.php(74): flipbox\saml\core\validators\Response->validateAssertions()
#5 /home/client/site.com/vendor/flipboxfactory/saml-sp/src/controllers/LoginController.php(80): flipbox\saml\core\validators\Response->validate()
#6 [internal function]: flipbox\saml\sp\controllers\LoginController->actionIndex()
#7 /home/client/site.com/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array()
#8 /home/client/site.com/vendor/yiisoft/yii2/base/Controller.php(157): yii\base\InlineAction->runWithParams()
#9 /home/client/site.com/vendor/craftcms/cms/src/web/Controller.php(178): yii\base\Controller->runAction()
#10 /home/client/site.com/vendor/yiisoft/yii2/base/Module.php(528): craft\web\Controller->runAction()
#11 /home/client/site.com/vendor/craftcms/cms/src/web/Application.php(291): yii\base\Module->runAction()
#12 /home/client/site.com/vendor/yiisoft/yii2/web/Application.php(103): craft\web\Application->runAction()
#13 /home/client/site.com/vendor/craftcms/cms/src/web/Application.php(276): yii\web\Application->handleRequest()
#14 /home/client/site.com/vendor/yiisoft/yii2/base/Application.php(386): craft\web\Application->handleRequest()
#15 /home/client/site.com/public/index.php(28): yii\base\Application->run()
#16 {main}
We are still running v2.1.2 of the plugin. Is there anything in the two releases after that that might fix this?
You are using the metadata url option right? Can you try deleting the metadata xml from the text field (leaving the url text field as is) then resaving?
That's correct. Removing the metadata, then resaving appears to have corrected the issue.
Is there a way we can do this programmatically so that it gets refreshed periodically or just never gets cached? I don't mind if that slows down the login process. Maybe the console command can take care of that and we can run it on a cron job every five minutes (or even every minute). We can't have the SSO going down every few months.
This is a bug. If the Metadata URL is present, the metadata XML should be overwritten so we'll get a patch going for that. This will mitigate your issue, then you just run the cron to update this via cli.
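One way to put the CLI refresh on a schedule without re-importing the metadata blindly every few minutes, as an added example that is not part of the saml-sp plugin or this thread: the script below downloads the IdP metadata, fingerprints the certificates it contains, and only runs `php craft saml-sp/metadata/refresh-with-url <uid>` when that set has changed since the last run. The Craft path, provider uid, metadata URL and state-file path are placeholders, and the metadata documents used by the self-check are constructed test data, not real ADFS output.

```shell
#!/bin/sh
# Added example, not part of the saml-sp plugin: detect a change of the IdP's
# certificates in its published metadata and, only then, run the plugin's
# refresh command. Paths, provider uid, URL and state file are placeholders;
# the metadata documents produced by sample_metadata are constructed test data.
set -eu

CRAFT_DIR="${CRAFT_DIR:-/path/to/craft}"                          # placeholder
PROVIDER_UID="${PROVIDER_UID:-<uid>}"                              # placeholder
METADATA_URL="${METADATA_URL:-https://idp.example/metadata.xml}"   # placeholder
STATE_FILE="${STATE_FILE:-/var/tmp/idp-cert.fingerprint}"          # placeholder

# Print the base64 body of every X509Certificate element in a metadata file,
# one per line, whitespace removed, duplicates collapsed. Text tools rather than
# an XML parser, so this is only a change detector; the plugin still does the
# real SAML validation.
cert_bodies() {
    tr -d '\n\r\t ' < "$1" \
      | grep -o '<\(ds:\)\{0,1\}X509Certificate>[^<]*' \
      | sed 's/^<[^>]*>//' \
      | sort -u
}

# One fingerprint for the whole certificate set; prints nothing when the
# document contains no certificate at all (treated as a fetch problem).
cert_fingerprint() {
    bodies="$(cert_bodies "$1")"
    [ -n "$bodies" ] || return 0
    printf '%s\n' "$bodies" | cksum | cut -d' ' -f1
}

# True (exit 0) when the fingerprint differs from the one in the state file,
# or when there is no state file yet.
needs_refresh() {
    fp="$1"; state="$2"
    [ -f "$state" ] || return 0
    [ "$(cat "$state")" != "$fp" ]
}

# Constructed metadata document with one signing and one encryption certificate.
sample_metadata() {
    cat <<EOF
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$1</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>$2</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
EOF
}

# Fetch the live metadata and refresh the provider only when the certs changed.
sync_metadata() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    # -f: an HTTP error must not leave an empty file that looks like "no certs".
    curl -fsS --max-time 20 -o "$tmp" "$METADATA_URL"
    fp="$(cert_fingerprint "$tmp")"
    if [ -z "$fp" ]; then
        echo "no certificate found in metadata from $METADATA_URL; not refreshing" >&2
        return 2
    fi
    if needs_refresh "$fp" "$STATE_FILE"; then
        (cd "$CRAFT_DIR" && php craft saml-sp/metadata/refresh-with-url "$PROVIDER_UID")
        printf '%s\n' "$fp" > "$STATE_FILE"
        echo "IdP certificates changed; refreshed provider $PROVIDER_UID"
    fi
}

# Offline self-check on the constructed documents: exit 0 when an unchanged
# document is left alone and a rotated signing certificate is detected.
self_check() {
    a="$(mktemp)"; b="$(mktemp)"; c="$(mktemp)"; st="$(mktemp)"
    sample_metadata MIIBconstructedSigningCertA MIIBconstructedEncCertA > "$a"
    sample_metadata MIIBconstructedSigningCertA MIIBconstructedEncCertA > "$b"
    sample_metadata MIIBconstructedSigningCertB MIIBconstructedEncCertA > "$c"
    cert_fingerprint "$a" > "$st"
    needs_refresh "$(cert_fingerprint "$b")" "$st" && return 1   # unchanged: no refresh
    needs_refresh "$(cert_fingerprint "$c")" "$st" || return 1   # rotated: refresh
    rm -f "$a" "$b" "$c" "$st"
}

case "${1:-}" in
    run)   sync_metadata ;;
    check) self_check && echo "self-check passed" ;;
esac
```

Run `sh idp-metadata-sync.sh check` once to confirm the detector on the constructed documents, then schedule `sh idp-metadata-sync.sh run` from cron (for example every five minutes) so the state file is created on the first run and the plugin refresh only happens when ADFS actually rolls its certificates. Because `curl -f` aborts on an HTTP error and an empty certificate set is refused, a temporarily unreachable IdP never overwrites the working metadata.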
Found the issue there and pushed it up in 2.1.5. Update saml-core as well.
Okay, thank you! We updated the plugin and we're putting that console command on a schedule so that should clear things up for the client.
No prob @benjaminkohl , sorry for the inconvenience!
It would be nice to have a text field for IdP Metadata Url. This way, instead of copying and pasting the xml, you can point the plugin to the URL and import it from there. This would be nice in cases where the certificates have been updated (but the URL has stayed the same).
Great feature request from: @benjaminkohl Ref: https://github.com/flipboxfactory/saml-sp/issues/38