Feature: IDP metadata URL should not be mandatory #552

Open
svennjegac opened this issue Feb 9, 2024 · 2 comments

Comments

@svennjegac

I have a case where I don't have access to IDP metadata.

We need to use the certificate specified in the SAML response assertion, and we should use it only if it matches a preconfigured certificate fingerprint.

I implemented this feature in the following PR and would be really thankful if you could support it: #551

@OscarVanL

+1 for this feature.

I am porting a legacy implementation to use this library. In this setup we didn't store the metadata URL, only the entity ID and certificate.

Here's how I (ab)use the package to work in this scenario:

package main

import (
	"encoding/base64"
	"encoding/pem"
	"net/url"

	"github.com/crewjam/saml"
)

// mustParseURL is the small helper the snippet relies on: ServiceProvider
// takes url.URL values, not strings.
func mustParseURL(raw string) url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return *u
}

// buildServiceProvider hand-builds the IdP EntityDescriptor from the single
// certificate we have instead of fetching metadata. The certificate body is a
// placeholder; the real PEM goes there.
func buildServiceProvider() saml.ServiceProvider {
	idpCertificate := "-----BEGIN CERTIFICATE-----\nABCDEF\n-----END CERTIFICATE-----"
	block, _ := pem.Decode([]byte(idpCertificate))
	if block == nil {
		panic("IdP certificate is not valid PEM")
	}
	entityID := "https://sts.windows.net/388aeae7-c30d-4117-9f1c-f0d87071cf2c/"

	return saml.ServiceProvider{
		MetadataURL: mustParseURL("https://sp.example.com/saml2/metadata"),
		AcsURL:      mustParseURL("https://sp.example.com/saml2/acs"),
		IDPMetadata: &saml.EntityDescriptor{
			EntityID: entityID,
			IDPSSODescriptors: []saml.IDPSSODescriptor{
				{
					SSODescriptor: saml.SSODescriptor{
						RoleDescriptor: saml.RoleDescriptor{
							KeyDescriptors: []saml.KeyDescriptor{
								{
									KeyInfo: saml.KeyInfo{
										X509Data: saml.X509Data{
											X509Certificates: []saml.X509Certificate{
												{
													// Metadata carries the DER certificate as base64.
													Data: base64.StdEncoding.EncodeToString(block.Bytes),
												},
											},
										},
									},
								},
							},
						},
					},
				},
			},
		},
	}
}

// parseResponse validates a SAMLResponse against the pinned certificate.
// xmlres is the base64-decoded response and requestID the ID of the
// AuthnRequest it answers; both come from the caller.
func parseResponse(sp saml.ServiceProvider, xmlres []byte, requestID string) (*saml.Assertion, error) {
	return sp.ParseXMLResponse(xmlres, []string{requestID})
}

I would love it if the package provided something more ergonomic and supported to achieve this.
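To make the fingerprint check svennjegac asks for concrete, here is an added Go example (not code from crewjam/saml or from either commenter): it pins a PEM certificate to a preconfigured SHA-256 fingerprint and yields the base64 DER that a hand-built EntityDescriptor needs. The function names are assumptions, and the self-signed certificate it generates is constructed test data standing in for the IdP's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PinnedCertData decodes a PEM certificate, rejects it unless its SHA-256 fingerprint equals the
// preconfigured lowercase hex pin, and returns the base64 DER for saml.X509Certificate.Data.
func PinnedCertData(certPEM, pinnedFP string) (string, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return "", fmt.Errorf("invalid certificate: %w", err)
	}
	sum := sha256.Sum256(block.Bytes)
	got := hex.EncodeToString(sum[:]) // compared in constant time so a mismatch leaks nothing
	if subtle.ConstantTimeCompare([]byte(got), []byte(pinnedFP)) != 1 {
		return "", fmt.Errorf("fingerprint %s does not match pinned %s", got, pinnedFP)
	}
	return base64.StdEncoding.EncodeToString(block.Bytes), nil
}

// NewSelfSignedCert returns constructed test data (DER and PEM) standing in for the IdP's certificate.
func NewSelfSignedCert() ([]byte, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	der, certPEM := NewSelfSignedCert()
	sum := sha256.Sum256(der)
	_, err := PinnedCertData(certPEM, hex.EncodeToString(sum[:]))
	fmt.Println("pinned certificate accepted:", err == nil)
}
```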

@OscarVanL

@crewjam Sorry to disturb you. I see there is some level of interest (based on thumbs-up). Would you consider looking at @svennjegac's PR?


2 participants