Stop auto-generating entity IDs

7f8fd4c0 · Tim van Dijen · 9ae22119 · 7f8fd4c0 · 7f8fd4c0 · 7f8fd4c0
Commit 7f8fd4c0 authored 3 years ago by Tim van Dijen
--- a/docs/simplesamlphp-artifact-idp.md
+++ b/docs/simplesamlphp-artifact-idp.md
@@ -35,7 +35,7 @@ Enabling artifact on the IdP
 To enable the IdP to send artifacts, you must add the `saml20.sendartifact` option to the `saml20-idp-hosted` metadata file:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        [....]
        'auth' => 'example-userpass',
        'saml20.sendartifact' => TRUE,
@@ -89,7 +89,7 @@ You may therefore have to add the webserver certificate to the metadata that you
 To do this, you need to set the `https.certificate` option in the `saml20-idp-hosted` metadata file.
 That option should refer to a file containing the webserver certificate.
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        [....]
        'auth' => 'example-userpass',
        'saml20.sendartifact' => TRUE,

--- a/docs/simplesamlphp-authproc.md
+++ b/docs/simplesamlphp-authproc.md
@@ -98,15 +98,17 @@ The filters in `authproc.sp` will be executed at the SP side regardless of which
 Filters can be added both in `hosted` and `remote` metadata. Here is an example of a filter added in a metadata file:
-	'__DYNAMIC:1__' => [
+```php
-		'host'				=>	'__DEFAULT_',
+'urn:x-simplesamlphp:example-idp' => [
-		'privatekey'		=>	'example.org.pem',
+    'host' => '__DEFAULT_',
-		'certificate'		=>	'example.org.crt',
+    'privatekey' => 'example.org.pem',
-		'auth'				=>	'feide',
+    'certificate' => 'example.org.crt',
-		'authproc' => [
+    'auth' => 'feide',
-			40 => 'core:TargetedID',
+    'authproc' => [
-		],
+        40 => 'core:TargetedID',
-	]
+    ],
+]
+```
 The example above is in `saml20-idp-hosted`.

--- a/docs/simplesamlphp-customauth.md
+++ b/docs/simplesamlphp-customauth.md
@@ -120,7 +120,7 @@ In that file you should locate the `auth`-option for your IdP, and change it to
    <?php
    /* ... */
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        /* ... */
        /*
         * Authentication source to use. Must be one that is configured in

--- a/docs/simplesamlphp-ecp-idp.md
+++ b/docs/simplesamlphp-ecp-idp.md
@@ -19,7 +19,7 @@ Enabling ECP Profile on the IdP
 To enable the IdP to send ECP assertions you must add the `saml20.ecp` option to the `saml20-idp-hosted` metadata file:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        [....]
        'auth' => 'example-userpass',
        'saml20.ecp' => true,

--- a/docs/simplesamlphp-googleapps.md
+++ b/docs/simplesamlphp-googleapps.md
@@ -130,18 +130,20 @@ If you want to setup a SAML 2.0 IdP for Google Workspace, you need to configure
 This is the configuration of the IdP itself. Here is some example config:
-	// The SAML entity ID is the index of this config. Dynamic:X will automatically generate an entity ID (recommended)
+```php
-	$metadata['__DYNAMIC:1__'] => [
+// The SAML entity ID is the index of this config.
+$metadata['urn:x-simplesamlphp:example-idp'] => [
-		// The hostname of the server (VHOST) that this SAML entity will use.
-		'host'				=>	'__DEFAULT__',
+    // The hostname of the server (VHOST) that this SAML entity will use.
+    'host' => '__DEFAULT__',
-		// X.509 key and certificate. Relative to the cert directory.
-		'privatekey'   => 'googleworkspaceidp.pem',
+    // X.509 key and certificate. Relative to the cert directory.
-		'certificate'  => 'googleappsidp.crt',
+    'privatekey'   => 'googleworkspaceidp.pem',
+    'certificate'  => 'googleappsidp.crt',
-		'auth' => 'example-userpass',
-	]
+    'auth' => 'example-userpass',
+]
+```
 **Note**: You can only have one entry in the file with host equal to `__DEFAULT__`, therefore you should replace the existing entry with this one, instead of adding this entry as a new entry in the file. 

--- a/docs/simplesamlphp-hok-idp.md
+++ b/docs/simplesamlphp-hok-idp.md
@@ -29,7 +29,7 @@ Enabling HoK SSO Profile on the IdP
 To enable the IdP to send HoK assertions you must add the `saml20.hok.assertion` option to the `saml20-idp-hosted` metadata file:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        [....]
        'auth' => 'example-userpass',
        'saml20.hok.assertion' => TRUE,

--- a/docs/simplesamlphp-idp.md
+++ b/docs/simplesamlphp-idp.md
@@ -142,7 +142,7 @@ The SAML 2.0 IdP is configured by the metadata stored in
 This is a minimal configuration:
    <?php
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        /*
         * The hostname for this IdP. This makes it possible to run multiple
         * IdPs from the same configuration. '__DEFAULT__' means that this one

--- a/docs/simplesamlphp-metadata-extensions-rpi.md
+++ b/docs/simplesamlphp-metadata-extensions-rpi.md
@@ -72,7 +72,7 @@ Service Provider:
 Identity Provider:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        'host' => '__DEFAULT__',
        ...
        'RegistrationInfo' => [

--- a/docs/simplesamlphp-modules.md
+++ b/docs/simplesamlphp-modules.md
@@ -154,7 +154,7 @@ this:
 To use this authentication source in a SAML 2.0 IdP, set the
 `auth`-option of the IdP to `'example-static'`:
-    '__DYNAMIC:1__' => [
+    'urn:x-simplesamlphp:example-idp' => [
      'host' => '__DEFAULT__',
      'privatekey' => 'example.org.pem',
      'certificate' => 'example.org.crt',

--- a/docs/simplesamlphp-reference-idp-hosted.md
+++ b/docs/simplesamlphp-reference-idp-hosted.md
@@ -18,9 +18,7 @@ Both files have the following format:
    ];
    /* ... */
-The entity ID should be an URI. It can, also be on the form
+The entity ID should be an URI.
-`__DYNAMIC:1__`, `__DYNAMIC:2__`, `...`. In that case, the entity ID
-will be generated automatically.
 The `host` option is the hostname of the IdP, and will be used to
 select the correct configuration. One entry in the metadata-list can
@@ -392,11 +390,8 @@ These are some examples of IdP metadata
 ### Minimal SAML 2.0 IdP ###
    <?php
-    /*
-     * We use the '__DYNAMIC:1__' entity ID so that the entity ID
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
-     * will be autogenerated.
-     */
-    $metadata['__DYNAMIC:1__'] = [
        /*
         * We use '__DEFAULT__' as the hostname so we won't have to
         * enter a hostname.
@@ -425,7 +420,7 @@ $republishTarget = $dom->createElementNS('http://eduid.cz/schema/metadata/1.0',
 $republishRequest->appendChild($republishTarget);
 $ext = [new \SAML2\XML\Chunk($republishRequest)];
-$metadata['__DYNAMIC:1__'] = [
+$metadata['urn:x-simplesamlphp:example-idp'] = [
    'host' => '__DEFAULT__',
    'certificate' => 'example.org.crt',
    'privatekey' => 'example.org.pem',

--- a/metadata-templates/saml20-idp-hosted.php
+++ b/metadata-templates/saml20-idp-hosted.php
@@ -6,7 +6,7 @@
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-hosted
 */
-$metadata['__DYNAMIC:1__'] = [
+$metadata['urn:x-simplesamlphp:idp'] = [
    /*
     * The hostname of the server (VHOST) that will use this SAML entity.
     *

--- a/modules/core/docs/authproc_targetedid.md
+++ b/modules/core/docs/authproc_targetedid.md
@@ -34,7 +34,7 @@ A custom attribute:
 Internet2 compatible `eduPersontargetedID`:
    /* In saml20-idp-hosted.php. */
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:example-idp'] = [
        'host' => '__DEFAULT__',
        'auth' => 'example-static',

--- a/modules/saml/docs/keyrollover.md
+++ b/modules/saml/docs/keyrollover.md
@@ -48,7 +48,7 @@ In `config/authsources.php`:
 In `metadata/saml20-idp-hosted.php`:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:idp'] = [
        'host' => '__DEFAULT__',
        'auth' => 'example-userpass',
        'privatekey' => 'old.pem',
@@ -96,7 +96,7 @@ In `config/authsources.php`:
 In `metadata/saml20-idp-hosted.php`:
-    $metadata['__DYNAMIC:1__'] = [
+    $metadata['urn:x-simplesamlphp:idp'] = [
        'host' => '__DEFAULT__',
        'auth' => 'example-userpass',
        'certificate' => 'new.crt',

--- a/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php
+++ b/src/SimpleSAML/Metadata/MetaDataStorageHandlerPdo.php
@@ -159,16 +159,10 @@ class MetaDataStorageHandlerPdo extends MetaDataStorageSource
        }
        $tableName = $this->getTableName($set);
-        // according to the docs, it looks like *-idp-hosted metadata are the types
-        // that allow the __DYNAMIC:*__ entity id.  with the current table design
-        // we need to lookup the specific metadata entry but also we need to lookup
-        // any dynamic entries to see if the dynamic hosted entity id matches
        if (substr($set, -10) == 'idp-hosted') {
            $stmt = $this->db->read(
-                "SELECT entity_id, entity_data FROM {$tableName} "
+                "SELECT entity_id, entity_data FROM {$tableName} WHERE (entity_id LIKE :entityId)",
-                . "WHERE (entity_id LIKE :dynamicId OR entity_id = :entityId)",
+                ['entityId' => $entityId]
-                ['dynamicId' => '__DYNAMIC%', 'entityId' => $entityId]
            );
        } else {
            // other metadata types should be able to match on entity id

--- a/src/SimpleSAML/Metadata/MetaDataStorageSource.php
+++ b/src/SimpleSAML/Metadata/MetaDataStorageSource.php
@@ -349,9 +349,8 @@ abstract class MetaDataStorageSource
    /**
-     * Updates the metadata entry's entity id and returns the modified array.  If the entity id is __DYNAMIC:*__ a
+     * Updates the metadata entry's entity id and returns the modified array.
-     * the current url is assigned.  If it is explicit the entityid array key is updated to the entityId that was
+     * If it is explicit the entityid array key is updated to the entityId that was provided.
-     * provided.
     *
     * @param string $metadataSet a metadata set (saml20-idp-hosted, saml20-sp-remote, etc)
     * @param string $entityId the entity id we are modifying
@@ -362,16 +361,9 @@ abstract class MetaDataStorageSource
     */
    protected function updateEntityID(string $metadataSet, string $entityId, array $metadataEntry): array
    {
+        // set the entityid metadata array key to the provided entity id
        $modifiedMetadataEntry = $metadataEntry;
+        $modifiedMetadataEntry['entityid'] = $entityId;
-        // generate a dynamic hosted url
-        if (preg_match('/__DYNAMIC(:[0-9]+)?__/', $entityId)) {
-            $modifiedMetadataEntry['entityid'] = $this->getDynamicHostedUrl($metadataSet);
-        } else {
-            // set the entityid metadata array key to the provided entity id
-            $modifiedMetadataEntry['entityid'] = $entityId;
-        }
        return $modifiedMetadataEntry;
    }
 }