SAML2 Metadata support with JBoss Identity

Version 2

    JBoss Identity supports the SAML2 Metadata profile.

     

    Configure the metadata profile at the IDP

     

    Create a web application for the IDP metadata. In its web.xml, the following should be present:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
       version="2.5">
    
      <display-name>IDP Metadata</display-name>
      <description>
        Metadata for the IDP
      </description>
    
      <servlet>
        <servlet-name>metadata</servlet-name>
        <servlet-class>org.jboss.identity.federation.bindings.servlets.MetadataServlet</servlet-class>
      </servlet>
    
      <servlet-mapping>
        <servlet-name>metadata</servlet-name>
        <url-pattern>/</url-pattern>
      </servlet-mapping>
    
    </web-app>
    

     

    In the WEB-INF folder, you will need a jboss-idfed.xml with the following content:

    <JBossIDP xmlns="urn:jboss:identity-federation:config:1.0" 
              AssertionValidity="20000"
              RoleGenerator="somefqn"
              Encrypt="true">
     <IdentityURL>http://localhost:8080/idp</IdentityURL>
     <Trust>
       <Domains>localhost,jboss.com,jboss.org</Domains>
     </Trust>
     <KeyProvider ClassName="org.jboss.identity.federation.bindings.tomcat.KeyStoreKeyManager">
        <Auth Key="KeyStoreURL" Value="jbid_test_keystore.jks" />
        <Auth Key="KeyStorePass" Value="store123" />
        <Auth Key="SigningKeyPass" Value="test123" />
        <Auth Key="SigningKeyAlias" Value="servercert" />
        <SigningAlias>servercert</SigningAlias>
        <ValidatingAlias Key="localhost" Value="servercert"/>
        <ValidatingAlias Key="127.0.0.1" Value="servercert"/>
     </KeyProvider>
    
     <MetaDataProvider ClassName="org.jboss.identity.federation.bindings.providers.FileBasedEntityMetadataProvider">
      <Option Key="FileName" Value="WEB-INF/idp-metadata.xml"/>
     </MetaDataProvider>  
    </JBossIDP>
    

    The Trust and KeyProvider elements are optional; the MetaDataProvider element is required.

    You will need to provide the entire metadata XML in idp-metadata.xml in the WEB-INF folder of your web application.

     

    An example:

    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                      entityID="https://IdentityProvider.com/SAML">
      <IDPSSODescriptor WantAuthnRequestsSigned="true"
                        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

        <ArtifactResolutionService isDefault="true" index="0"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://IdentityProvider.com/SAML/Artifact"/>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://IdentityProvider.com/SAML/SLO/SOAP"/>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://IdentityProvider.com/SAML/SLO/Browser"
            ResponseLocation="https://IdentityProvider.com/SAML/SLO/Response"/>
        <NameIDFormat>
          urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
        </NameIDFormat>
        <NameIDFormat>
          urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </NameIDFormat>
        <NameIDFormat>
          urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </NameIDFormat>
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
        <SingleSignOnService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
        <saml:Attribute
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName">
        </saml:Attribute>
        <saml:Attribute
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            FriendlyName="eduPersonAffiliation">
          <saml:AttributeValue>member</saml:AttributeValue>
          <saml:AttributeValue>student</saml:AttributeValue>
          <saml:AttributeValue>faculty</saml:AttributeValue>
          <saml:AttributeValue>employee</saml:AttributeValue>
          <saml:AttributeValue>staff</saml:AttributeValue>
        </saml:Attribute>
      </IDPSSODescriptor>
    </EntityDescriptor>
    
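    A quick sanity check an administrator can run over idp-metadata.xml before the servlet publishes it (an added example, not code from JBoss Identity; it uses only the Python standard library, and SAMPLE_METADATA is a constructed, trimmed copy of the metadata above with one SSO endpoint deliberately changed to plain http so the check has something to report):

```python
# Added sanity check for IDP metadata served by the MetadataServlet.
# Not part of JBoss Identity; Python standard library only.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SSO_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: trimmed copy of the metadata above, one endpoint on plain http.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://IdentityProvider.com/SAML">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://IdentityProvider.com/SAML/SLO/Browser"
        ResponseLocation="https://IdentityProvider.com/SAML/SLO/Response"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://IdentityProvider.com/SAML/SSO/Browser"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return (findings, sso): findings is a list of problems found,
    sso maps each SingleSignOnService Binding URI to its Location."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return ["root element is not md:EntityDescriptor"], {}
    idp = root.find("{%s}IDPSSODescriptor" % MD)
    if idp is None:
        return ["no IDPSSODescriptor published"], {}
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("WantAuthnRequestsSigned is not true")
    # KeyDescriptor carries the certificate SPs use to verify IDP signatures;
    # without it, relying parties must obtain the signing certificate out of band.
    if idp.find("{%s}KeyDescriptor" % MD) is None:
        findings.append("no KeyDescriptor: signing certificate not published in metadata")
    sso = {}
    for elem in idp.iter():  # includes idp itself and every descendant
        local = elem.tag.split("}")[-1]
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url is not None and not url.startswith("https://"):
                findings.append("%s %s=%s is not https" % (local, attr, url))
        if local == "SingleSignOnService":
            sso[elem.get("Binding")] = elem.get("Location")
    if SSO_HTTP_POST not in sso and SSO_HTTP_REDIRECT not in sso:
        findings.append("no browser SSO endpoint (HTTP-POST or HTTP-Redirect)")
    return findings, sso
```

    The check inspects structure and endpoints only; it does not verify an XML signature over the metadata, which relying parties should still do when they fetch it.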

     

     

    Configuring the SP for metadata

    It is similar to the IDP configuration. You may need to create an sp-metadata.xml and configure the jboss-idfed.xml accordingly.

     

    General Notes

    1. The implementation is a servlet that serves standard metadata (which does not change often).
    2. By default, the metadata provider is a file-based provider that simply serves a standard file that you have created (idp-metadata.xml or sp-metadata.xml). The file name can be anything as long as the jboss-idfed.xml is updated to match.