
How to handle rolling keys for Microsoft Entra ID for example

Open Huluti opened this issue 1 year ago • 3 comments

Hello,

Thank you for maintaining this bundle. I have two questions:

  • How can we manage rolling keys for a specific IDP? I know there's the x509certMulti option that can take multiple keys but since it's a configuration, I'm not sure if it can be updated easily on the fly? Ideally, I'd have to retrieve the keys myself and store them in the certs folder. But it seems that this folder can only hold SP keys?
  • Would it be possible to have a better way of customizing the path to the certs folder? Because having to define an ONELOGIN_CUSTOMPATH isn't really Symfony-oriented. An option in the bundle configuration file would be ideal.

That's it! I hope that's clear and I'm open to help.

Huluti avatar Nov 23 '24 08:11 Huluti

OK, parseRemoteXML and injectIntoSettings would be perfect, I just don't really see how to use them with the bundle for now...

Huluti avatar Dec 08 '24 09:12 Huluti

Just experimenting, but something like this would be useful I think: https://github.com/nbgrp/onelogin-saml-bundle/compare/2.0...Huluti:onelogin-saml-bundle:xml-parser

Ideally, a cache should also be used... I will see if I can continue my experiment for my own usage. And if you think that it's something good, maybe it could be considered for this bundle?

Any thoughts @a-menshchikov?

My goal is to have a config that looks like this:

```php
<?php
// config/packages/nbgrp_onelogin_saml.php
declare(strict_types=1);

use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $containerConfigurator): void {
    $containerConfigurator->extension('nbgrp_onelogin_saml', [
        'use_proxy_vars' => true,
        // Proposed option: point the bundle at the IdP's federation metadata so it can pick up
        // rolled signing keys itself instead of a hard-coded x509cert / x509certMulti.
        'idp_metadata' => [
            'MICROSOFT_ENTRA_ID' => [
                'xml_url' => 'https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml',
            ],
        ],
        'sp_metadata' => [
            'entityId' => '<request_scheme_and_host>/saml/metadata',
            'assertionConsumerService' => [
                'url' => '<request_scheme_and_host>/saml/acs',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
            ],
            'singleLogoutService' => [
                'url' => '<request_scheme_and_host>/saml/logout',
                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            ],
            'privateKey' => 'MIIE...',
        ],
    ]);
};
```

Huluti avatar Dec 08 '24 10:12 Huluti
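Added example, not part of the issue thread and not the bundle's own code: a small loader built on php-saml's IdPMetadataParser (the parseRemoteXML / injectIntoSettings pair mentioned above) that re-reads the Entra federation metadata on a TTL, keeps the last good copy when a fetch fails, and refuses to build settings when no signing certificate was published. The class name, cache file path and the contents of $baseSettings are assumptions.

```php
<?php
// Added example, not the bundle's own code. Assumes onelogin/php-saml (^4) is installed;
// the class name, cache file and $baseSettings contents are hypothetical.
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use OneLogin\Saml2\IdPMetadataParser;
use OneLogin\Saml2\Settings;

final class RollingIdpSettingsLoader
{
    public function __construct(
        private string $metadataUrl,
        private string $cacheFile,
        private int $ttl = 86400, // re-read the federation document once a day
    ) {}

    /** Parsed IdP block: served from cache while fresh, refetched otherwise. */
    private function idpInfo(): array
    {
        $fresh = is_file($this->cacheFile) && (time() - filemtime($this->cacheFile)) < $this->ttl;
        if (!$fresh) {
            try {
                // validateHttps defaults to true, so a plain-http metadata URL is rejected.
                $info = IdPMetadataParser::parseRemoteXML($this->metadataUrl);
                file_put_contents($this->cacheFile, json_encode($info, JSON_THROW_ON_ERROR), LOCK_EX);
                return $info;
            } catch (\Throwable $e) {
                if (!is_file($this->cacheFile)) {
                    throw $e; // first fetch failed and there is no last-good copy
                }
                // Fetch failed: keep the last good copy instead of breaking logins.
            }
        }
        return json_decode(file_get_contents($this->cacheFile), true, 512, JSON_THROW_ON_ERROR);
    }

    /** Merges the live IdP metadata (every published signing cert) into $baseSettings. */
    public function settings(array $baseSettings): Settings
    {
        $info = $this->idpInfo();
        // Several <KeyDescriptor use="signing"> entries end up in x509certMulti, so responses
        // signed with either the outgoing or the incoming key still validate.
        $signing = $info['idp']['x509certMulti']['signing'] ?? [$info['idp']['x509cert'] ?? null];
        if (array_filter($signing) === []) {
            throw new \RuntimeException('IdP metadata carries no signing certificate');
        }
        return new Settings(IdPMetadataParser::injectIntoSettings($baseSettings, $info));
    }
}
```

Calling `settings($baseSettings)` when building the Auth object keeps the SP in step with the keys Entra publishes; the cache file should live outside the web root and be writable only by the application user.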

Hmm, SSO with Entra ID could require letting users configure their own Metadata URL (in the DB). In this case, it would also be good to be able to load an IDP/SP config on the fly...

Huluti avatar Dec 08 '24 15:12 Huluti