EntityID are limited to valid URI while external vendors like Okta do not impose this limit

[lems3]

Specifics of your environment

1. Are you acting as SP/IdP/proxy?
   We're using Okta as an IdP
2. SimpleSAMLphp: What version are you using?
   2.0-beta99, but looking at tags for the commit it seems to be available in 2.1 too
3. PHP: What version are you using?
   8.1
4. Platform: unix or Windows?
   Unix
5. Webserver: Apache/Nginx/ISS?
   Apache

Describe the bug
When upgrading our SimpleSAML installation, it stopped working. We got this error :
Noticed exception 'SimpleSAML\Assert\AssertionFailedException' with message ''Drupal - site.example.com' is not a valid RFC3986 compliant URI' in /var/www/html/vendor/simplesamlphp/assert/src/Assert.php:363

Digging into this, this seems to be linked to this change :
#1658

Expected behavior
EntityID didn't had this restriction before, and audiences in Okta don't have this limitation. Adding this new restriction now seems to be an important breaking change, and would lead to us having to reconfigure many elements. My main issue with this is how other SAML integration don,t have this restriction...

Is this behavior really expected from entityID in SAML? Okta's support page reccomend this, but does not seems to discuss any hard restriction over this : https://support.okta.com/help/s/article/What-Is-the-Audience-URI?language=en_US

[tvdijen]

Is this behavior really expected from entityID in SAML?

Yes, it's specified in the SAML2 specifications and also in the SAML2 XSD-schema's.

Screenshot taken from SAML2 metadata specifications
Also see par 8.3.6 of SAML2 core specifications

[lems3]

Is this behavior really expected from entityID in SAML?

Yes, it's specified in the SAML2 specifications and also in the SAML2 XSD-schema's.

Yeah, while digging further into this I realized that it's in the spec now, but clearly a lot of tools were not implementing it properly.

As SimpleSAMLPHP didn't enfore it in 1.x, it could be useful to add a note in the upgrade notes about this.

Would it be accepted to add a parameter to make this check optional, in case an IdP isn't enforcing this on their site? Right now, on our side we're evaluating the impact of reconfiguring a couple of hundreds of Okta apps... While I'll always support properly enforcing standards, in this situation we'd prefer to have a gradual transition. IMO, the parameter should downgrade the error to a warning.

If not, then this issue can be closed, and we'll either make a local patch for now that handles this issue until we've went trough our apps and reconfigured all audiences.

Thanks!

[tvdijen]

I'll discuss it with my fellow devs... I must say I'm not a fan of the idea of downgrading this after more than a year (since 2.0 RC1).. Especially since it's only a one-liner patch for you to work around this.

We are working towards more standards enforcement in our new (future) saml2-library and we've been trying to keep it as strict as possible where we can and be slightly lenient where we foresee issues. To do this, we test with real-life metadata with over 8000 entities from all over the world and none of them failed on the entityID/Issuer/Audience.

[tvdijen]

For now, we're not going to lower our guards. Thanks for raising this issue though!

[lems3]

No problem!

The next person who gets the same issue should find this on Google and see the reccomended approach to use a patch.

Which we did, and it works fine. 😃

Thanks!