Yesterday, Henny encountered a quite annoying bug in EngineBlock, which causes certain ACL updates in SR not to be reflected in EngineBlock's internal state. I reproduced it on acc this morning (i.e. with the new EB release). I assume this is an issues in EB, but I'm not 100% sure of that.
The problem is as follows: given an SP that allows access to an IdP, which in turn blocks access to this SP (i.e., the IdP is whitelisted by the SP, but the SP is not whitelisted by the IdP). When the IdP now whitelists the SP, this is not reflected in EngineBlock (as shown by the scoped proxies/idps-metadata for example). Only when the SP makes an unrelated change to its whitelist (e.g., add a different IdP to the whitelist), the data in EngineBlock is updated, and both IdPs appear in the scoped metadata.
I guess this is a bit hard to follow, so to reproduce this on acc:
- take a random SP in the SR on ACC and make sure it is connected to two IdPs that allow access and one IdP that disallows access (see screenshot: the FrKoIdP is the one we're interested in here).
![screen shot 2014-07-22 at 13 19 26](https://cloud.githubusercontent.com/assets/1461740/3657225/0a284c5c-1192-11e4-9abc-19fa5d951179.png)
Flush, and fetch the scoped metadata of the SP:
[bas@miranda]~> curl -s 'https://engine.acc.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=https://mfsp.gadgets.surfconext.nl/getdai/' | xpath '//md:EntityDescriptor/@entityID'
Found 3 nodes:
-- NODE --
entityID="https://mfsp.gadgets.surfconext.nl/getdai/"-- NODE --
entityID="http://presentain.com/saml/metadata"-- NODE --
entityID="http://suaas-gw.surfnet.nl/metadata"
This is correct: it shows the EntityDescriptors of the SP and its two accessible IdPs.
- Now add the SP to the IdP whitelist, so we get this configuration (see screenshot):
![screen shot 2014-07-22 at 13 28 32](https://cloud.githubusercontent.com/assets/1461740/3657315/50dd96c4-1193-11e4-9da7-32d3a502ea01.png)
One would now expect the FrKoIdP to appear in the Engineblock metadata for this SP. However, it doesn't, even if the SR entry is saved as a new revision:
[bas@miranda]~> curl -s 'https://engine.acc.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=https://mfsp.gadgets.surfconext.nl/getdai/' | xpath '//md:EntityDescriptor/@entityID'
Found 3 nodes:
-- NODE --
entityID="https://mfsp.gadgets.surfconext.nl/getdai/"-- NODE --
entityID="http://presentain.com/saml/metadata"-- NODE --
entityID="http://suaas-gw.surfnet.nl/metadata"
- Now, on the SP side, add a whitelisting for an unrelated IdP (einstein.wind.surfnet.nl in the screenshot), and flush:
![screen shot 2014-07-22 at 13 39 16](https://cloud.githubusercontent.com/assets/1461740/3657447/f94a3910-1194-11e4-9f2d-3d11a88a0862.png)
Now, both IdPs (einstein.wind.surfnet.nl and FrKoIdp) show up in EB:
[bas@miranda]~> curl -s 'https://engine.acc.surfconext.nl/authentication/proxy/idps-metadata?sp-entity-id=https://mfsp.gadgets.surfconext.nl/getdai/' | xpath '//md:EntityDescriptor/@entityID'
Found 5 nodes:
-- NODE --
entityID="https://mfsp.gadgets.surfconext.nl/getdai/"-- NODE --
entityID="https://einstein.wind.surfnet.nl/simplesaml/saml2/idp/metadata.php"-- NODE --
entityID="https://frko.surfnetlabs.nl/simplesamlphp/saml2/idp/metadata.php"-- NODE --
entityID="http://presentain.com/saml/metadata"-- NODE --
entityID="http://suaas-gw.surfnet.nl/metadata"
This might seem like a small issue, but you would be mistaken: by accidentally changing an IdP from "allow all" to allowing a few specific SPs, all SPs connected to this IdP will have to be changed to fix the situation, even if the change at the IdPs side is easily reverted. This can be a lot of work, in particular if this happens with popular IdPs (e.g., the DIY-IdP, as happended yesterday).