-
-
Notifications
You must be signed in to change notification settings - Fork 308
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generic metadata, not tied to an IdP #176
Comments
There are ways to handle the approach of 1 unique SP serving multiple IdPs.
|
Sure, those are reasonable options for the auth endpoints. I'm asking specifically about the metadata endpoint. Do you 100% need the IdP configuration in order to generate the metadata? |
@pitbulk resurrecting old issue, but why do you think this is the worst way to do things? I am just looking at implementing this at the moment. Just wondering what the pitfalls were. I have a recollection of some IdPs not having different Issuer URIs across tenants (maybe WS-Federation?)... but have not gotten that far yet. |
Method 2 will require you to:
In addition, you will need to implement something in order to avoid tenant A registering the IdP Entity ID of tenant B in order to try to impersonate it. Is important to isolate properly tenants, see for example this severe bug Office 365 experienced: |
Consider a situation where
python3-saml
is being used to service many SAML-enabled users across multiple IdPs. As the library requires a completeSettings
object to generate the metadata, every organization with an IdP configuration needs their own distinct metadata endpoint (possibly distinguished by just a query parameter, but still we need to load up their IdP configuration before we can return the metadata). Is this a fundamental restriction of SAML, or could this library support a "one-size-fits-all" metadata endpoint to be shared by customers regardless of their IdP?The text was updated successfully, but these errors were encountered: