4 Replies Latest reply on Aug 6, 2010 10:51 AM by marcelkolsteren

    Generate SAML2 Metadata File from Filter?

    bigman921

      I've set up the filter as an SP and am trying to integrate it with an OpenSSO IdP. Is there a way to generate the SAML2 metadata file from the filter? I saw that the seam module has a way. Looking at the code it didn't look that complex, but is there a standard SAML2 template I could use?

      Thanks

      Marc

        • 1. Re: Generate SAML2 Metadata File from Filter?
          anil.saldhana
          • 2. Re: Generate SAML2 Metadata File from Filter?
            bigman921

            Is there a sample metadata file for an SP? Sure, will contribute it back when I can get it working.

            Marc

            • 3. Re: Generate SAML2 Metadata File from Filter?
              anil.saldhana

              This is what I picked up from the SAML2 metadata spec.

              <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://ServiceProvider.com/SAML">
                <ds:Signature>...</ds:Signature>
                <SPSSODescriptor AuthnRequestsSigned="true"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                  <KeyDescriptor use="signing">
                    <ds:KeyInfo>
                      <ds:KeyName>ServiceProvider.com SSO Key</ds:KeyName>
                    </ds:KeyInfo>
                  </KeyDescriptor>
                  <KeyDescriptor use="encryption">
                    <ds:KeyInfo>
                      <ds:KeyName>ServiceProvider.com Encrypt Key</ds:KeyName>
                    </ds:KeyInfo>
                    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                  </KeyDescriptor>
                  <SingleLogoutService
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                      Location="https://ServiceProvider.com/SAML/SLO/SOAP"/>
                  <SingleLogoutService
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                      Location="https://ServiceProvider.com/SAML/SLO/Browser"
                      ResponseLocation="https://ServiceProvider.com/SAML/SLO/Response"/>
                  <NameIDFormat>
                    urn:oasis:names:tc:SAML:2.0:nameid-format:transient
                  </NameIDFormat>
                  <AssertionConsumerService isDefault="true" index="0"
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                      Location="https://ServiceProvider.com/SAML/SSO/Artifact"/>
                  <AssertionConsumerService index="1"
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                      Location="https://ServiceProvider.com/SAML/SSO/POST"/>
                  <AttributeConsumingService index="0">
                    <ServiceName xml:lang="en">Academic Journals R US</ServiceName>
                    <RequestedAttribute
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                        FriendlyName="eduPersonEntitlement">
                      <saml:AttributeValue>
                        https://ServiceProvider.com/entitlements/123456789
                      </saml:AttributeValue>
                    </RequestedAttribute>
                  </AttributeConsumingService>
                </SPSSODescriptor>
                <Organization>
                  <OrganizationName xml:lang="en">Academic Journals R US</OrganizationName>
                  <OrganizationDisplayName xml:lang="en">
                    Academic Journals R US, a Division of Dirk Corp.
                  </OrganizationDisplayName>
                  <OrganizationURL xml:lang="en">https://ServiceProvider.com</OrganizationURL>
                </Organization>
              </EntityDescriptor>

              Forgive the formatting.

              • 4. Re: Generate SAML2 Metadata File from Filter?
                marcelkolsteren

                Another example of SP metadata, generated with the PicketLink Seam module:

                <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                <ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" entityID="http://www.frrry.com/MiEnterprise">
                    <ns2:SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                        <ns2:KeyDescriptor use="signing">
                            <KeyInfo>
                                <X509Data>
                                    <X509Certificate>...</X509Certificate>
                                </X509Data>
                            </KeyInfo>
                        </ns2:KeyDescriptor>
                        <ns2:SingleLogoutService xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:IndexedEndpointType" index="0" Location="https://www.frrry.com/MiEnterprise/SingleLogoutService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
                        <ns2:SingleLogoutService xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:IndexedEndpointType" index="0" Location="https://www.frrry.com/MiEnterprise/SingleLogoutService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</ns2:NameIDFormat>
                        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns2:NameIDFormat>
                        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</ns2:NameIDFormat>
                        <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</ns2:NameIDFormat>
                        <ns2:AssertionConsumerService index="0" Location="https://www.frrry.com/MiEnterprise/AssertionConsumerService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
                        <ns2:AssertionConsumerService index="0" Location="https://www.frrry.com/MiEnterprise/AssertionConsumerService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                    </ns2:SPSSODescriptor>
                </ns2:EntityDescriptor>

                I agree that generating the metadata is not hard, especially if you are acquainted with JAXB. The PicketLink project already contains an ObjectFactory for the metadata (generated from the XSD file).
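The same idea in plain Python rather than JAXB, as an added example that is not code from this thread or from PicketLink: build an SP EntityDescriptor from a handful of parameters, then run a few checks that the SAML 2.0 metadata spec implies (one signing KeyDescriptor, unique AssertionConsumerService index values, https endpoints). The entity IDs, URLs and the certificate value are constructed placeholders.

```python
# Added example, not from the thread or PicketLink: build and sanity-check SP metadata.
import xml.etree.ElementTree as ET
from collections import Counter

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
for prefix, uri in (("md", MD), ("ds", DS)):
    ET.register_namespace(prefix, uri)  # serialize with md:/ds: prefixes

def build_sp_metadata(entity_id, acs_url, slo_url, cert_b64):
    """Return an SP EntityDescriptor; cert_b64 is the base64 DER certificate body."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="true",
                       WantAssertionsSigned="true", protocolSupportEnumeration=PROTO)
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Location=slo_url,
                  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect")
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", index="0",
                  isDefault="true", Binding=POST, Location=acs_url)
    return ET.tostring(ed, encoding="unicode")

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    findings = [f"{a} is not true" for a in ("AuthnRequestsSigned", "WantAssertionsSigned")
                if sp.get(a) != "true"]
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    if not any(k.get("use") in (None, "signing") for k in sp.findall(f"{{{MD}}}KeyDescriptor")):
        findings.append("no signing KeyDescriptor")
    acs = Counter(e.get("index") for e in sp.findall(f"{{{MD}}}AssertionConsumerService"))
    findings += [f"AssertionConsumerService index {i} used {n} times"
                 for i, n in acs.items() if n > 1]
    findings += [f"non-https endpoint {e.get('Location')}" for e in sp.iter()
                 if e.get("Location") and not e.get("Location").startswith("https://")]
    return findings

# Constructed sample with the shape of the Seam-generated metadata above: both
# AssertionConsumerService endpoints claim index="0" and requests are unsigned.
WEAK_SAMPLE = f"""<EntityDescriptor xmlns="{MD}" entityID="http://sp.example.test/app">
 <SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="{PROTO}">
  <AssertionConsumerService index="0" Binding="{POST}" Location="https://sp.example.test/acs"/>
  <AssertionConsumerService index="0" Binding="{POST}" Location="http://sp.example.test/acs"/>
 </SPSSODescriptor></EntityDescriptor>"""
```

Because ElementTree resolves tags by namespace URI, check_sp_metadata accepts the ns2:-prefixed output shown above as well as the md:-prefixed output of build_sp_metadata.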