From 7f8fd4c0f296d205d552dc2fc45ddf32dbfd5b9a Mon Sep 17 00:00:00 2001
From: Tim van Dijen <tvdijen@gmail.com>
Date: Sat, 11 Jun 2022 21:04:13 +0200
Subject: [PATCH] Stop auto-generating entity IDs
---
docs/simplesamlphp-artifact-idp.md | 4 +--
docs/simplesamlphp-authproc.md | 20 +++++++-------
docs/simplesamlphp-customauth.md | 2 +-
docs/simplesamlphp-ecp-idp.md | 2 +-
docs/simplesamlphp-googleapps.md | 26 ++++++++++---------
docs/simplesamlphp-hok-idp.md | 2 +-
docs/simplesamlphp-idp.md | 2 +-
docs/simplesamlphp-metadata-extensions-rpi.md | 2 +-
docs/simplesamlphp-modules.md | 2 +-
docs/simplesamlphp-reference-idp-hosted.md | 13 +++-------
metadata-templates/saml20-idp-hosted.php | 2 +-
modules/core/docs/authproc_targetedid.md | 2 +-
modules/saml/docs/keyrollover.md | 4 +--
.../Metadata/MetaDataStorageHandlerPdo.php | 10 ++-----
.../Metadata/MetaDataStorageSource.php | 16 +++---------
15 files changed, 47 insertions(+), 62 deletions(-)
diff --git a/docs/simplesamlphp-artifact-idp.md b/docs/simplesamlphp-artifact-idp.md
index 75286aeaf..6d993fa9e 100644
--- a/docs/simplesamlphp-artifact-idp.md
+++ b/docs/simplesamlphp-artifact-idp.md
@@ -35,7 +35,7 @@ Enabling artifact on the IdP
To enable the IdP to send artifacts, you must add the `saml20.sendartifact` option to the `saml20-idp-hosted` metadata file:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.sendartifact' => TRUE,
@@ -89,7 +89,7 @@ You may therefore have to add the webserver certificate to the metadata that you
To do this, you need to set the `https.certificate` option in the `saml20-idp-hosted` metadata file.
That option should refer to a file containing the webserver certificate.
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.sendartifact' => TRUE,
diff --git a/docs/simplesamlphp-authproc.md b/docs/simplesamlphp-authproc.md
index 478070c5c..a8ab604b7 100644
--- a/docs/simplesamlphp-authproc.md
+++ b/docs/simplesamlphp-authproc.md
@@ -98,15 +98,17 @@ The filters in `authproc.sp` will be executed at the SP side regardless of which
Filters can be added both in `hosted` and `remote` metadata. Here is an example of a filter added in a metadata file:
- '__DYNAMIC:1__' => [
- 'host' => '__DEFAULT_',
- 'privatekey' => 'example.org.pem',
- 'certificate' => 'example.org.crt',
- 'auth' => 'feide',
- 'authproc' => [
- 40 => 'core:TargetedID',
- ],
- ]
+```php
+'urn:x-simplesamlphp:example-idp' => [
+ 'host' => '__DEFAULT_',
+ 'privatekey' => 'example.org.pem',
+ 'certificate' => 'example.org.crt',
+ 'auth' => 'feide',
+ 'authproc' => [
+ 40 => 'core:TargetedID',
+ ],
+]
+```
The example above is in `saml20-idp-hosted`.
diff --git a/docs/simplesamlphp-customauth.md b/docs/simplesamlphp-customauth.md
index 83013f086..cb3fe9773 100644
--- a/docs/simplesamlphp-customauth.md
+++ b/docs/simplesamlphp-customauth.md
@@ -120,7 +120,7 @@ In that file you should locate the `auth`-option for your IdP, and change it to
<?php
/* ... */
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
/* ... */
/*
* Authentication source to use. Must be one that is configured in
diff --git a/docs/simplesamlphp-ecp-idp.md b/docs/simplesamlphp-ecp-idp.md
index 566df182d..c61818dcc 100644
--- a/docs/simplesamlphp-ecp-idp.md
+++ b/docs/simplesamlphp-ecp-idp.md
@@ -19,7 +19,7 @@ Enabling ECP Profile on the IdP
To enable the IdP to send ECP assertions you must add the `saml20.ecp` option to the `saml20-idp-hosted` metadata file:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.ecp' => true,
diff --git a/docs/simplesamlphp-googleapps.md b/docs/simplesamlphp-googleapps.md
index e0ac5fc4f..4086994a0 100644
--- a/docs/simplesamlphp-googleapps.md
+++ b/docs/simplesamlphp-googleapps.md
@@ -130,18 +130,20 @@ If you want to setup a SAML 2.0 IdP for Google Workspace, you need to configure
This is the configuration of the IdP itself. Here is some example config:
- // The SAML entity ID is the index of this config. Dynamic:X will automatically generate an entity ID (recommended)
- $metadata['__DYNAMIC:1__'] => [
-
- // The hostname of the server (VHOST) that this SAML entity will use.
- 'host' => '__DEFAULT__',
-
- // X.509 key and certificate. Relative to the cert directory.
- 'privatekey' => 'googleworkspaceidp.pem',
- 'certificate' => 'googleappsidp.crt',
-
- 'auth' => 'example-userpass',
- ]
+```php
+// The SAML entity ID is the index of this config.
+$metadata['urn:x-simplesamlphp:example-idp'] => [
+
+ // The hostname of the server (VHOST) that this SAML entity will use.
+ 'host' => '__DEFAULT__',
+
+ // X.509 key and certificate. Relative to the cert directory.
+ 'privatekey' => 'googleworkspaceidp.pem',
+ 'certificate' => 'googleappsidp.crt',
+
+ 'auth' => 'example-userpass',
+]
+```
**Note**: You can only have one entry in the file with host equal to `__DEFAULT__`, therefore you should replace the existing entry with this one, instead of adding this entry as a new entry in the file.
diff --git a/docs/simplesamlphp-hok-idp.md b/docs/simplesamlphp-hok-idp.md
index 7bf375e1b..872fc05bf 100644
--- a/docs/simplesamlphp-hok-idp.md
+++ b/docs/simplesamlphp-hok-idp.md
@@ -29,7 +29,7 @@ Enabling HoK SSO Profile on the IdP
To enable the IdP to send HoK assertions you must add the `saml20.hok.assertion` option to the `saml20-idp-hosted` metadata file:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
[....]
'auth' => 'example-userpass',
'saml20.hok.assertion' => TRUE,
diff --git a/docs/simplesamlphp-idp.md b/docs/simplesamlphp-idp.md
index 20847f247..2ba329a11 100644
--- a/docs/simplesamlphp-idp.md
+++ b/docs/simplesamlphp-idp.md
@@ -142,7 +142,7 @@ The SAML 2.0 IdP is configured by the metadata stored in
This is a minimal configuration:
<?php
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
/*
* The hostname for this IdP. This makes it possible to run multiple
* IdPs from the same configuration. '__DEFAULT__' means that this one
diff --git a/docs/simplesamlphp-metadata-extensions-rpi.md b/docs/simplesamlphp-metadata-extensions-rpi.md
index f824f6ae2..9371cd89c 100644
--- a/docs/simplesamlphp-metadata-extensions-rpi.md
+++ b/docs/simplesamlphp-metadata-extensions-rpi.md
@@ -72,7 +72,7 @@ Service Provider:
Identity Provider:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
'host' => '__DEFAULT__',
...
'RegistrationInfo' => [
diff --git a/docs/simplesamlphp-modules.md b/docs/simplesamlphp-modules.md
index c53527ff4..15fcdf08d 100644
--- a/docs/simplesamlphp-modules.md
+++ b/docs/simplesamlphp-modules.md
@@ -154,7 +154,7 @@ this:
To use this authentication source in a SAML 2.0 IdP, set the
`auth`-option of the IdP to `'example-static'`:
- '__DYNAMIC:1__' => [
+ 'urn:x-simplesamlphp:example-idp' => [
'host' => '__DEFAULT__',
'privatekey' => 'example.org.pem',
'certificate' => 'example.org.crt',
diff --git a/docs/simplesamlphp-reference-idp-hosted.md b/docs/simplesamlphp-reference-idp-hosted.md
index ea64aa3b3..25d7fc725 100644
--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -18,9 +18,7 @@ Both files have the following format:
];
/* ... */
-The entity ID should be an URI. It can, also be on the form
-`__DYNAMIC:1__`, `__DYNAMIC:2__`, `...`. In that case, the entity ID
-will be generated automatically.
+The entity ID should be an URI.
The `host` option is the hostname of the IdP, and will be used to
select the correct configuration. One entry in the metadata-list can
@@ -392,11 +390,8 @@ These are some examples of IdP metadata
### Minimal SAML 2.0 IdP ###
<?php
- /*
- * We use the '__DYNAMIC:1__' entity ID so that the entity ID
- * will be autogenerated.
- */
- $metadata['__DYNAMIC:1__'] = [
+
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
/*
* We use '__DEFAULT__' as the hostname so we won't have to
* enter a hostname.
@@ -425,7 +420,7 @@ $republishTarget = $dom->createElementNS('http://eduid.cz/schema/metadata/1.0',
$republishRequest->appendChild($republishTarget);
$ext = [new \SAML2\XML\Chunk($republishRequest)];
-$metadata['__DYNAMIC:1__'] = [
+$metadata['urn:x-simplesamlphp:example-idp'] = [
'host' => '__DEFAULT__',
'certificate' => 'example.org.crt',
'privatekey' => 'example.org.pem',
diff --git a/metadata-templates/saml20-idp-hosted.php b/metadata-templates/saml20-idp-hosted.php
index 79dc926d6..bcc7aeaf6 100644
--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -6,7 +6,7 @@
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
*/
-$metadata['__DYNAMIC:1__'] = [
+$metadata['urn:x-simplesamlphp:idp'] = [
/*
* The hostname of the server (VHOST) that will use this SAML entity.
*
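Review bot: The template now ships a fixed literal entity ID, `urn:x-simplesamlphp:idp`, with no comment telling the administrator to replace it, whereas the old `__DYNAMIC:1__` placeholder was self-evidently auto-generated. SAML entity IDs have to be unique across a federation, so every installation that copies this template unedited will present the same identifier. I would add, directly above the `$metadata[...]` line, a comment such as `// The entity ID of this IdP. Replace it with a globally unique URI before publishing metadata; relying parties key their trust on this value.` The docs examples in this patch use `urn:x-simplesamlphp:example-idp` while the template uses `urn:x-simplesamlphp:idp`; aligning the two would avoid confusion for someone following the docs against the template.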
diff --git a/modules/core/docs/authproc_targetedid.md b/modules/core/docs/authproc_targetedid.md
index a73fbd4a4..deb00c725 100644
--- a/modules/core/docs/authproc_targetedid.md
+++ b/modules/core/docs/authproc_targetedid.md
@@ -34,7 +34,7 @@ A custom attribute:
Internet2 compatible `eduPersontargetedID`:
/* In saml20-idp-hosted.php. */
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:example-idp'] = [
'host' => '__DEFAULT__',
'auth' => 'example-static',
diff --git a/modules/saml/docs/keyrollover.md b/modules/saml/docs/keyrollover.md
index 0bc9891bb..e211960c8 100644
--- a/modules/saml/docs/keyrollover.md
+++ b/modules/saml/docs/keyrollover.md
@@ -48,7 +48,7 @@ In `config/authsources.php`:
In `metadata/saml20-idp-hosted.php`:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:idp'] = [
'host' => '__DEFAULT__',
'auth' => 'example-userpass',
'privatekey' => 'old.pem',
@@ -96,7 +96,7 @@ In `config/authsources.php`:
In `metadata/saml20-idp-hosted.php`:
- $metadata['__DYNAMIC:1__'] = [
+ $metadata['urn:x-simplesamlphp:idp'] = [
'host' => '__DEFAULT__',
'auth' => 'example-userpass',
'certificate' => 'new.crt',
diff --git a/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php b/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php
index bbd5d99e3..249d4a434 100644
--- a/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php
+++ b/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php
@@ -159,16 +159,10 @@ class MetaDataStorageHandlerPdo extends MetaDataStorageSource
}
$tableName = $this->getTableName($set);
-
- // according to the docs, it looks like *-idp-hosted metadata are the types
- // that allow the __DYNAMIC:*__ entity id. with the current table design
- // we need to lookup the specific metadata entry but also we need to lookup
- // any dynamic entries to see if the dynamic hosted entity id matches
if (substr($set, -10) == 'idp-hosted') {
$stmt = $this->db->read(
- "SELECT entity_id, entity_data FROM {$tableName} "
- . "WHERE (entity_id LIKE :dynamicId OR entity_id = :entityId)",
- ['dynamicId' => '__DYNAMIC%', 'entityId' => $entityId]
+ "SELECT entity_id, entity_data FROM {$tableName} WHERE (entity_id LIKE :entityId)",
+ ['entityId' => $entityId]
);
} else {
// other metadata types should be able to match on entity id
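Review bot: The rewritten query on the `SELECT` line still uses `LIKE :entityId` although the only reason for `LIKE` was the `__DYNAMIC%` prefix match that the removed comment describes; the bound entity ID is now interpreted as a pattern, so `_` (common in URNs) and `%` act as wildcards and can match other rows or every row. It should be an exact comparison: `"SELECT entity_id, entity_data FROM {$tableName} WHERE entity_id = :entityId",`. Whether `$entityId` can carry request-supplied values on this path is not visible in the hunk, but exact match is the only correct semantics now that dynamic IDs are gone. After that change the `idp-hosted` branch appears to do the same as the `else` branch (whose comment says it matches on entity id), so the `if` may be collapsible — the `else` body and the enclosing method lie outside the hunk, so I cannot confirm.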
diff --git a/src/SimpleSAML/Metadata/MetaDataStorageSource.php b/src/SimpleSAML/Metadata/MetaDataStorageSource.php
index 2d3fc0246..6f2864ca9 100644
--- a/src/SimpleSAML/Metadata/MetaDataStorageSource.php
+++ b/src/SimpleSAML/Metadata/MetaDataStorageSource.php
@@ -349,9 +349,8 @@ abstract class MetaDataStorageSource
/**
- * Updates the metadata entry's entity id and returns the modified array. If the entity id is __DYNAMIC:*__ a
- * the current url is assigned. If it is explicit the entityid array key is updated to the entityId that was
- * provided.
+ * Updates the metadata entry's entity id and returns the modified array.
+ * If it is explicit the entityid array key is updated to the entityId that was provided.
*
* @param string $metadataSet a metadata set (saml20-idp-hosted, saml20-sp-remote, etc)
* @param string $entityId the entity id we are modifying
@@ -362,16 +361,9 @@ abstract class MetaDataStorageSource
*/
protected function updateEntityID(string $metadataSet, string $entityId, array $metadataEntry): array
{
+ // set the entityid metadata array key to the provided entity id
$modifiedMetadataEntry = $metadataEntry;
-
- // generate a dynamic hosted url
- if (preg_match('/__DYNAMIC(:[0-9]+)?__/', $entityId)) {
- $modifiedMetadataEntry['entityid'] = $this->getDynamicHostedUrl($metadataSet);
- } else {
- // set the entityid metadata array key to the provided entity id
- $modifiedMetadataEntry['entityid'] = $entityId;
- }
-
+ $modifiedMetadataEntry['entityid'] = $entityId;
return $modifiedMetadataEntry;
}
}
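Review bot: `updateEntityID` now copies any key straight into `entityid`, so an existing deployment whose `saml20-idp-hosted.php` still uses `__DYNAMIC:1__` will silently publish the literal string `__DYNAMIC:1__` as its entity ID instead of the URL it had before, which is not a URI and will break relying parties that registered the old value. Since the old regex is already known here, I would keep it as a guard that fails loudly rather than pass the value through: `if (preg_match('/__DYNAMIC(:[0-9]+)?__/', $entityId)) {` followed by throwing the project's configuration exception with a message like `Dynamic entity IDs are no longer supported; set an explicit URI as the entity ID`. The comment `// set the entityid metadata array key to the provided entity id` is fine, but the docblock's "If it is explicit" wording in the preceding hunk is now stale since the value is always explicit. `getDynamicHostedUrl` presumably has no remaining caller after this change; that is outside the hunk, so worth checking before leaving it in place.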
--
GitLab