Make metadata expiration time configurable #1860
AramMutluWork wants to merge 2 commits into OpenConext:main
Conversation
MKodde left a comment:
A nice and useful new contribution!
I see a lot of nice things, but looking at this critically, I have some suggestions/questions:
- Now that the exp time is no longer hard-coded, would we not need some validation/verification that a correct value is configured? What happens with negative values, floating points, string values, ...? This validation does not need to be very comprehensive, and looking at your type definition, the application only allows integer values. But that can still be a negative value. Maybe check for that in the MetadataRenderer constructor?
- I'd love to see the MetaDataRendererTest extended with a couple of additional tests to verify that the expected expiration time matches the one configured.
    $addRequestedAttributes,
    86400
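Review bot: the updated test still passes the literal 86400, so it only exercises the old default and proves nothing about the new configuration path; parametrize it with a non-default value such as the 1,814,400 seconds from the PR description and assert that exactly that value shows up in the rendered validUntil, and add a negative-value case that expects the constructor to reject it once the validation suggested above is in place.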
Aside from fixing the test by passing the new parameter, it might be very useful to add a couple of tests that verify the expiration time ends up correctly in the metadata?
@AramMutluWork could you please take a look at @MKodde's suggestions? Also, a merge conflict has arisen (probably because the config file location has changed for Symfony 5). Once these issues are addressed, I'd like to merge this for 7.2.
I think allowing a little clock skew would be appropriate here. SAML2INT allows a clock skew of 3-5 minutes for SAML messages. For SAML metadata (SAML2MDIOP) there is no such requirement, but I think it makes sense to allow some skew. I'm keen to know how SURF looks at this. Wasn't there a setting for clock skew already? Or am I mixing this up with the SimpleSAMLphp project, which has this setting?
The expiration time of the metadata defines the validUntil attribute in the metadata of EngineBlock. By default this is a constant in the code set to 86,400 seconds (24 hours).
At the request of one of the connected Service Providers, we want to increase this value to 1,814,400 seconds (21 days). If something goes wrong with the automatic reading of our metadata, they will have more time to fix this error before users experience login problems.
To avoid having to set this up again with every release, we want to make this configurable. I left the default at 24 hours as before.
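The following is an added worked example, written for this page in Python rather than taken from EngineBlock's PHP code base, that ties together the three points raised in the thread: rejecting a negative, non-integer or absurdly large configured lifetime (the validation MKodde asks for in the renderer constructor), checking that the configured value actually ends up in the rendered validUntil attribute (the missing MetaDataRendererTest coverage), and the consumer-side clock-skew tolerance discussed above. The names `validate_expiration`, `render_entity_descriptor`, `metadata_still_valid`, the 365-day ceiling and the fixed sample clock are assumptions for illustration, not settings or functions of the project.

```python
# Added worked example; illustrative Python, not EngineBlock's PHP MetadataRenderer.
# All function and constant names below are assumptions made for this illustration.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XS_DATETIME_UTC = "%Y-%m-%dT%H:%M:%SZ"   # SAML dateTime values are UTC with a trailing 'Z'

DEFAULT_EXPIRATION_SECONDS = 86_400      # 24 h, the previously hard-coded value
MAX_EXPIRATION_SECONDS = 365 * 86_400    # assumed sanity ceiling, not something the PR defines

# Constructed fixed clock so the stand-alone run (and any test) is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def sample_clock(offset_seconds=0):
    """SAMPLE_NOW shifted by offset_seconds; simulates a later (or skewed) consumer clock."""
    return SAMPLE_NOW + timedelta(seconds=offset_seconds)


def validate_expiration(value):
    """Return value if it is a positive integer number of seconds, otherwise raise.

    Strings, floats and bools are all rejected: True/False are ints in Python, and a
    YAML value such as "86400" or 1.5 must not slip through just because it is truthy.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"metadata expiration must be an integer, got {type(value).__name__}")
    if value <= 0:
        raise ValueError(f"metadata expiration must be positive, got {value}")
    if value > MAX_EXPIRATION_SECONDS:
        raise ValueError(f"metadata expiration {value}s exceeds the ceiling of {MAX_EXPIRATION_SECONDS}s")
    return value


def is_valid_expiration(value):
    """Boolean form of validate_expiration, convenient for table-driven tests."""
    try:
        validate_expiration(value)
    except (TypeError, ValueError):
        return False
    return True


def valid_until(expiration_seconds, now=None):
    """Compute the validUntil attribute value: 'now' plus the configured lifetime, in UTC."""
    if now is None:
        now = datetime.now(timezone.utc)
    lifetime = timedelta(seconds=validate_expiration(expiration_seconds))
    return (now + lifetime).strftime(XS_DATETIME_UTC)


def render_entity_descriptor(entity_id, expiration_seconds=DEFAULT_EXPIRATION_SECONDS, now=None):
    """Render a minimal EntityDescriptor carrying validUntil (stand-in for the real renderer)."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {
        "entityID": entity_id,
        "validUntil": valid_until(expiration_seconds, now),
    })
    return ET.tostring(root, encoding="unicode")


def parse_valid_until(metadata_xml):
    """Read validUntil back out of rendered metadata, as a consumer or a test would."""
    return ET.fromstring(metadata_xml).get("validUntil")


def metadata_still_valid(metadata_xml, now=None, skew_seconds=300):
    """Consumer-side check: metadata is usable until validUntil plus an allowed clock skew.

    300 s sits inside the 3-5 minute tolerance discussed in the thread; pass 0 for a strict check.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    until = datetime.strptime(parse_valid_until(metadata_xml), XS_DATETIME_UTC)
    until = until.replace(tzinfo=timezone.utc)
    return now <= until + timedelta(seconds=skew_seconds)


if __name__ == "__main__":
    # 21 days (1,814,400 s), the value requested in the PR description, from the fixed clock.
    print(render_entity_descriptor("https://engine.example.org/authentication/idp/metadata",
                                   1_814_400, sample_clock()))
```

The rejection of `bool` and `float` is deliberate: a config loader that accepts "anything numeric" would happily turn `true` into a one-second lifetime or truncate `1.5`, and a ceiling catches a unit mix-up (days entered where seconds were expected) before the metadata is published with a validUntil years in the future.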