With iomad using SAML2-SSO from two different Microsoft enterprise applications, it is not possible to have more than one working configuration.
If you have two configurations with two different IdP entities, only the last one saved works.
The following error message is displayed:
As this is a critical issue for us, I have investigated it further and would like to share my observations.
As my colleague described in the last comment, only the last saved SAML2 SSO configuration works.
Create SAML2 configuration for tenant A and test -> works fine
Create and test SAML2 configuration for tenant B -> works fine
Test SAML2 for tenant A -> it fails, giving the error in the comment above
Save the SAML2 configuration of tenant A again without changing anything, test it -> now it works fine again
Test SAML2 for tenant B -> does not work anymore, gives the error in the comment above
In dataroot/iomadsaml2 three files are created when you configure a SAML2 connection. A pem and a cert file, which appear to be static. And an idp.xml file which contains the SAML2 metadata of the last saved SAML2 configuration. Only the SAML2 IDP whose configuration is available in this idp.xml file will work. The other IDPs don't work.
It looks like the part of the code that handles the idp.xml file is missing multi-tenant support. Or are we missing some important configuration parameter?
Some more details: This error happens only when in the field "IdP metadata xml OR public xml URL" the metadata xml information is entered. It does not happen when the URL is entered.
The reason for this bug is that the filename of the idp.xml file in "dataroot/iomadsaml2/" is defined by (config.php, line 33 and maybe other places):
$metadataurlhash = md5($idpentity->metadataurl);
If no URL is given but xml data instead, the system seems to take a default value which is the same for all tenants, which breaks the multi-tenancy functionality.
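The collision described above, as an added illustration that is not code from the iomadsaml2 plugin: a key derived only from md5 of the metadata URL is identical for every tenant that pastes XML and leaves the URL empty, while a key that also uses the entityID of the pasted metadata stays distinct per IdP. The `$idpentity` fields, the helper names and the sample entityIDs are assumptions.

```php
<?php
// Added example, not iomadsaml2 code. Shows why keying the idp.xml filename
// on md5($idpentity->metadataurl) collides for pasted-XML configurations and
// one way to derive a per-IdP key instead. Field and function names are assumed.

declare(strict_types=1);

// Reproduces the reported behaviour: the key depends on the URL field only.
function metadata_key_url_only(object $idpentity): string {
    return md5($idpentity->metadataurl);
}

// Keys on the URL when one is given; otherwise on the entityID of the pasted
// metadata, falling back to a hash of the raw XML if no entityID is present.
function metadata_key_per_idp(object $idpentity): string {
    if (trim($idpentity->metadataurl) !== '') {
        return md5($idpentity->metadataurl);
    }
    $entityid = '';
    $xml = @simplexml_load_string($idpentity->metadataxml);
    if ($xml !== false && isset($xml['entityID'])) {
        $entityid = (string) $xml['entityID'];
    }
    return md5($entityid !== '' ? $entityid : $idpentity->metadataxml);
}

// Constructed sample data: two tenants that pasted XML and left the URL empty.
// The entityID values are placeholders, not real tenant identifiers.
$tenantA = (object) [
    'metadataurl' => '',
    'metadataxml' => '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
                   . ' entityID="https://sts.windows.net/tenant-a-placeholder/"/>',
];
$tenantB = (object) [
    'metadataurl' => '',
    'metadataxml' => '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"'
                   . ' entityID="https://sts.windows.net/tenant-b-placeholder/"/>',
];

// Both tenants map to the same idp.xml name under the URL-only scheme ...
assert(metadata_key_url_only($tenantA) === metadata_key_url_only($tenantB));
// ... but to distinct names once the entityID is part of the key.
assert(metadata_key_per_idp($tenantA) !== metadata_key_per_idp($tenantB));

printf("url-only: %s / %s\n", metadata_key_url_only($tenantA), metadata_key_url_only($tenantB));
printf("per-idp : %s / %s\n", metadata_key_per_idp($tenantA), metadata_key_per_idp($tenantB));
```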