4 Replies Latest reply on Aug 6, 2010 10:51 AM by Marcel Kolsteren

    Generate SAML2 Metadata File from Filter?

    Marc Boorshtein Newbie

      I've set up the filter as an SP and am trying to integrate it with an OpenSSO IdP. Is there a way to generate the SAML2 metadata file from the filter? I saw that the Seam module has a way. Looking at the code it didn't look that complex, but is there a standard SAML2 template I could use?

      Thanks

      Marc

        • 2. Re: Generate SAML2 Metadata File from Filter?
          Marc Boorshtein Newbie

          Is there a sample metadata file for an SP? Sure, I will contribute it back when I can get it working.

          Marc

          • 3. Re: Generate SAML2 Metadata File from Filter?
            Anil Saldanha Master

            This is what I picked up from the SAML2 metadata spec.

            <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                entityID="https://ServiceProvider.com/SAML">
              <ds:Signature>...</ds:Signature>
              <SPSSODescriptor AuthnRequestsSigned="true"
                  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <KeyDescriptor use="signing">
                  <ds:KeyInfo>
                    <ds:KeyName>ServiceProvider.com SSO Key</ds:KeyName>
                  </ds:KeyInfo>
                </KeyDescriptor>
                <KeyDescriptor use="encryption">
                  <ds:KeyInfo>
                    <ds:KeyName>ServiceProvider.com Encrypt Key</ds:KeyName>
                  </ds:KeyInfo>
                  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                </KeyDescriptor>
                <SingleLogoutService
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                    Location="https://ServiceProvider.com/SAML/SLO/SOAP"/>
                <SingleLogoutService
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                    Location="https://ServiceProvider.com/SAML/SLO/Browser"
                    ResponseLocation="https://ServiceProvider.com/SAML/SLO/Response"/>
                <NameIDFormat>
                  urn:oasis:names:tc:SAML:2.0:nameid-format:transient
                </NameIDFormat>
                <AssertionConsumerService isDefault="true" index="0"
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                    Location="https://ServiceProvider.com/SAML/SSO/Artifact"/>
                <AssertionConsumerService index="1"
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Location="https://ServiceProvider.com/SAML/SSO/POST"/>
                <AttributeConsumingService index="0">
                  <ServiceName xml:lang="en">Academic Journals R US</ServiceName>
                  <RequestedAttribute
                      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                      FriendlyName="eduPersonEntitlement">
                    <saml:AttributeValue>
                      https://ServiceProvider.com/entitlements/123456789
                    </saml:AttributeValue>
                  </RequestedAttribute>
                </AttributeConsumingService>
              </SPSSODescriptor>
              <Organization>
                <OrganizationName xml:lang="en">Academic Journals RUS</OrganizationName>
                <OrganizationDisplayName xml:lang="en">
                  Academic Journals R US, a Division of Dirk Corp.
                </OrganizationDisplayName>
                <OrganizationURL xml:lang="en">https://ServiceProvider.com</OrganizationURL>
              </Organization>
            </EntityDescriptor>

            Forgive the formatting.

            • 4. Re: Generate SAML2 Metadata File from Filter?
              Marcel Kolsteren Apprentice

              Another example of SP metadata, generated with the PicketLink Seam module:


              <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
              <ns2:EntityDescriptor xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" xmlns:ns4="urn:oasis:names:tc:SAML:2.0:assertion" entityID="http://www.frrry.com/MiEnterprise">
                  <ns2:SPSSODescriptor WantAssertionsSigned="true" AuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                      <ns2:KeyDescriptor use="signing">
                          <KeyInfo>
                              <X509Data>
                                  <X509Certificate>MIICTzCCAbigAwIBAgIESpkzXzANBgkqhkiG9w0BAQUFADBsMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRAwDgYDVQQDEwdVbmtub3duMB4XDTA5MDgyOTEzNTU0M1oXDTA5MTEyNzEzNTU0M1owbDEQMA4GA1UEBhMHVW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4GA1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjEQMA4GA1UEAxMHVW5rbm93bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjgojQu5sR+uOzpMyEcFskVUjtdzLxhLd7Tue56rx0T0GOhwghWywoGu3ZYnIgSTWZhFlciBrtXSO/qSnc56JLruZqJmBfEzEwPqpbBG/0koe07zhMXqtJYKqZZE7rvcZmQ1+elzf0kZSyIvQDoyFHRkSukwCH/rshx4JlilHExECAwEAATANBgkqhkiG9w0BAQUFAAOBgQBf7zW4U5zuzgNcY+54MLf16aBxk9itHVSXdKpJwfT3t01OF6PBVA2xg6XT84sDiw6y+0hwqo/eD42TbY3V3BffSWbwdhJoLGSRZ/XquIrzL9w0kN7jAvczunEZwHoMo0DPjBYKa4Wm4XXUOo1oU66ctfb2RneSCFwQbWfP/Wa15A==</X509Certificate>
                              </X509Data>
                          </KeyInfo>
                      </ns2:KeyDescriptor>
                      <ns2:SingleLogoutService xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:IndexedEndpointType" index="0" Location="https://www.frrry.com/MiEnterprise/SingleLogoutService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
                      <ns2:SingleLogoutService xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:IndexedEndpointType" index="0" Location="https://www.frrry.com/MiEnterprise/SingleLogoutService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                      <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</ns2:NameIDFormat>
                      <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns2:NameIDFormat>
                      <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</ns2:NameIDFormat>
                      <ns2:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</ns2:NameIDFormat>
                      <ns2:AssertionConsumerService index="0" Location="https://www.frrry.com/MiEnterprise/AssertionConsumerService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
                      <ns2:AssertionConsumerService index="0" Location="https://www.frrry.com/MiEnterprise/AssertionConsumerService.seam" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
                  </ns2:SPSSODescriptor>
              </ns2:EntityDescriptor>


              I agree that generating the metadata is not hard, especially if you are acquainted with JAXB. The PicketLink project already contains an ObjectFactory for the metadata (generated from the XSD file).
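One way to do what the thread asks without PicketLink's JAXB ObjectFactory, as an added example in Python (this is not PicketLink or OpenSSO code; the entityID, URLs, endpoint paths and certificate string are constructed placeholders): build the SPSSODescriptor with ElementTree, then run the checks an IdP administrator would want before importing the result, including the duplicate endpoint index and unsigned-assertion cases.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"
NAMEID = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
# Constructed placeholder: a real SP pastes the base64 DER of its signing certificate here.
SAMPLE_CERT_B64 = "MIIC...placeholder-not-a-real-certificate..."

def build_sp_metadata(entity_id, base_url, cert_b64, name_id_formats=("transient",)):
    """SP metadata as UTF-8 bytes: distinct endpoint indexes, HTTP-POST ACS as default,
    and signing flags so the IdP expects signed AuthnRequests and signs its assertions."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", AuthnRequestsSigned="true",
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=BINDING + "HTTP-Redirect",
                  Location=base_url + "/saml/slo")
    for fmt in name_id_formats:
        ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID + fmt
    for idx, binding in enumerate(("HTTP-POST", "HTTP-Redirect")):  # POST first => default
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", index=str(idx),
                      isDefault="true" if idx == 0 else "false",
                      Binding=BINDING + binding, Location=base_url + "/saml/acs")
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)

def check_sp_metadata(xml_bytes):
    """Checks an IdP admin would run before importing SP metadata; returns the problems found."""
    sp = ET.fromstring(xml_bytes).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor"]
    problems = []
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    if not any(k.get("use", "signing") == "signing" for k in sp.findall(f"{{{MD}}}KeyDescriptor")):
        problems.append("no signing KeyDescriptor")
    seen = set()
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        loc, idx = acs.get("Location", ""), acs.get("index")
        if not loc.startswith("https://"):
            problems.append("ACS not https: " + loc)
        if idx in seen:
            problems.append("duplicate ACS index " + str(idx))
        seen.add(idx)
    return problems
```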