Optimize the default entityID at install time
Description
Activity
Rod Widdowson, May 3, 2018 at 2:07 PM
After some discussion with Scott we came to the conclusion that the extra stuff in the dialog was too fraught with issues, not least of which was the perennial issue of code licensing (I do not read the WiX source as a matter of principle).
So I have contented myself with
A tightening of the verbiage
An alignment with IDP-1123.
Rod Widdowson, April 30, 2018 at 9:49 AM
Summary
So this is confusing. But I think we can simplify.
On Windows MSI you have two inputs, FQDN and Scope. These are captured from the user.
On Unix there are two implied inputs, ${NAME} and ${DOMAIN}.
These are the source of the following
EntityID
The scope for metadata and the IdP
Subject URI name for certificate
CN for certificates
The URLs in the generated metadata.
As a simplification (it's not done this way but the result is the same), say that
On Unix "hostname" is set up as ${NAME}.${DOMAIN}
On Unix "scope" is set up as ${DOMAIN} (on Windows it is captured)
On Windows "hostname" is set up as ${FQDN}
On Unix the values below are prompted defaults, on Windows they are hardwired
EntityID is set to
Scope is in the IdP and metadata from ${scope}
CN is set from ${hostname}
Subject URL AltName is set to ${EntityID}
Metadata URLs are generated based on ${Hostname} ( and so on)
Proposal
The parameters to the build (which include the property names) do not change. That would be an API change.
Unix (Windows non MSI)
EntityID defaults to "https://${DOMAIN}/idp" – a change
Subject URI name defaults to entityID. – a change (because entity ID changes)
Scope defaults to ${DOMAIN} – no change
CN defaults to ${NAME}.${DOMAIN} – no change
Metadata URLs default to being based on ${NAME}.${DOMAIN} – no change
This is
Windows MSI
Only one value is captured.
It is labeled on the GUI as FQDN
EntityID is set to "https://${FQDN}/idp"
Subject URI name defaults to entityID.
Scope is set to ${FQDN} – no change
CN defaults to ${FQDN}
Metadata URLs default to being based on ${FQDN}
The really visible change is the generated entityID and the dialog to capture FQDN
We retain compatibility with existing property names (IDP_SCOPE and DNSNAME)
This is
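The derivation laid out in the proposal above, as an added example (not Shibboleth installer code): it models how the Unix (${NAME}/${DOMAIN}) and Windows MSI (${FQDN}) paths turn the captured inputs into the derived values, and contrasts the proposed entityID with the current host-based "https://<host>/idp/shibboleth" one so that the host-rename case is visible. The metadata URL shapes are not given on the page, so only the host they are based on is derived.

```python
# Added example, not Shibboleth installer code: models the installer defaults
# from the proposal above for the Unix and Windows MSI paths and contrasts the
# proposed entityID with the current host-based one. Metadata URL shapes are
# not on the page, so only their host part is derived here.

OLD_ENTITY_ID_PATH = "/idp/shibboleth"  # current default (build.xml / MSI)
NEW_ENTITY_ID_PATH = "/idp"             # proposed default


def unix_defaults(name: str, domain: str) -> dict:
    """Unix / non-MSI: hostname is ${NAME}.${DOMAIN}, scope is ${DOMAIN}."""
    hostname = f"{name}.{domain}"
    entity_id = f"https://{domain}{NEW_ENTITY_ID_PATH}"  # depends on DOMAIN only
    return {
        "hostname": hostname,
        "scope": domain,
        "entityID": entity_id,
        "subjectAltName": entity_id,  # defaults to the entityID
        "cn": hostname,
        "metadata_host": hostname,    # metadata URLs are based on the hostname
    }


def windows_defaults(fqdn: str) -> dict:
    """Windows MSI: only FQDN is captured; hostname, scope and CN are all ${FQDN}."""
    entity_id = f"https://{fqdn}{NEW_ENTITY_ID_PATH}"
    return {
        "hostname": fqdn,
        "scope": fqdn,
        "entityID": entity_id,
        "subjectAltName": entity_id,
        "cn": fqdn,
        "metadata_host": fqdn,
    }


def old_entity_id(hostname: str) -> str:
    """Current default: built from the full host name, so it moves with the host."""
    return f"https://{hostname}{OLD_ENTITY_ID_PATH}"


def entity_id_stable_across_host_rename(before: str, after: str, domain: str) -> dict:
    """Which scheme keeps the (permanent) entityID when only the host part changes?"""
    old = old_entity_id(f"{before}.{domain}") == old_entity_id(f"{after}.{domain}")
    new = unix_defaults(before, domain)["entityID"] == unix_defaults(after, domain)["entityID"]
    return {"old_stable": old, "new_stable": new}
```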
Rod Widdowson, March 28, 2018 at 11:45 AM
I think that this is relatively easy for Windows - once one accepts that $(DOMAIN) is pretty untrustworthy. But that's fine, someone running the install script from the command line is not liable to be a neophyte.
The heavy lifting will probably come inside (which is definitely relevant so thanks to for nudging that one) and the moveable elements are
The host name (used as above, but also as the CN and to default the URI in cert generation)
entityID (currently set by the msi installer as "https://" & IdpHostName & "/idp/shibboleth")
idp.uri.subject.alt.name (default "https://" & IdpHostName & "/idp/shibboleth")
Scott Cantor, March 28, 2018 at 12:34 AM
I'm in favor. I'd do it but I assume the Windows installer might also need adjusting.
Rod Widdowson, February 20, 2017 at 3:10 PM
Should be pretty easy. Scott, any other thoughts?
At the time of installation, the IdP entityID defaults to a URI given by this line of code in build.xml:
where idp.host.name is given by:
That particular default entityID is suboptimal for at least two reasons:
Since the entityID is a name, not a location, the host part of the entityID need not be the same as the host part of the endpoint locations
The string "shibboleth" is a type of "vendor lock-in"
Once defined, an entityID should NEVER change. Changing an entityID is essentially starting from scratch. In that sense, the entityID is permanent and so its value must be chosen with great care.
I don't want to be prescriptive but the following default entityID is preferable to the one above:
That is a much better entityID since it only depends on the domain, which rarely changes.