How to handle rolling keys for Microsoft Entra ID for example
Hello,
Thank you for maintaining this bundle. I have two questions:
- How can we manage rolling keys for a specific IdP? I know there's the `x509certMulti` option that can take multiple keys, but since it's a configuration, I'm not sure if it can be updated easily on the fly? Ideally, I'd have to retrieve the keys myself and store them in the `certs` folder. But it seems that this folder can only hold SP keys?
- Would it be possible to have a better way of customizing the path to the `certs` folder? Because having to define an `ONELOGIN_CUSTOMPATH` isn't really Symfony-oriented. An option in the bundle configuration file would be ideal.
That's it! I hope that's clear and I'm open to help.
OK, `parseRemoteXML` and `injectIntoSettings` would be perfect, I just don't really see how to use them with the bundle for now...
Just experimenting, but something like this would be useful, I think: https://github.com/nbgrp/onelogin-saml-bundle/compare/2.0...Huluti:onelogin-saml-bundle:xml-parser
Ideally, a cache should be used as well... I will see if I can continue my experiment for my own usage. And if you think it's something good, maybe it could be considered for this bundle?
Any thought @a-menshchikov ?
My goal is to have a config that looks like this:

```php
$containerConfigurator->extension('nbgrp_onelogin_saml', [
    'use_proxy_vars' => true,
    // proposed key: IdP settings resolved from the federation metadata URL
    'idp_metadata' => [
        'MICROSOFT_ENTRA_ID' => [
            'xml_url' => 'https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml',
        ],
    ],
    'sp_metadata' => [
        'entityId' => '<request_scheme_and_host>/saml/metadata',
        'assertionConsumerService' => [
            'url' => '<request_scheme_and_host>/saml/acs',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
        ],
        'singleLogoutService' => [
            'url' => '<request_scheme_and_host>/saml/logout',
            'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
        ],
        'privateKey' => 'MIIE...',
    ],
]);
```
Hmm, SSO with Entra ID could require letting users configure their own metadata URL (in the DB). In this case, it would also be good to be able to load an IdP/SP config on the fly...
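One way to wire `IdPMetadataParser::parseRemoteXML` and `injectIntoSettings` to a cache so that an IdP key rollover is picked up without a redeploy, as an added example that is not part of the bundle or of the comments above. The class name `CachedIdpMetadataLoader`, the cache key scheme and the one-hour TTL are assumptions; the `idp` / `x509cert` / `x509certMulti` keys are the ones the php-saml parser produces.

```php
<?php
declare(strict_types=1);

// Added example, not bundle code: refresh IdP settings from federation
// metadata on a TTL so rolled signing keys (x509certMulti) are picked up.
use OneLogin\Saml2\IdPMetadataParser;
use OneLogin\Saml2\Settings;
use Psr\Cache\CacheItemPoolInterface;

final class CachedIdpMetadataLoader
{
    public function __construct(
        private CacheItemPoolInterface $cache,
        private int $ttl = 3600, // assumed: re-fetch metadata at most hourly
    ) {}

    /** Merge the IdP block parsed from $metadataUrl into $baseSettings. */
    public function load(string $metadataUrl, array $baseSettings): array
    {
        $item = $this->cache->getItem('saml_idp_' . sha1($metadataUrl));
        if (!$item->isHit()) {
            // Last argument (validatePeer=true): reject metadata served by a
            // host whose TLS certificate does not verify, since this document
            // decides which keys assertions are trusted against.
            $idpInfo = IdPMetadataParser::parseRemoteXML(
                $metadataUrl, null, null, null, null, true
            );
            $hasSingle = !empty($idpInfo['idp']['x509cert']);
            $hasMulti = !empty($idpInfo['idp']['x509certMulti']['signing']);
            if (!$hasSingle && !$hasMulti) {
                throw new \RuntimeException(
                    'No signing certificate in IdP metadata: ' . $metadataUrl
                );
            }
            $item->set($idpInfo)->expiresAfter($this->ttl);
            $this->cache->save($item);
        }
        return IdPMetadataParser::injectIntoSettings($baseSettings, $item->get());
    }
}

// Usage (the loader would be a Symfony service; $cache and $spSettings are
// assumed to come from the container / bundle configuration):
// $settings = new Settings(
//     $loader->load('https://login.microsoftonline.com/<tenant>/FederationMetadata/2007-06/FederationMetadata.xml', $spSettings)
// );
```

When the IdP publishes both the old and the new signing key during rollover, the parser fills `x509certMulti['signing']` with both, so assertions signed with either verify until the cache entry expires and the old key disappears from the metadata.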