SAML2: support service provider certificate overlap rotation#1453
Open
mbardelmeijer wants to merge 2 commits into
Open
SAML2: support service provider certificate overlap rotation#1453mbardelmeijer wants to merge 2 commits into
mbardelmeijer wants to merge 2 commits into
Conversation
Allow optional sp_previous_* credentials so metadata can publish both active and previous signing certificates during a soft-swap, while outbound messages are signed with the active key and encrypted assertions can be decrypted with either key.
Keep the PR limited to Provider logic and README documentation.
Contributor
Author
|
@27pchrisl if you're able to take a look at this, that would be great! 🙏 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why this is needed
When a Laravel application acts as a SAML service provider with signed
AuthnRequestmessages, identity providers must trust the SP's signing certificate ("request signer certificate"). Many IdPs — especially enterprise and government setups — register that certificate once and pin it, rather than continuously refreshing SP metadata.Today this package only supports a single
sp_certificate/sp_private_keypair. Replacing those values is therefore a hard cutover: metadata and outbound signatures switch to the new key immediately, while IdPs that still trust only the old certificate reject login requests until an administrator manually updates their configuration.That is a problem in normal operations, not just at initial setup:
The package already handles the inbound side of this well: when an IdP publishes multiple signing certificates in metadata,
validateSignature()accepts any of them. There is no equivalent for the outbound SP signing certificate, which is what this PR adds.What this changes
Adds optional overlap credentials via three new config keys:
sp_previous_certificatesp_previous_private_keysp_previous_private_key_passphraseDuring a rotation overlap period, operators deploy the new active
sp_*credentials and keep the replaced pair insp_previous_*for a grace window (typically 30–90 days).Metadata publication: SP metadata includes
KeyDescriptorentries for both the active and previous certificates (signing and encryption).Outbound signing:
AuthnRequest,LogoutRequest, andLogoutResponsemessages are signed with the active key only. The entity descriptor signature also uses the active key.Inbound decryption: If assertions are encrypted, decryption is attempted with the active private key first, then the previous private key.
Application API: Adds
getServiceProviderCertificates()so applications can expose all currently published SP certificates (for example on a/certificateendpoint) without parsing metadata XML.credential()is preserved as an alias to the active signing credential, so existing behaviour is unchanged whensp_previous_*is not configured.Recommended rotation workflow
sp_certificate/sp_private_key.sp_previous_*.sp_previous_*.Documentation for this workflow is added to the SAML2 README.