Totara Learn Open Discussions

Cloning production to staging - preserve SAML.

Niall Fleming
Cloning production to staging - preserve SAML.
by Niall Fleming - Wednesday, 3 September 2025, 08:41 AM
Group Partners

Any guidance on the best way to deal with cloning production into staging when dealing with a site with a SAML IdP configured?

There seems to be no export option for the encryption keys, only the certificate, and the key in the database is encrypted. We don't really want to have our client update the IdP every time we pull production down to stage, and we don't want to break auth in stage either.

Thanks in advance

Craig Eves
Re: Cloning production to staging - preserve SAML.
by Craig Eves (Totara Support) - Sunday, 7 September 2025, 16:52 PM

Hi Niall

I am checking to see if someone from the development team can answer this.

Regards

Cody Finegan
Re: Cloning production to staging - preserve SAML.
by Cody Finegan - Sunday, 7 September 2025, 19:37 PM
Group Totara

Hi Niall,

The encryption keys are not stored in the database (mostly because if the database is compromised we wouldn't want the keys to be easily available). The keys are stored in your file system dataroot instead, specifically a file called encryption_keys.json.

As long as the appropriate key is listed there, you can decrypt the content in another environment. We strongly recommend you protect this file, and copying it across environments does introduce more exposure risk (especially a testing environment). I don't recommend it, but that's how it works.

For staging + SAML specifically this is how I'd approach it.

  • Create a new SAML connection in my staging site to my Identity Provider, specifically for staging (and confirm it works).

  • Save a copy of the IdP details, including the encrypted certificate, in a SQL script.

  • Restore the database.

  • Have a script run that overrides both the metadata field and certificate field of my SAML instance, pointing it at the staging connection instead.

    • Alternatively, disable the existing IdP and have a script that inserts the staging-specific IdP.

That way staging could connect to my SAML IdP, but it technically uses different certificates from production, and I'm not sharing encryption keys across two environments, so it's safer. If my staging was compromised, my production's still fine.

There's no specific user-to-SAML-instance link, so staging using a different instance doesn't matter.
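
The post-restore fix-up described in the steps above, as an added example that is not Totara's code and is not from this thread. The table name `saml_idp`, its columns (`name`, `metadata`, `certificate`, `enabled`) and the sample rows are placeholders chosen for illustration, not Totara's real schema; SQLite stands in for the site database so the script runs offline. Adapt the identifiers to the schema of your release before using the pattern. The script snapshots the staging-specific IdP record before the restore, simulates the restore from the production dump, then disables the production IdP and re-inserts the staging one, refusing to proceed if the snapshot turns out to carry the production certificate (which would mean the two environments share key material, the situation the reply above warns against).

```python
import hashlib
import sqlite3

# Placeholder column names; not Totara's schema. Adjust to your release.
COLUMNS = ("name", "metadata", "certificate", "enabled")

SCHEMA = """
CREATE TABLE saml_idp (
    id          INTEGER PRIMARY KEY,
    name        TEXT    NOT NULL UNIQUE,
    metadata    TEXT    NOT NULL,
    certificate TEXT    NOT NULL,   -- stored encrypted; opaque to this script
    enabled     INTEGER NOT NULL DEFAULT 1
)
"""

# Constructed sample data. STAGING_BEFORE is what staging holds before the
# clone: a production IdP left over from an earlier copy plus the
# staging-specific connection. PRODUCTION_DUMP is what the restore brings in.
STAGING_BEFORE = [
    ("production", '<EntityDescriptor entityID="https://idp.example.com/prod"/>',
     "enc:v1:prod-cert-blob", 1),
    ("staging", '<EntityDescriptor entityID="https://idp.example.com/staging"/>',
     "enc:v1:staging-cert-blob", 1),
]
PRODUCTION_DUMP = [
    ("production", '<EntityDescriptor entityID="https://idp.example.com/prod"/>',
     "enc:v1:prod-cert-blob", 1),
]


def fresh_staging_db(rows=STAGING_BEFORE):
    """Build an in-memory stand-in for the staging site database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        f"INSERT INTO saml_idp ({', '.join(COLUMNS)}) VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def snapshot_idp(conn, name):
    """Step 2 of the procedure: save one IdP record as a dict before the restore."""
    row = conn.execute(
        f"SELECT {', '.join(COLUMNS)} FROM saml_idp WHERE name = ?", (name,)).fetchone()
    if row is None:
        raise LookupError(f"no IdP named {name!r} on staging; create and test it first")
    return dict(zip(COLUMNS, row))


def restore_from_dump(conn, rows):
    """Step 3, simulated: a restore replaces the table with production's rows."""
    conn.execute("DELETE FROM saml_idp")
    conn.executemany(
        f"INSERT INTO saml_idp ({', '.join(COLUMNS)}) VALUES (?, ?, ?, ?)", rows)
    conn.commit()


def reapply_staging_idp(conn, snapshot, production_name):
    """Step 4 (the 'alternatively' variant): disable the production IdP and
    re-insert the staging one. Refuses if both carry the same certificate,
    because then the snapshot is not a staging-specific connection at all."""
    prod = snapshot_idp(conn, production_name)
    if prod["certificate"] == snapshot["certificate"]:
        raise ValueError("snapshot carries the production certificate; "
                         "refusing to share key material across environments")
    conn.execute("UPDATE saml_idp SET enabled = 0 WHERE name = ?", (production_name,))
    conn.execute("DELETE FROM saml_idp WHERE name = ?", (snapshot["name"],))
    conn.execute(
        f"INSERT INTO saml_idp ({', '.join(COLUMNS)}) VALUES (?, ?, ?, ?)",
        tuple(snapshot[c] for c in COLUMNS))
    conn.commit()


def enabled_idps(conn):
    """Names of the IdPs a user could currently log in through."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM saml_idp WHERE enabled = 1 ORDER BY name")]


def cert_fingerprint(conn, name):
    """SHA-256 of the stored certificate blob: enough to show that staging and
    production do not end up pointing at the same material."""
    (blob,) = conn.execute(
        "SELECT certificate FROM saml_idp WHERE name = ?", (name,)).fetchone()
    return hashlib.sha256(blob.encode()).hexdigest()


def run_clone():
    """Whole procedure end to end; returns the connection for inspection."""
    conn = fresh_staging_db()
    snap = snapshot_idp(conn, "staging")      # before the restore
    restore_from_dump(conn, PRODUCTION_DUMP)  # naive clone: only production IdP
    assert enabled_idps(conn) == ["production"]
    reapply_staging_idp(conn, snap, "production")
    return conn


if __name__ == "__main__":
    db = run_clone()
    print("enabled IdPs after fix-up:", enabled_idps(db))
    print("staging cert fingerprint:", cert_fingerprint(db, "staging")[:16])
    print("production cert fingerprint:", cert_fingerprint(db, "production")[:16])
```

The guard in `reapply_staging_idp` is the part worth keeping even if the rest is replaced by a plain SQL script: it turns "did I accidentally snapshot the production connection?" into a hard failure instead of a silent key-sharing mistake.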
Niall Fleming
Re: Cloning production to staging - preserve SAML.
by Niall Fleming - Monday, 13 October 2025, 06:51 AM
Group Partners

Oh cool, thanks. And yes, I wasn't trying to preserve the production certs, but the staging ones, to restore post DB restoration. I had assumed, perhaps wrongly, that the keys/certs were in the DB and encrypted by the encryption_keys.json.