
Thoughts on Multiple IDP certificates support?

Open Rkallenkoot opened this issue 3 years ago • 4 comments

I believe this is the x509certMulti settings in OneLogin.

From their docs:

IdP with multiple certificates

In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.

Rkallenkoot avatar May 11 '22 19:05 Rkallenkoot

> I believe this is the x509certMulti settings in OneLogin.
>
> From their docs:
>
> IdP with multiple certificates
>
> In some scenarios the IdP uses different certificates for signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.

Do you personally need this? We have over 10 vendors and we haven't needed it so far.

I'm open to PRs though :)

breart avatar May 11 '22 19:05 breart

We've had key rollovers happen in the past, and I'm currently migrating to this package. However, I do not need it right now.

But perhaps it would be nice to match the OneLogin settings instead of only offering the idp_cert_x509. What do you think? I'm curious what you think is the right approach for the package, to be honest.

Rkallenkoot avatar May 11 '22 22:05 Rkallenkoot

I think having this would definitely be a plus, but it comes with a cost, primarily the managing part. Right now you can simply copy & paste a single certificate to a console command as an option; for multiple certificates we would need to create a more advanced/additional console command to manage the existing ones.

I planned to rewrite the way "tenants" are being managed via CLI, to improve UX and reduce mistakes. If nobody implements it faster than I do, then I could potentially add multiple certificates/rotation to the scope.

breart avatar May 12 '22 17:05 breart

For the record, we would definitely benefit from this. I currently have a vendor that has 6 different certificates (all still valid) in their metadata. If I understand correctly, I have no way of knowing which one they will use, so I'd need to proceed by trial and error, and I have no guarantee that they won't change at some point.

I also had one do a rollover when a certificate expired, so we had to change on our end as soon as they actually switched. With multi-cert support we could have added the new one ahead of time and prevented user login errors for a few hours.

> I planned to rewrite the way "tenants" are being managed via CLI, to improve UX and reduce mistakes

I'm not sure if that's what you're thinking, but I guess most of the configuration (including the multiple certificates) could be done by copy/pasting the metadata URL and automatically extracting the information from it.

nicolus avatar Jul 26 '23 13:07 nicolus
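As an added example (not code from laravel-saml2, php-saml, or any participant in this thread), the script below does what the last two comments describe: it walks every `KeyDescriptor` in an IdP's SAML metadata, keeps the `use="signing"` and `use="encryption"` certificates apart (a descriptor with no `use` attribute is valid for both, per the SAML metadata spec), and returns them in the shape of php-saml's `x509certMulti` setting (`signing` and `encryption` lists). It also builds a SHA-256 fingerprint index so a responder's signing certificate can be looked up without trial and error. The metadata document and the certificate blobs are constructed placeholders (the base64 is not real X.509 DER), and the function names are this example's own.

```python
"""Extract all IdP certificates from SAML metadata into php-saml's
x509certMulti layout ({"signing": [...], "encryption": [...]}).

Added example; not code from laravel-saml2 or php-saml.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata: one signing-only descriptor, one
# encryption-only descriptor and one with no `use` attribute (both).
# The X509Certificate bodies are placeholder base64, not real certificates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        U0lHTklORy1DRVJULTE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DUllQVElPTi1DRVJULTE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Qk9USC1DRVJULTI=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def normalize_cert(cert_text: str) -> str:
    """Strip PEM armour and all whitespace; php-saml takes the bare base64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    return "".join(body.split())


def fingerprint(cert_b64: str) -> str:
    """Hex SHA-256 over the DER bytes (the decoded base64), whitespace-insensitive."""
    der = base64.b64decode(normalize_cert(cert_b64), validate=True)
    return hashlib.sha256(der).hexdigest()


def extract_idp_certs(metadata_xml: str) -> dict:
    """Return {"signing": [...], "encryption": [...]} from every KeyDescriptor.

    A KeyDescriptor without a `use` attribute is usable for both purposes,
    so its certificate lands in both lists. Duplicates are dropped.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    multi = {"signing": [], "encryption": []}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in ("signing", "encryption") else ["signing", "encryption"]
        for el in kd.findall(".//ds:X509Certificate", NS):
            cert = normalize_cert(el.text or "")
            if not cert:
                continue
            for u in uses:
                if cert not in multi[u]:
                    multi[u].append(cert)
    return multi


def fingerprint_index(multi: dict) -> dict:
    """Map SHA-256 fingerprint -> set of uses the IdP advertised for that cert."""
    index = {}
    for use, certs in multi.items():
        for cert in certs:
            index.setdefault(fingerprint(cert), set()).add(use)
    return index


def signing_cert_for(multi: dict, fp: str):
    """Pick the signing cert matching a fingerprint, or None.

    Only the `signing` list is consulted: a certificate the IdP published
    for encryption only must not be trusted to validate signatures.
    """
    for cert in multi["signing"]:
        if fingerprint(cert) == fp:
            return cert
    return None


if __name__ == "__main__":
    certs = extract_idp_certs(SAMPLE_METADATA)
    for use, items in certs.items():
        print(use, [fingerprint(c)[:16] for c in items])
```

The returned dict maps one-to-one onto php-saml's `'x509certMulti' => ['signing' => [...], 'encryption' => [...]]`. Two practical notes: the metadata itself is the trust anchor here, so if a tenant is configured by pasting a metadata URL it should be fetched over HTTPS from the IdP's own host and, where the IdP signs its metadata, that signature checked before the certificates are stored; and a rollover means re-running the extraction, since the whole point is that the new certificate appears in the metadata before the IdP starts using it.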