handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License

Remove the need for supplying a certificate and keyfile if request not signed #16

Closed peterox closed 6 years ago

peterox commented 6 years ago

If sign_requests and sign_metadata is set to false then there should be no need to supply a certificate or key.

handnot2 commented 6 years ago

The default behavior remains the same - SAML request/response signing is on by default. If the following Identity Provider attributes are explicitly set to false, you can skip providing the certfile and keyfile attributes in the Service Provider configuration: sign_requests, sign_metadata, signed_assertion_in_resp and signed_envelopes_in_resp. Here is an example:

```elixir
service_providers: [
  %{
    id: "do-good-affiliates-sp",
    entity_id: "urn:do-good.org:affiliates-app"
  }
],
identity_providers: [
  %{
    id: "affiliates",
    sp_id: "do-good-affiliates-sp",
    base_url: "http://do-good.org/sso",
    metadata_file: "idp_metadata.xml",
    # pre_session_create_pipeline: MySamlyPipeline,
    # use_redirect_for_req: false,
    sign_requests: false,
    sign_metadata: false,
    signed_assertion_in_resp: false,
    signed_envelopes_in_resp: false,
    allow_idp_initiated_flow: false,
    allowed_target_urls: ["http://do-good.org"]
  }
]
```

peterox commented 6 years ago

Hi there,

My understanding is that the certfile and key in the SP config is ONLY used for signing requests. The certificate in the metadata from the IDP is used to verify signed responses. Is that not correct?

If it is correct then why do signed_assertion_in_resp and signed_envelopes_in_resp need to be false when there is no certfile and/or key?

Peter

handnot2 commented 6 years ago

You are correct! Do you mind sending a PR? Thanks.
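The rule the thread settles on, written out as a standalone config check. This is an added example, not code from the samly project or from either participant; the `SamlyConfigCheck` module and its `check/2` function are assumed names, and the "signing on by default" fallback follows the maintainer's statement above.

```elixir
# Added example (not samly's own code). The SP certfile/keyfile are only
# needed when the SP itself signs something (sign_requests, sign_metadata).
# signed_assertion_in_resp and signed_envelopes_in_resp are verified with
# the certificate from the IdP metadata, so they need no SP key material.
defmodule SamlyConfigCheck do
  # Flags that make the SP produce a signature and therefore need a key.
  @sp_signing_flags [:sign_requests, :sign_metadata]
  # Flags that only require the IdP's metadata certificate for verification.
  @idp_verify_flags [:signed_assertion_in_resp, :signed_envelopes_in_resp]

  # Checks one service_providers entry against one identity_providers entry.
  # Returns {:ok, reason} or {:error, reason}. Missing flags default to true,
  # matching the stated default that signing is on unless explicitly disabled.
  def check(sp, idp) do
    sp_signs? = Enum.any?(@sp_signing_flags, &Map.get(idp, &1, true))
    idp_verifies? = Enum.any?(@idp_verify_flags, &Map.get(idp, &1, true))
    has_key? = Map.has_key?(sp, :certfile) and Map.has_key?(sp, :keyfile)

    cond do
      sp_signs? and not has_key? ->
        {:error, "sign_requests/sign_metadata enabled but certfile/keyfile missing"}

      not sp_signs? and idp_verifies? ->
        {:ok, "no SP key needed; response signatures verified with IdP metadata cert"}

      not sp_signs? ->
        {:ok, "no SP key needed; nothing is signed or verified"}

      true ->
        {:ok, "SP key present for request/metadata signing"}
    end
  end
end

# Constructed sample config, mirroring the example in this thread but with
# response verification left on while request/metadata signing is off.
sp = %{id: "do-good-affiliates-sp", entity_id: "urn:do-good.org:affiliates-app"}

idp = %{
  id: "affiliates",
  sp_id: "do-good-affiliates-sp",
  metadata_file: "idp_metadata.xml",
  sign_requests: false,
  sign_metadata: false,
  signed_assertion_in_resp: true,
  signed_envelopes_in_resp: true
}

IO.inspect(SamlyConfigCheck.check(sp, idp))
```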

handnot2 commented 6 years ago

Thanks. Will update the doc.