Skip to content

Fix SAML2 endpoints registration when base_url includes a path#483

Open
guillomovitch wants to merge 2 commits intoIdentityPython:masterfrom
Renater:hotfix/fix-saml2-endpoints-handling
Open

Fix SAML2 endpoints registration when base_url includes a path#483
guillomovitch wants to merge 2 commits intoIdentityPython:masterfrom
Renater:hotfix/fix-saml2-endpoints-handling

Conversation

@guillomovitch
Copy link

@guillomovitch guillomovitch commented Jan 21, 2025

This PR fixes issue #179.

I didn't fix metadata endpoint registration, tough.

@bajnokk
Copy link
Contributor

bajnokk commented Jan 22, 2025
edited
Loading

Note there is a related PR #451 , which tries to take care of all backend and frontend modules. I'd be happy if you could point out, if there are any key differences.

@guillomovitch guillomovitch force-pushed the hotfix/fix-saml2-endpoints-handling branch from 1cbaf03 to ee5c0a9 Compare January 22, 2025 10:39
@guillomovitch
Copy link
Author

guillomovitch commented Jan 22, 2025
edited
Loading

Thanks for the remark, I didn't noticed this PR. It seems we have now three different issues (#148, #179, #404), and two different PR (#451, #483) about the same problem :)

Regarding your own PR, it seems far more complete than mine, which was a quick'n'dirty fix for my own use case. I lack knowledge of SATOSA internals, but if I understand correctly, you modified routing to fix the issue. This strategies let persists inconsistencies between modules configurations, some using absolute URLs (SAML backend and frontends), ie:

endpoints:
assertion_consumer_service:
- [<base_url>/<name>/acs/post, 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']

while others (idpy-oidc fronted) using relatives one, ie:

endpoint:
provider_info:
path: .well-known/openid-configuration

I'd personally prefer to enforce the same overall convention for configuration files. And I also feel easier to deduce absolute URLs by appending a relative one to base URL, when needed, than to try to deduce relative URLs from absolute ones, using complex parsing.

BTW, your PR doesn't cover the SAML2 backend, which has to be fixed as well, at least for the reload-metada endpoint, and probably for others too.

@guillomovitch
URL handling simplification
1c10fdb 
declare only relative URLs in configuration, so as to fix registration
when base URL contains a path (issue IdentityPython#179), and expose those endpoints
to outer world by appending base URL when needed.

This is much simpler than parsing absolute URLs, and more consistent
with OIDC frontends behaviour.
@guillomovitch
make metadata endpoints configurable as others
404fed0 
Rather have a working metadata exposure endpoint registration, whatever base url is,
than try to deduce it from entityID.
@guillomovitch guillomovitch force-pushed the hotfix/fix-saml2-endpoints-handling branch from ee5c0a9 to 404fed0 Compare August 14, 2025 13:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@guillomovitch @bajnokk