Update to modern cross-platform IDP image #797
Pull request overview
This PR updates the local-development SAML Identity Provider setup to use an actively maintained, cross-architecture SimpleSAMLphp container, and adjusts local backend configuration so the SAML login flow works reliably (including on arm64 hosts).
Changes:
- Replace the legacy `kristophjunge/test-saml-idp` container with `cirrusid/simplesamlphp` and add the required SimpleSAMLphp config/metadata overrides for local dev.
- Update `docker-compose.yml` networking/env so the backend talks to Postgres and the IdP over the compose network (and exposes the backend via port mapping instead of `network_mode: host`).
- Add a `USE_FAKE_LAUNCHPAD_API` toggle path to allow local/test SAML users to authenticate without requiring real Launchpad directory entries.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| REUSE.toml | Adds REUSE annotations for the new SimpleSAMLphp cert/key files. |
| docker-compose.yml | Switches to the new SimpleSAMLphp IdP image and updates backend DB/SAML env + networking. |
| backend/test_observer/controllers/auth/saml.py | Adds a Launchpad API indirection to optionally use a fake implementation for local/dev SAML users. |
| backend/saml/simplesamlphp/saml20-sp-remote.php | Adds SP metadata for SimpleSAMLphp to recognize the backend as the SP. |
| backend/saml/simplesamlphp/saml20-idp-hosted.php | Updates hosted IdP metadata configuration (entity ID and NameID/attribute handling). |
| backend/saml/simplesamlphp/config-override.php | Adds SimpleSAMLphp overrides for HTTP/local-dev operation. |
| backend/saml/simplesamlphp/cert/server.pem | Adds the IdP private key for local SAML signing. |
| backend/saml/simplesamlphp/cert/server.crt | Adds the IdP certificate for local SAML signing. |
| backend/saml/simplesamlphp/apache-http.conf | Overrides Apache vhost so SimpleSAMLphp is reachable over HTTP on :80 for local dev. |
wctaylor
left a comment
This will be a welcome improvement, especially decoupling local logins from Launchpad calls! Just a few comments
wctaylor
left a comment
Can you update the PR description with additional details about what changed between the previous Docker image and the current one so that we have a clearer idea of why some of these extra simplesamlphp files and the extra IdP rewrite test helper stuff is needed now, when it wasn't needed before?
| # The compose stack runs with USE_LOCAL_LOGIN=true, so the SAML flow | ||
| # skips the Launchpad lookup and no launchpad handle is recorded. | ||
| assert user.launchpad_handle is None |
I don't really like this helper assuming the value of an environment variable for correctness. I feel like the environment variable should either be used in the check, or there should be an additional use_local_login: bool = False input to the helper, so that it can be called in a way that is less tightly coupled to the environment. I just don't really like the idea of a test suite depending on environment variables.
Fair point — I was following the README’s suggested test approach using docker exec.
I’ve wrapped the assertion in a check for USE_LOCAL_LOGIN. I don’t currently have an environment where I can test the USE_LOCAL_LOGIN=false path, so I haven’t been able to validate that behavior directly.
| # The compose stack runs with USE_LOCAL_LOGIN=true, so the SAML flow | ||
| # skips the Launchpad lookup and no launchpad handle is recorded. | ||
| if USE_LOCAL_LOGIN: | ||
| assert user.launchpad_handle is None |
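Review bot: the `if USE_LOCAL_LOGIN:` guard leaves the `USE_LOCAL_LOGIN=false` path with no assertion at all, so the helper silently passes without checking that a Launchpad handle was actually recorded; add an `else:` branch that asserts `user.launchpad_handle is not None` (or equals the handle expected for the test user). The comment above the conditional still states that the compose stack runs with `USE_LOCAL_LOGIN=true`, which no longer matches code that branches on the value; reword it to describe both paths.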
Description
Replace the previous SAML IdP container with a cross-architecture, actively maintained SimpleSAMLphp-based setup for local development. The previous image was amd64-only and unmaintained for ~8 years, making it unsuitable for modern dev environments (especially arm64).
Why the rest of the changes?
The two images have very different "convenience" layers. The old image hid a lot of SAML configuration behind environment variables and shipped opinionated defaults; the new image is much closer to a vanilla SimpleSAMLphp install, so the configuration we used to get "for free" now has to be provided explicitly.
Resolved issues
Resolves the inability to run the local SAML IdP on arm64 hosts. The previous `kristophjunge/test-saml-idp` image is amd64-only and unmaintained, which broke the local SAML login flow for developers on arm64 machines.
Documentation
No public documentation changes are required. The change only affects local development authentication infrastructure. The new `USE_LOCAL_LOGIN` flag is wired up in `docker-compose.yml` for local development only.
Web service API changes
No new external API endpoints are introduced. This change is limited to local development authentication infrastructure and backend configuration behavior.
Backend authentication behavior changes include:
- `USE_LOCAL_LOGIN` environment variable to override Launchpad integration for test environments.
Tests
- `USE_LOCAL_LOGIN=true` mode.
- `generate-certs.sh` correctly generates certs on first startup and is idempotent (no-op if certs already exist).
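The toggle described above, and the reviewer's point about the test helper depending on ambient environment, as an added example that is not the project's own `saml.py` code: the flag is parsed strictly so only an explicit `true` disables the directory lookup, the fake and real lookups sit behind one hypothetical `LaunchpadAPI` interface, and the test helper takes the mode as a parameter so both paths are asserted. All class and function names, and the sample directory entry, are constructed for illustration.

```python
import os
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Protocol


def use_local_login(env: Optional[Mapping[str, str]] = None) -> bool:
    """True only when USE_LOCAL_LOGIN is explicitly "true" (case/space tolerant).
    Unset, "false", "1" or "yes" all keep the real Launchpad path, so a typo in
    docker-compose.yml cannot silently disable the directory check."""
    env = os.environ if env is None else env
    return env.get("USE_LOCAL_LOGIN", "").strip().lower() == "true"


class LaunchpadAPI(Protocol):
    def lookup_handle(self, email: str) -> Optional[str]: ...


class FakeLaunchpadAPI:
    """Local-dev stand-in: authenticates the SAML user but records no handle."""
    def lookup_handle(self, email: str) -> Optional[str]:
        return None


class StaticLaunchpadAPI:
    """Stand-in for the real directory, backed by a constructed email->handle map.
    Unknown users are rejected rather than mapped to a None handle."""
    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory

    def lookup_handle(self, email: str) -> Optional[str]:
        handle = self._directory.get(email)
        if handle is None:
            raise PermissionError(f"{email} has no Launchpad directory entry")
        return handle


@dataclass
class User:
    email: str
    launchpad_handle: Optional[str]


def select_api(local_login: bool, directory: Dict[str, str]) -> LaunchpadAPI:
    """The indirection point: the fake is chosen only when the flag is on."""
    return FakeLaunchpadAPI() if local_login else StaticLaunchpadAPI(directory)


def resolve_user(email: str, api: LaunchpadAPI) -> User:
    return User(email=email, launchpad_handle=api.lookup_handle(email))


def check_user(user: User, local_login: bool) -> bool:
    """Test helper with the mode passed in, so both branches assert something."""
    expected_none = user.launchpad_handle is None
    return expected_none if local_login else not expected_none
```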