plp050452 / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp

Processor for renaming SP entity ID #461

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Purpose of code changes on this branch:

Processor for renaming remote SP entity ID on IdP.

Scenario: SP domain and entity ID are changed. Some users may have IdP 
bookmarks with old SP entity IDs, and we want to make the transition painless.

Presumption is that we have old and new sp-remote metadata on the IdP, and that 
AssertionConsumerService URLs in the old metadata are changed to the new domain.

I'll write some documentation if you accept the idea of this processor.

When reviewing my code changes, please focus on:

Should I change something else in the state besides SPMetadata, Destination, and 
core:SP? I don't change saml:ConsumerURL because it should be changed in the 
sp-remote metadata to the new value.

After the review, I'll merge this branch into:
/trunk

Original issue reported on code.google.com by comel...@gmail.com on 2 Dec 2011 at 1:43

Attachments:

GoogleCodeExporter commented 8 years ago
I don't think I like the approach of replacing the destination in the middle of 
the authentication process. I would prefer to avoid making that an operation 
that must be supported for backwards-compatibility.

The URLs that are used to trigger IdP-initiated SSO are relatively well-formed, 
so maybe it would be possible to do the redirects with the web server?

Original comment by olavmrk@gmail.com on 6 Dec 2011 at 8:19

GoogleCodeExporter commented 8 years ago
There are some more scenarios to cover, but yes, all can be covered with 
redirects. I'm closing this.

Original comment by comel...@gmail.com on 6 Dec 2011 at 9:10

GoogleCodeExporter commented 8 years ago
Here is another solution for the same problem, because it's simpler to handle 
this in SSP than with redirects in web server. This processor only redirects to 
the new SP URL, optionally appending path from RelayState.

Original comment by comel...@gmail.com on 15 Dec 2011 at 2:09

Attachments:
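
The redirect approach described in the comment above, written out as an added example. This is not the attachment from the thread and not SimpleSAMLphp's own code: it is an IdP-side authproc filter in the SimpleSAMLphp 1.x filter style (class extending `SimpleSAML_Auth_ProcessingFilter`, `process(&$state)`), using the state keys the first comment names (`SPMetadata`) plus `saml:RelayState`. The module name `myorg`, the class name `RedirectOldSP`, the `map` / `appendPath` options and the sample entity IDs are assumptions; the redirect helper name is also an assumption, since it has changed between releases (`SimpleSAML_Utilities::redirectTrustedURL()` in 1.x, `\SimpleSAML\Utils\HTTP::redirectTrustedURL()` in current versions). The check a practitioner wants here is in `buildRedirectUrl()`: RelayState is request-controlled, so only its path component is reused, and only when it is a plain single-slash path, which keeps the filter from becoming an open redirect.

```php
<?php
/**
 * Added example (not from the thread or from SimpleSAMLphp): an IdP authproc
 * filter that drops an authentication request arriving for an old SP entity ID
 * and redirects the browser to the new SP, optionally appending the path part
 * of RelayState. Module name "myorg", class name and option names are assumed.
 *
 * Hypothetical configuration in the IdP's authproc chain (saml20-idp-hosted.php):
 *
 *   'authproc' => array(
 *       10 => array(
 *           'class'      => 'myorg:RedirectOldSP',
 *           'map'        => array('https://old.example.org/sp' => 'https://new.example.org'),
 *           'appendPath' => true,
 *       ),
 *   ),
 */
class sspmod_myorg_Auth_Process_RedirectOldSP extends SimpleSAML_Auth_ProcessingFilter
{
    /** @var array old SP entity ID => absolute base URL of the new SP */
    private $map = array();

    /** @var bool whether to append the path component of RelayState */
    private $appendPath = false;

    public function __construct($config, $reserved)
    {
        parent::__construct($config, $reserved);
        if (!isset($config['map']) || !is_array($config['map'])) {
            throw new SimpleSAML_Error_Exception('RedirectOldSP: the "map" option is required.');
        }
        $this->map = $config['map'];
        if (isset($config['appendPath'])) {
            $this->appendPath = (bool) $config['appendPath'];
        }
    }

    public function process(&$state)
    {
        assert(is_array($state));
        $entityId = isset($state['SPMetadata']['entityid']) ? $state['SPMetadata']['entityid'] : null;
        if ($entityId === null || !isset($this->map[$entityId])) {
            return; // not one of the old SPs: continue normal processing
        }
        $relayState = isset($state['saml:RelayState']) ? $state['saml:RelayState'] : null;
        $target = self::buildRedirectUrl($this->map[$entityId], $this->appendPath ? $relayState : null);
        // Drop this request; the new SP starts a fresh SSO round trip with its own entity ID.
        // Helper name is an assumption; current releases use \SimpleSAML\Utils\HTTP::redirectTrustedURL().
        SimpleSAML_Utilities::redirectTrustedURL($target);
    }

    /**
     * Build the redirect target from the configured new base URL and RelayState.
     * Only the path (plus query and fragment) of RelayState is reused, and only
     * when it is a plain path starting with a single '/', so a RelayState such as
     * "https://evil.example/x", "//evil.example/x" or "javascript:..." can never
     * send the browser anywhere but the configured new SP.
     */
    public static function buildRedirectUrl($newBase, $relayState)
    {
        $newBase = rtrim($newBase, '/');
        if ($relayState === null || $relayState === '') {
            return $newBase . '/';
        }
        // RelayState is typically an absolute URL on the old SP host or a bare path.
        $parts = parse_url($relayState);
        if ($parts === false) {
            return $newBase . '/';
        }
        $path = isset($parts['path']) ? $parts['path'] : '/';
        if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//' || strpos($path, '\\') !== false) {
            return $newBase . '/';
        }
        if (isset($parts['query'])) {
            $path .= '?' . $parts['query'];
        }
        if (isset($parts['fragment'])) {
            $path .= '#' . $parts['fragment'];
        }
        return $newBase . $path;
    }
}
```

With the configuration above, a bookmarked IdP-initiated SSO URL carrying `spentityid=https://old.example.org/sp` and `RelayState=https://old.example.org/app/page?x=1` ends up at `https://new.example.org/app/page?x=1`, while a RelayState of `https://attacker.example/` is reduced to `https://new.example.org/`. The host part of RelayState is discarded on purpose; if the new SP lives under a sub-path rather than a host root, put that path in the `map` value and set `appendPath` to false.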

GoogleCodeExporter commented 8 years ago
I'm sorry, but I still don't like the idea of adding this as a "core" feature 
in simpleSAMLphp. (Even though this method is much better than the previous - 
here nothing really strange happens during the authentication process, we just 
drop the request and redirect to another host.)

Original comment by olavmrk@gmail.com on 19 Dec 2011 at 10:18

GoogleCodeExporter commented 8 years ago
OK, closing this.

Original comment by comel...@gmail.com on 19 Dec 2011 at 1:11