SAML2 Metadata Validation without Internet Connectivity

By: Kee Wee Wong Account Admin 10 Feb 2020 at 9:51 p.m. CST

12 Responses
Kee Wee Wong gravatar
Hi Support, We have an air-gapped Gluu SSO installation without any internet connectivity. As such, when we import the SP Metadata into Gluu Trust Relationship, we are unable to validate the trust relationship with the error (see attached screenshot for more details)**.**: > schema_reference.4: Failed to read schema document 'http://www.w3.org/TR... > Warning: cannot validate metadata. Check internet connetion and www.w3.org avaliability. Is possible to manually import the schema documents such that the Gluu SSO server need not contact the internet to validate the schema? Thank you!
Gluu 4.0 Rhel 7.7
closed

Answers

By Mohib Zico staff 10 Feb 2020 at 10:07 p.m. CST

Copy
Mohib Zico gravatar
@Thomas Gasmyr.Mougang: is this possible?

By Kee Wee Wong Account Admin 12 Feb 2020 at 9:33 p.m. CST

Copy
Kee Wee Wong gravatar
Hi support, Any updates on this?

By Mohib Zico staff 12 Feb 2020 at 10:06 p.m. CST

Copy
Mohib Zico gravatar
Kee Wee, I was doing some brain storming on this as well and I _think_ most probably you won't be able to use SAML protocol without internet. I believe I am 50% correct but I'll talk to Mike on that. [ Please correct me if you believe otherwise ] Reassigning ticket to me for now.

By Kee Wee Wong Account Admin 13 Feb 2020 at 8:50 p.m. CST

Copy
Kee Wee Wong gravatar
Hi Mohib, How is the discussion going with the team? It seems like the schema document hasn't been updated since 2002. Possible to "pre-load" the document?

By Mohib Zico staff 13 Feb 2020 at 10:24 p.m. CST

Copy
Mohib Zico gravatar
Hello Kee Wee, Sorry, couldn't discuss last night... had to engage some serious prod related tickets. I'll discuss today.

By Michael Schwartz Account Admin 14 Feb 2020 at 1:07 p.m. CST

Copy
Michael Schwartz gravatar
Is this an actual customer requirement? Because SAML renders the login page to the browser--connected on the Internet. So if you could describe why this customer has a non-Internet conneted SAML IDP, that would be helpful.

By Kee Wee Wong Account Admin 17 Feb 2020 at 6:59 a.m. CST

Copy
Kee Wee Wong gravatar
Hi Mike, Yes, this is an actual requirement. Currently the entire intranet is air-gapped, with no internet access at all from both the user and server.

By Mohib Zico staff 17 Feb 2020 at 7:42 a.m. CST

Copy
Mohib Zico gravatar
Hello Kee Wee, I created a github issue to cover such scenario: https://github.com/GluuFederation/community-edition-setup/issues/642

By Michael Schwartz Account Admin 17 Feb 2020 at 3:52 p.m. CST

Copy
Michael Schwartz gravatar
What if you updated the hosts file to point this at a local web server?

By Kee Wee Wong Account Admin 18 Feb 2020 at 12:11 a.m. CST

Copy
Kee Wee Wong gravatar
Hi Mike, So we host the schema document locally and point the www.w3.org to the local server?

By Michael Schwartz Account Admin 18 Feb 2020 at 2:43 a.m. CST

Copy
Michael Schwartz gravatar
I think i would work. How often does the w3.org schema change at this point?

By Mohib Zico staff 21 Feb 2020 at 9:15 a.m. CST

Copy
Mohib Zico gravatar
Thanks for your help so far! I think we can track the github issue and if required can reopen this ticket.

Post an answer