
Do not accept IDP metadata documents without keys #3315

Merged
jmpesp merged 2 commits into oxidecomputer:main from jmpesp:require_idp_signing_key
Jun 12, 2023

Conversation

@jmpesp (Contributor) commented Jun 6, 2023

Do not initialize a SAML identity provider if the provided IDP metadata document does not have a signing key. The control plane must require and only accept signed assertions.

Fixes #3155
@jmpesp jmpesp requested a review from david-crespo June 6, 2023 20:17
@luqmana (Contributor) commented Jun 6, 2023

This doesn't actually seem to change signing_keypair to not being an Option? What is actually the relationship between that field and the signing certificate within the IdP metadata?

@jmpesp (Contributor, Author) commented Jun 7, 2023

This doesn't actually seem to change signing_keypair to not being an Option? What is actually the relationship between that field and the signing certificate within the IdP metadata?

My mistake, I should have updated the issue: when @david-crespo and I were talking, I was referring to the IDP metadata signing key, not the SP (aka us) signing key. Our signing key can remain optional.
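An added Python example, not code from this PR or from the Omicron project (whose own check is in Rust): the gate the PR describes, refusing to create a SAML identity provider when the IdP metadata declares no certificate usable for verifying assertion signatures. The metadata documents and the certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


class MissingSigningKey(ValueError):
    """IdP metadata has no certificate usable to verify assertion signatures."""


def idp_signing_certs(metadata_xml: str) -> list[str]:
    """Return the base64 X.509 certs the IdP declares for signing, or raise."""
    root = ET.fromstring(metadata_xml)
    # root.iter() includes the root, so a bare IDPSSODescriptor also works.
    sso = next(root.iter(f"{{{MD_NS}}}IDPSSODescriptor"), None)
    if sso is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in sso.findall(f"{{{MD_NS}}}KeyDescriptor"):
        # No 'use' attribute means the key serves both signing and encryption;
        # a key marked 'encryption' only cannot verify signatures.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # strip PEM line breaks
            if b64:
                certs.append(b64)
    if not certs:
        raise MissingSigningKey("refusing IdP: metadata carries no signing certificate")
    return certs


def accepts_idp(metadata_xml: str) -> bool:
    """The create-IdP gate: accept only metadata with at least one signing cert."""
    try:
        idp_signing_certs(metadata_xml)
        return True
    except MissingSigningKey:
        return False


# Constructed sample documents; the certificate value is a placeholder, not real DER.
_HEAD = (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
         'entityID="https://idp.example.test/metadata"><md:IDPSSODescriptor>')
_TAIL = "</md:IDPSSODescriptor></md:EntityDescriptor>"
_KEY = ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        "PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</md:KeyDescriptor>")
GOOD_METADATA = _HEAD + _KEY % "signing" + _KEY % "encryption" + _TAIL
ENCRYPT_ONLY_METADATA = _HEAD + _KEY % "encryption" + _TAIL
NO_KEY_METADATA = _HEAD + _TAIL
```

The SP's own signing keypair (the `signing_keypair` field discussed above) is a separate concern and stays optional; this check only covers the IdP side.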

@jmpesp (Contributor, Author) commented Jun 9, 2023

(note I pushed up a test that was missing from our coverage)

@jmpesp jmpesp merged commit 1e3913b into oxidecomputer:main Jun 12, 2023
@jmpesp jmpesp deleted the require_idp_signing_key branch June 22, 2023 18:22

Development

Successfully merging this pull request may close these issues.

Require signing_keypair on IdP create
