SAML2-SSO only one identity provider is accepted #1959

Open
jalapatas opened this issue Apr 10, 2024 · 2 comments
@jalapatas
With iomad using SAML2-SSO from two different Microsoft enterprise applications, it is not possible to have more than one working configuration.
If you have two configurations with two different IdP entities, only the last one saved works.
The following error message is displayed:
[screenshot of the error message]


tom5850 commented Apr 14, 2024

As this is a critical issue for us, I have investigated it further and would like to share my observations.

As my colleague described in the last comment, only the last saved SAML2 SSO configuration works.

  • Create SAML2 configuration for tenant A and test -> works fine
  • Create and test SAML2 configuration for tenant B -> works fine
  • test SAML2 for Tenant A -> it fails, giving the error in the comment above
  • save the SAML2 configuration of tenant A again without changing anything, test it -> now it works fine again
  • test SAML2 for tenant B -> does not work anymore, gives the error in the comment above

In dataroot/iomadsaml2, three files are created when you configure a SAML2 connection: a pem and a cert file, which appear to be static, and an idp.xml file which contains the SAML2 metadata of the last saved SAML2 configuration. Only the SAML2 IdP whose configuration is available in this idp.xml file will work; the other IdPs don't work.

It looks like the part of the code that handles the idp.xml file is missing multi-tenant support. Or are we missing some important configuration parameter?

Any help on this would be greatly appreciated.


tom5850 commented Apr 17, 2024

Some more details: this error happens only when the metadata XML itself is entered in the field "IdP metadata xml OR public xml URL". It does not happen when the URL is entered.

The reason for this bug is that the filename of the idp.xml file in "dataroot/iomadsaml2/" is defined by (config.php, line 33 and maybe other places):

$metadataurlhash = md5($idpentity->metadataurl);

If no URL is given but XML data instead, the system seems to take a default value which is the same for all tenants, which breaks the multi-tenancy functionality.
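Added example (PHP, not iomad's own code) showing why the one-liner quoted above collides when the URL field is empty, and one way to key the cached metadata file on the IdP's identity instead. The function names, the `metadataxml` property and the two tenant entityIDs are assumptions constructed for this illustration.

```php
<?php
// Hypothetical helper modelled on the line quoted in the issue: the cache key
// is the md5 of the metadata URL, which is the same (md5 of '') for every IdP
// whose metadata was pasted as XML rather than fetched from a URL.
function metadata_key_by_url(object $idpentity): string {
    return md5($idpentity->metadataurl ?? '');
}

// Hypothetical replacement: keep the URL-based key when a URL exists, otherwise
// derive the key from the entityID inside the pasted metadata, falling back to
// the raw XML bytes if no entityID can be read.
function metadata_key_by_identity(object $idpentity): string {
    if (!empty($idpentity->metadataurl)) {
        return md5($idpentity->metadataurl);
    }
    $xml = $idpentity->metadataxml ?? '';
    $entityid = '';
    // Pasted IdP metadata is user-supplied XML: parse it with network access
    // disabled (LIBXML_NONET) and without entity substitution, so a crafted
    // DOCTYPE cannot make the parser fetch external resources.
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if ($xml !== '' && $doc->loadXML($xml, LIBXML_NONET)) {
        $entityid = $doc->documentElement->getAttribute('entityID');
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return md5('xml:' . ($entityid !== '' ? $entityid : $xml));
}

// Constructed sample: two tenants that both paste metadata XML and leave the URL empty.
$tenanta = (object) ['metadataurl' => '', 'metadataxml' =>
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-A-PLACEHOLDER/"/>'];
$tenantb = (object) ['metadataurl' => '', 'metadataxml' =>
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/TENANT-B-PLACEHOLDER/"/>'];

// URL-keyed: both tenants map to the same file, so the last one saved overwrites the other.
var_dump(metadata_key_by_url($tenanta) === metadata_key_by_url($tenantb));
// Identity-keyed: each IdP gets its own metadata file.
var_dump(metadata_key_by_identity($tenanta) === metadata_key_by_identity($tenantb));
```

Keying on the entityID also means re-saving one tenant's configuration no longer affects the other tenant's cached metadata, which is the symptom described in the reproduction steps above.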
