Windows MSI installer - Choose the DNS name, should mention FQDN

Description

During the Windows Installer it asks two questions on 'Configure Shibboleth' (step 3).

  • "Choose the DNS name for this IdP. It will be used to generate the EntityID, Certificates and Metadata"

  • "Choose the Scope that this IdP will assert"

The first field defaults to the machine hostname, but these two fields together, and the fact that this is similar to other installers [where you might enter hostname in one field and domain name in the next], can lead to a common mistake. This ultimately results in the idp-metadata.xml and certificates being created with just the hostname rather than the FQDN, and the user has to re-install or recreate the certificates.

The simplest way to deal with this might be to reword the first field just to mention that in most [maybe all?] cases it should be the FQDN (Fully Qualified Domain Name). But there could be other options, e.g. checking for a FQDN and issuing a warning if it is not one?

Thanks,

Jon Agland, UK federation team, Jisc

Environment

None

Activity


Rod Widdowson, May 3, 2018 at 2:52 PM

After some discussion with Scott we came to the conclusion that the extra stuff in the dialog was too fraught with issues, not least of which was the perennial issue of code licensing (I do not read the WiX source as a matter of principle).

So I have contented myself with

  • A tightening of the verbiage

  • An alignment with IDP-1123.

Scott Cantor, April 30, 2018 at 4:06 PM

I would be concerned about people sticking full hostnames in scopes and causing the same trouble in reverse, so if the best we can do is just drop everything through the first period, that's fine.

Jon Agland, April 30, 2018 at 4:04 PM

Thanks, I'm still listening... Highlighting that it is or should be an FQDN was my main concern, e.g. changing the question to something along the lines of

"Choose the DNS name (fully qualified domain name) for this IdP. It will be used to generate the EntityID, Certificates and Metadata"

The CommonName and SubjectAltName in the certificate are important to us, and getting those correct on install is preferred (still living with some SAML1 and needing IdPs to have a functioning backchannel)

I agree I think the better solution would be the two stage dialogue taking the FQDN on the first dialogue and then outputting the Domain (aka scope) for the user then to check and adjust on the next dialogue.

Rod Widdowson, April 30, 2018 at 3:39 PM

Well, the easiest then is to grab the FQDN and chomp the name out, leaving the Domain. We have VBScript to hand and I can (eventually) learn how to use it.

The best solution is the extra dialog, but that's a load of extra work. Not that I mind doing it, but we only have so many hours in each month.

I don't know whether Jon is still listening to this and has anything to add?

Scott Cantor, April 30, 2018 at 2:39 PM

Yes, the original complaint was that it was deriving only the hostname portion.

If we wanted to prompt for one thing, we'd need to chop the FQDN and produce the domain from that, which has the usual "count the dots" problems unless we go from the left side and just chop the hostname (which I think is plausible as a default).

Otherwise I think the only fix here is to ask for both with very extensive verbiage explaining what they mean and will be used for.

I would probably have a two stage dialog that collects the FQDN (explaining that it's the thing that users will have to access) and then defaults in a domain name from that, which is explained as "the domain of the organization this IdP will be used for".
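The two checks discussed in this thread (Jon's suggestion of warning when the DNS name is not an FQDN, and Scott's "chop the hostname from the left" derivation of a default scope, with his caveat about full hostnames ending up in the scope field) can be sketched in a few lines. The following is an added illustration written for this page, not code from the Shibboleth installer or its WiX/VBScript custom actions; the function names, the label regex and the sample names are assumptions.

```python
"""Added example: validate the 'Configure Shibboleth' DNS name and derive a default scope.

Not Shibboleth project code; function names and sample values are constructed.
"""
import re

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _normalise(name: str) -> str:
    """Trim whitespace, drop a trailing dot and lower-case for comparisons."""
    return name.strip().rstrip(".").lower()


def is_fqdn(name: str) -> bool:
    """True if name has two or more valid labels, i.e. is not a bare hostname."""
    labels = _normalise(name).split(".")
    if len(labels) < 2:
        return False  # e.g. just "idp" (the machine hostname default)
    return all(_LABEL_RE.match(label) for label in labels)


def default_scope(fqdn: str) -> str:
    """Default scope = everything after the first dot (chop the hostname from the left).

    Going from the left avoids the 'count the dots' problem of guessing a
    registrable domain from the right; the user still confirms the result.
    """
    name = _normalise(fqdn)
    return name.split(".", 1)[1] if "." in name else name


def check_installer_input(dns_name: str, scope: str) -> list:
    """Return a list of warnings for the two installer answers; an empty list means OK."""
    warnings = []
    dns = _normalise(dns_name)
    sc = _normalise(scope)
    if not is_fqdn(dns):
        warnings.append(
            f"DNS name '{dns_name}' is not fully qualified; the EntityID, metadata "
            f"and certificate CN/SAN would be generated from the bare hostname"
        )
    if sc == dns:
        warnings.append(
            f"scope '{scope}' is the full hostname; the scope should be the "
            f"organisation's domain (e.g. '{default_scope(dns)}')"
        )
    elif not dns.endswith("." + sc):
        warnings.append(f"DNS name '{dns_name}' is not within scope '{scope}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs: a correct pair, the bare-hostname mistake, and the reverse mistake.
    for dns, scope in [("idp.example.ac.uk", "example.ac.uk"),
                       ("idp", "example.ac.uk"),
                       ("idp.example.ac.uk", "idp.example.ac.uk")]:
        print(dns, scope, check_installer_input(dns, scope) or "OK")
```

With a correct pair the check returns no warnings; the bare-hostname case the issue reports and the reverse case Scott raises each produce one, which is the point where an installer dialog could stop and ask the user to confirm.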

Fixed

Created May 19, 2017 at 11:00 AM
Updated June 22, 2021 at 11:05 PM
Resolved May 3, 2018 at 2:52 PM