Correct host in generated URLS for IdPs with 'host' config in admin/federation (#1781)

thijskh · web-flow · commit 2a67e9ee2af7 · 2023-03-06T19:45:32.000+01:00
It gets quite fiddly to get this right. The actual metadata (hosted on the `host` itself) is alreafy correct because the URL generator uses the 'current' entity metadata and current URL. The admin interface of course presents all entities in one page and hence cannot rely on the current URL. Therefore we need to override the url host for this specific display case. Closes: #1774
diff --git a/modules/admin/src/Controller/Federation.php b/modules/admin/src/Controller/Federation.php
@@ -198,8 +198,14 @@ private function getHostedIdP(): array
                 $httpUtils = new Utils\HTTP();
                 $metadataBase = Module::getModuleURL('saml/idp/metadata');
                 if (count($idps) > 1) {
+                    $selfHost = $httpUtils->getSelfHost();
                     foreach ($idps as $index => $idp) {
-                        $idp['url'] = $metadataBase . '?idpentityid=' . urlencode($idp['entityid']);
+                        if (isset($idp['host']) && $idp['host'] !== '__DEFAULT__') {
+                            $mdHostBase = str_replace('://' . $selfHost, '://' . $idp['host'], $metadataBase);
+                        } else {
+                            $mdHostBase = $metadataBase;
+                        }
+                        $idp['url'] = $mdHostBase . '?idpentityid=' . urlencode($idp['entityid']);
                         $idp['metadata-set'] = 'saml20-idp-hosted';
                         $idp['metadata-index'] = $index;
                         $idp['metadata_array'] = SAML2_IdP::getHostedMetadata($idp['entityid']);
diff --git a/modules/admin/templates/federation.twig b/modules/admin/templates/federation.twig
@@ -21,7 +21,17 @@
           <dl>
             <dt>{{ set|entityDisplayName }}</dt>
 
-            <dd>EntityID: <code>{{ set.entityid }}</code></dd>
+            <dd>EntityID: <code>{{ set.entityid }}</code>
+            {% if set.type == 'saml20-idp-hosted' and set.host is defined %}
+                (hostname:
+                    {% if set.host == '__DEFAULT__' %}
+                        <em>{{ 'default'|trans }}</em>
+                    {%- else %}
+                        <code>{{ set.host }}</code>
+                    {%- endif -%}
+                )
+            {% endif %}
+            </dd>
             {%- if set.deprecated is defined and set.deprecated %}
 
               <dd><span class="entity-deprecated">{{ 'Deprecated'|trans }}</span></dd>
diff --git a/modules/saml/src/IdP/SAML2.php b/modules/saml/src/IdP/SAML2.php
@@ -762,11 +762,14 @@ public static function getHostedMetadata(string $entityid, MetaDataStorageHandle
         }
         $config = $handler->getMetaDataConfig($entityid, 'saml20-idp-hosted');
 
+        $host = $config->getOptionalString('host', null);
+        $host = $host === '__DEFAULT__' ? null : $host;
+
         // configure endpoints
-        $ssob = $handler->getGenerated('SingleSignOnServiceBinding', 'saml20-idp-hosted');
-        $slob = $handler->getGenerated('SingleLogoutServiceBinding', 'saml20-idp-hosted');
-        $ssol = $handler->getGenerated('SingleSignOnService', 'saml20-idp-hosted');
-        $slol = $handler->getGenerated('SingleLogoutService', 'saml20-idp-hosted');
+        $ssob = $handler->getGenerated('SingleSignOnServiceBinding', 'saml20-idp-hosted', $host);
+        $slob = $handler->getGenerated('SingleLogoutServiceBinding', 'saml20-idp-hosted', $host);
+        $ssol = $handler->getGenerated('SingleSignOnService', 'saml20-idp-hosted', $host);
+        $slol = $handler->getGenerated('SingleLogoutService', 'saml20-idp-hosted', $host);
 
         $sso = [];
         if (is_array($ssob)) {
diff --git a/src/SimpleSAML/Metadata/MetaDataStorageHandler.php b/src/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -83,11 +83,12 @@ protected function __construct()
      *
      * @param string $property The metadata property which should be auto-generated.
      * @param string $set The set we the property comes from.
+     * @param string $overrideHost Hostname to use in the URLs
      *
      * @return string|array The auto-generated metadata property.
      * @throws \Exception If the metadata cannot be generated automatically.
      */
-    public function getGenerated(string $property, string $set)
+    public function getGenerated(string $property, string $set, string $overrideHost = null)
     {
         // first we check if the user has overridden this property in the metadata
         try {
@@ -101,9 +102,11 @@ public function getGenerated(string $property, string $set)
 
         // get the configuration
         $config = Configuration::getInstance();
-
         $httpUtils = new Utils\HTTP();
         $baseurl = $httpUtils->getSelfURLHost() . $config->getBasePath();
+        if ($overrideHost !== null) {
+            $baseurl = str_replace('://' . $httpUtils->getSelfHost(), '://' . $overrideHost, $baseurl);
+        }
 
         if ($set == 'saml20-sp-hosted') {
             if ($property === 'SingleLogoutServiceBinding') {
