2.0.0: metadata generator on admin/Federation page does not honour the 'host' parameter

[restena-sw]

Describe the bug
The file metadata/saml20-idp-hosted.php can contain more than one entry, and those entries can refer to distinct DNS host names.

Such metadata functions as expected, with SSO and SLO endpoints on the correct hostnames.

However, when generating the metadata on the Federation page, the SSO and SLO endpoints are not generated for the configured hostnames. Instead, the endpoints always have the current vhost (i.e. the one from which the Federation page is opened) as the hostname.

To Reproduce
Steps to reproduce the behavior:

1. Configure saml20-idp-hosted metadata like:

$metadata['https://passwordless.restena.lu/'.'simplesaml_dev/'.'saml2/idp/passwordless.php'] = [
    'host' => 'passwordless.restena.lu',

2. Go to the Federation page of the simpleSAMLphp installation with any of the hostnames and check the generated IdP metadata.

3. A snippet of doing so from the Federation page on clueless.restena.lu yields:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://passwordless.restena.lu/simplesaml_dev/saml2/idp/passwordless.php">
[...]
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clueless.restena.lu/simplesaml_dev/module.php/saml/idp/singleLogout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://clueless.restena.lu/simplesaml_dev/module.php/saml/idp/singleSignOnService"/>
  </md:IDPSSODescriptor>

Note that the SSO and SLO URLs contain clueless.restena.lu as the hostname, despite the 'host' configuration item.

Expected behavior
SSO and SLO endpoints should start with the configured 'host', not the current serving vhost of the simpleSAMLphp page. In the example above:

Location="https://passwordless.restena.lu/simplesaml_dev/module.php/saml/idp/singleLogout"/>
Location="https://passwordless.restena.lu/simplesaml_dev/module.php/saml/idp/singleSignOnService"/>

Screenshots or logs
N/A

Additional context
simpleSAMLphp 2.0.0

[thijskh]

This was not so easy because the generated metadata urls for those entities normally depend on the host itself, i.e., they are correct if you access the actual individual metadata. However in the federation admin screen they are all shown on one page. I've proposed a solution that overrides this specifically for the admin module case in #1781.

I wonder/doubt this worked in 1.19 and earlier.

It does suggest that having a better "multiple idp's" other than hostname detection feature would be nice.

[restena-sw]

I just tried this in 2.0.2 and the issue does not seem to be fully fixed. See here, from the federation page:

$metadata['https://passwordless.restena.lu/simplesaml_dev/saml2/idp/passwordless.php'] = [
    'metadata-set' => 'saml20-idp-hosted',
    'entityid' => 'https://passwordless.restena.lu/simplesaml_dev/saml2/idp/passwordless.php',
    'SingleSignOnService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://clueless.restena.lu/simplesaml_dev/module.php/saml/idp/singleSignOnService',
        ],
    ],
    'SingleLogoutService' => [
        [
            'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
            'Location' => 'https://clueless.restena.lu/simplesaml_dev/module.php/saml/idp/singleLogout',
        ],

While the entityId itself has the correct hostname, the service locations still have the incorrect "current host" inside, rather than the configured one.

[thijskh]

I don't think this fix ended up in a release just yet.

[tvdijen]

Was this supposed to be backported to the 2.0 branch?
I just cherry-picked it and added it to the 2.0.3 release (No release date set yet).