
SAML2 metadata is not found from EntitiesDescriptor (plural) with idp_metadata_parser() #346

Closed
pre opened this issue Aug 3, 2016 · 4 comments

@pre

pre commented Aug 3, 2016

When federation's metadata contains multiple <EntityDescriptor> (singular) tags under an <EntitiesDescriptor> (plural) tag, then idp_metadata_parser() is unable to locate any of the XPaths.

For example:

single_signon_service_url() tries to match with XPath "/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService[@Binding=\"#{binding}\"]/@Location" and finds nothing.

With XPath /md:EntitiesDescriptor/md:EntityDescriptor/[..same..] an <md:SingleSignOnService> is found.

Given that the metadata needs to be refreshed quite often, I am planning to fill settings from environment variables (settings.idp_sso_target_url, settings.idp_cert etc) and then refresh the environment variables according to the federation's metadata. This means I need to write a custom wrapper for idp_metadata_parser().

There should be a way to use idp_metadata_parser() so that it is aware of multiple <EntityDescriptor> tags under a single <EntitiesDescriptor>.

The metadata looks like:

<EntitiesDescriptor ..>
  <ds:Signature ..>
  <EntityDescriptor ..>
  <EntityDescriptor ..>
  <EntityDescriptor ..>
</EntitiesDescriptor>

@pitbulk
Collaborator

pitbulk commented Aug 3, 2016

In this toolkit the settings let you configure 1 unique IdP, so idp_metadata_parser is supposed to handle 1 IdP's metadata: parse it and save it in the settings.

But the toolkit lets you connect an SP to several IdPs; 1 possible solution is to store each settings in separate files, and on the SP endpoints add an additional parameter at the end of the URL that will let you determine which settings to use each time.

In this scenario I agree that you will need to process an EntitiesDescriptor with multiple EntityDescriptor, but the way to do that can be having a method that will process the EntitiesDescriptor, filtering which EntityDescriptor should be processed using the idp_metadata_parser method and saving it in the right settings file.

@pre
Author

pre commented Aug 3, 2016

Thanks!

In case you're curious, the test environment's metadata looks like this (the production metadata is bigger): https://haka.funet.fi/metadata/haka_test_metadata_signed.xml

Although this metadata has multiple <EntityDescriptor> tags, it only has one IdP, i.e. only one of the <EntityDescriptor>s has the SingleSignOnService definition.

Since my SP needs only one particular IdP in production, I can figure out a workaround. However, it would be neat if ruby-saml were able to parse metadata which begins with <EntitiesDescriptor> :)

@pitbulk
Collaborator

pitbulk commented Aug 3, 2016

You can have a method (get_idp_metadata_from_entities_descriptor), similar to get_idp_metadata, that has an entityId parameter.

That method will process the EntitiesDescriptor XML, find the one that matches the entityId and then parse the piece of string with the parse method.

If more people require that, I'm open to including that method on the IdpMetadataParser class, but in my experience, working with metadata federations is hard (the UK federation metadata for example contains thousands of metadatas), so sometimes it is possible and makes more sense to play with the specific metadata URL directly rather than ask for the metadata in the set handled by the federation.
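One way to implement the method sketched in this comment, as an added example that is not ruby-saml's own code: walk the EntitiesDescriptor (nested groups included), pick the EntityDescriptor whose entityID matches, copy the in-scope namespace declarations onto it so the fragment parses on its own, and return that fragment for the parse method. The method name, the helper idp_sso_locations and the federation metadata are assumptions and constructed sample data; only REXML from the Ruby standard library is used.

```ruby
require 'rexml/document'
require 'rexml/xpath'

MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'
NAMESPACES = { 'md' => MD_NS }

# Constructed sample federation metadata (not the Haka federation's): one
# <EntitiesDescriptor> holding three <EntityDescriptor>s, only one of them an
# IdP, with the IdP inside a nested group as real federations sometimes do.
# Real metadata also carries a <ds:Signature> over the whole document.
SAMPLE_FEDERATION_METADATA = <<~XML
  <md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example:federation">
    <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
    <md:EntitiesDescriptor Name="urn:example:federation:subgroup">
      <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
        <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                  Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
          <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                  Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
        </md:IDPSSODescriptor>
      </md:EntityDescriptor>
    </md:EntitiesDescriptor>
    <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
XML

# Hypothetical helper (not part of ruby-saml): returns the XML text of the one
# <md:EntityDescriptor> whose entityID equals entity_id, or nil if the
# federation does not list it. Plain single-entity metadata (root already an
# EntityDescriptor) is accepted too, so callers need not special-case it.
def get_idp_metadata_from_entities_descriptor(metadata_xml, entity_id)
  doc = REXML::Document.new(metadata_xml)
  root = doc.root
  return nil if root.nil? || root.namespace != MD_NS

  candidates =
    if root.name == 'EntityDescriptor'
      [root]
    elsif root.name == 'EntitiesDescriptor'
      # './/' also descends into nested EntitiesDescriptor groups.
      REXML::XPath.match(root, './/md:EntityDescriptor', NAMESPACES)
    else
      []
    end

  # Compare in Ruby instead of interpolating entity_id into an XPath predicate,
  # so quote characters in a caller-supplied id cannot alter the query.
  node = candidates.find { |e| e.attributes['entityID'] == entity_id }
  return nil if node.nil?

  # Namespace prefixes are usually declared on the federation root; copy every
  # in-scope declaration the element lacks so the fragment is self-contained.
  declared = node.attributes.namespaces
  node.namespaces.each do |prefix, uri|
    next if declared.key?(prefix)
    prefix == 'xmlns' ? node.add_namespace(uri) : node.add_namespace(prefix, uri)
  end
  node.to_s
end

# With the fragment's root now <md:EntityDescriptor>, the XPath the issue
# reports as failing matches. Returns { binding => location }.
def idp_sso_locations(entity_descriptor_xml)
  doc = REXML::Document.new(entity_descriptor_xml)
  path = '/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleSignOnService'
  REXML::XPath.match(doc, path, NAMESPACES).each_with_object({}) do |sso, acc|
    acc[sso.attributes['Binding']] = sso.attributes['Location']
  end
end

if $PROGRAM_NAME == __FILE__
  fragment = get_idp_metadata_from_entities_descriptor(SAMPLE_FEDERATION_METADATA,
                                                       'https://idp.example.org/idp/shibboleth')
  puts fragment
  p idp_sso_locations(fragment)
end
```

The extracted fragment carries no signature of its own: the federation's <ds:Signature> covers the whole EntitiesDescriptor, so verify that signature (and validUntil) on the downloaded document before extracting anything from it, then hand the fragment to the parse method of IdpMetadataParser as suggested here.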

@pre
Author

pre commented Aug 3, 2016

That's a good idea, thanks!
