Update SAML backend metadata configuration

* make metadata endpoint configurable * allow specification of a certificate file for checking the signature

Update SAML backend metadata configuration
* make metadata endpoint configurable * allow specification of a certificate file for checking the signature
1fb917cd · Moser, Maximilian · 946cf0b6 · 1fb917cd · 1fb917cd · 1fb917cd
Commit 1fb917cd authored 1 year ago by Moser, Maximilian
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,6 @@ backend.xml

 # client database
 oidc-clients.json
+
+# deployment-specific configuration
+config/saml-metadata-signing.crt
--- a/README.md
+++ b/README.md
@@ -119,3 +119,5 @@ Here is a collection of links for further resources about SAML and the ACOnet fe
 * [SAML attributes](https://wiki.univie.ac.at/display/federation/Attributes)
 * [Service/entity categories](https://wiki.refeds.org/display/ENT/)
 * [Discovery services](https://wiki.univie.ac.at/display/federation/Discovery+Services)
+* [ACOnet metadata](https://wiki.univie.ac.at/display/federation/Metadata)
+* [ACOnet metadata signing key](https://wiki.univie.ac.at/display/federation/Metadata+Signing+Key)
--- a/config/saml2-backend.yaml
+++ b/config/saml2-backend.yaml
@@ -47,7 +47,8 @@ config:
    # from the centrally managed ACOnet endpoint (and we refresh it every 12h with that cryptic string)
    metadata:
      remote:
-        - url: "https://eduid.at/md/aconet-interfed.xml"
+        - url: !ENV SATOSA_SAML_METADATA_URL
+          cert: !ENV SATOSA_SAML_METADATA_CERT_FILE
          check_validity: true
          disable_ssl_certificate_validation: false
          freshness_period: "P0Y0M0DT12H0M0S"

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,6 +18,9 @@ services:
      - SATOSA_SAML_KEY_FILE
      - SATOSA_SAML_CERT_FILE
      - SATOSA_SAML_DISCOVERY_SERVICE=${SATOSA_SAML_DISCOVERY_SERVICE:-https://eduid.at/ds/wayf/}
+
+      - SATOSA_SAML_METADATA_URL=${SATOSA_SAML_METADATA_URL:-https://eduid.at/md/aconet-interfed.xml}
+      - SATOSA_SAML_METADATA_CERT_FILE
    ports:
      - ${SATOSA_DEPLOYMENT_PORT:-443}:${SATOSA_PORT:-8443}
    volumes:

--- a/env.example
+++ b/env.example
@@ -14,6 +14,8 @@ SATOSA_OIDC_KEY_FILE=ssl/oidc.key
 SATOSA_SAML_KEY_FILE=ssl/saml.key
 SATOSA_SAML_CERT_FILE=ssl/saml.crt
 SATOSA_SAML_DISCOVERY_SERVICE=<base_url>/disco
+SATOSA_SAML_METADATA_URL=https://eduid.at/md/aconet-interfed.xml
+SATOSA_SAML_METADATA_CERT_FILE=

 # ssl/tls files for gunicorn
 SATOSA_GUNICORN_KEY=ssl/gunicorn.key