-
-
Notifications
You must be signed in to change notification settings - Fork 568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add sp_cert_multi to facilitate SP cert/key rotation #673
Conversation
@pitbulk this is ready for final review. Let me know what I can do to help get this merged. |
b97bea3
to
a2a0002
Compare
FYI I am using this in production now without issues. |
I was just looking into how to build multi_cert support for SP signing myself and great to see you already did it @johnnyshields . We're interested in getting this upstream, anything we can support in to move this forward? |
@pitbulk what do you think? |
I will be adding this on next ruby-saml release. Hopefully soon. |
@pitbulk any update? I've been using this in prod for 6 different SAML integrations, with IdPs on Azure AD, PingFederate, etc. I think it's safe to merge. |
Sorry for the delay on merging it, I will be more active now with ruby-saml |
Excellent news, thank you! |
Fixes #560
This PR introduces
sp_cert_multi
parameter which is analogous toidp_cert_multi
. It allows developers to have fine-grained control over SP certs and private keys, including:The changes are summarized as follows:
Add
SamlSettings sp_cert_multi
parameter. It has the following shape:(Note: You can use same certs for signing/encryption, and same PK everywhere. It's completely backward compatible with current functionality.)
sp_cert_multi
is mutually exclusive with the following:certificate, certificate_new, private_key
.If
security[:check_sp_cert_expiry]
is true, Ruby Saml automatically uses the first non-expired certificate insp_cert_multi[:signing]
for signing, and only uses private keys associated with non-expired certs insp_cert_multi[:encryption]
for decryption. This is evaluated in realtime, so as soon as your old cert expires your app automatically starts signing with the new one.The validation error
:check_sp_cert_expiration
is now raised only if ALL SP certs are expired. This is a slight behavior change;Settings.certificate
was expired butSettings.certificate_new
was not, an error would be raised.certificate_new
for signing. (This case was not previously in the tests, but I've now added a test for it with the new logic.):check_sp_cert_expiration
now also validates the certificatenot_before
condition; previously it was only validatingnot_after
.If
:check_sp_cert_expiration
is true, we now no longer include expired certs in the generated SP metadata. This is a good practice because having expired certs may cause the IdP system to throw an error, depending on how strictly it does its validation.Refactor so that internal references to
get_sp_cert
,get_sp_private_key
, etc. now point to the new structure of multiple certs.When performing decryption, we now try all private keys under
sp_cert_multi[:encryption]
(this is analogous to how we try all IDP certs inidp_cert_multi[:signing]
when verifiying the IDP signature.)Extract out
OneLogin::RubySaml::Utils.build_cert_object
andbuild_private_key_object
.Deprecate the
certificate_new
parameter sincesp_cert_multi
fulfills the same role better. It still works but it is removed from the docs.When there are multiple SP certs, the ordering of SP KeyDescriptor node in the SP metadata XML will now be all signing keys first, and then all encryption keys. (Previously it would be signing, encryption, signing, encryption.) This does not affect XML integrity in any way.
This PR contains unit tests and integration tests for all major SP signing flows (both Redirect and POST). Decryption is covered as well.