Warn the user if they do not also set sign.enabled in metadata file (simplesamlphp#2466)

monkeyiq · tvdijen · monkeyiq · commit cbfdd50babae · 2025-06-16T11:17:05.000+10:00
* Warn the user if they do not also set sign.enabled in metadata file

This block needs to be enabled in the metadata file to have the effect.

* lint

* Update lock-file

---------

Co-authored-by: Tim van Dijen &lt;tvdijen@gmail.com&gt;
diff --git a/docs/simplesamlphp-advancedfeatures.md b/docs/simplesamlphp-advancedfeatures.md
@@ -57,7 +57,9 @@ The default is not to use a proxy ('proxy' = null) and no username and password
 
 ## Metadata signing
 
-SimpleSAMLphp supports signing of the metadata it generates. Metadata signing is configured by four options:
+SimpleSAMLphp supports signing of the metadata it generates.
+
+Metadata signing is configured by four options:
 
 - `metadata.sign.enable`: Whether metadata signing should be enabled or not. Set to `TRUE` to enable metadata signing. Defaults to `FALSE`.
 - `metadata.sign.privatekey`: Location of the private key data which should be used to sign the metadata.
@@ -71,7 +73,13 @@ SimpleSAMLphp supports signing of the metadata it generates. Metadata signing is
   - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha384`
   - `http://www.w3.org/2001/04/xmldsig-more#rsa-sha512`
 
-These options can be configured globally in the `config/config.php`-file, or per SP/IdP by adding them to the hosted metadata for the SP/IdP. The configuration in the metadata for the SP/IdP takes precedence over the global configuration.
+These options can be configured globally in the
+`config/config.php`-file, or per SP/IdP by adding them to the hosted
+metadata for the SP/IdP. The configuration in the metadata for the
+SP/IdP takes precedence over the global configuration. Note that if
+wish to set the metadata.sign.privatekey and metadata.sign.certificate
+in a metadata file you need to also set metadata.sign.enable=true in
+that metadata file.
 
 There is also an additional fallback for the private key and the certificate. If `metadata.sign.privatekey` and `metadata.sign.certificate` isn't configured, SimpleSAMLphp will use the `privatekey`, `privatekey_pass` and `certificate` options in the metadata for the SP/IdP.
 
diff --git a/src/SimpleSAML/Metadata/MetaDataStorageHandler.php b/src/SimpleSAML/Metadata/MetaDataStorageHandler.php
@@ -342,6 +342,20 @@ public function getMetaData(?string $entityId, string $set): array
                     }
                 }
 
+                if (!array_key_exists('metadata.sign.enable', $metadata)) {
+                    // The admin needs to set the .enable setting to make these
+                    // specific keys be used.
+                    if (
+                        array_key_exists('metadata.sign.privatekey', $metadata)
+                        || array_key_exists('metadata.sign.certificate', $metadata)
+                    ) {
+                        Logger::error("SIGNING: Please set metadata.sign.enable=true when"
+                                    . " you wish to specify the privatekey and certificate"
+                                     . " in the metadata file."
+                                    . " See entity $entityId");
+                    }
+                }
+
                 $metadata['metadata-index'] = $entityId;
                 $metadata['metadata-set'] = $set;
                 Assert::keyExists($metadata, 'entityid');
