Oracle® OpenSSO Fedlet Interoperability Guide for Oracle Identity Federation
11g Release 1 (11.1.1.3.0)

Part Number E17847-01
4 Configuring the .NET Oracle OpenSSO Fedlet

This chapter describes how to configure the .NET Oracle OpenSSO Fedlet (.NET Fedlet) with a service provider (SP) application, so that the application can function with a remote identity provider (IdP) such as an Oracle Identity Federation (OIF) identity provider.

The .NET Oracle OpenSSO Fedlet includes the Fedlet.dll, which supports both identity provider and service provider initiated single sign-on (SSO) with the POST and artifact bindings. Multiple identity providers and the identity provider discovery service are also supported for single sign-on. In addition, both identity provider and service provider initiated single logout are supported. ASP.NET developers are provided with an API and a sample application that retrieves an AuthnResponse from the identity provider.

This chapter describes the following tasks for configuring the .NET Oracle OpenSSO Fedlet:

Caution:

When you configure the Oracle OpenSSO Fedlet, you might need to specify certain passwords, depending on the feature you are configuring. For example, for signing and encryption, you must provide passwords for the .keypass and .storepass files.

Although the .NET Oracle OpenSSO Fedlet supports clear-text passwords, it is highly recommended in a production environment that you encrypt these passwords.

4.1 Before You Configure the .NET Oracle OpenSSO Fedlet

Before you configure the .NET Oracle OpenSSO Fedlet, download and unzip the Oracle-OpenSSO-Fedlet.zip file, as described in Chapter 2, "Installing the Oracle OpenSSO Fedlet."

For the supported components for the .NET Fedlet, see Section 1.2, "Oracle OpenSSO Fedlet Supported Standards and Applications."

For general information about the .NET Fedlet, see Chapter 1, "About the Oracle OpenSSO Fedlet."

Note:

The tasks in this chapter include steps that must be performed on the .NET Oracle OpenSSO Fedlet service provider side and the identity provider side. Depending on your deployment, you might be performing all tasks yourself, or you might be required to provide the .NET Fedlet service provider information to an identity provider administrator. Several considerations are:
  • The .NET Fedlet service provider metadata file is named sp.xml. You or an identity provider administrator must import this file into the identity provider using the appropriate administration console or CLI command.

  • The .NET Fedlet service provider extended metadata file is named sp-extended.xml. Any changes made in the file must be communicated to the identity provider administrator, so that the appropriate changes can be made to the identity provider.

4.2 Configuring the .NET Oracle OpenSSO Fedlet

The .NET Oracle OpenSSO Fedlet does not include a configuration program. To configure the .NET Fedlet, perform these steps:

  1. If you have not downloaded and unzipped the Oracle-OpenSSO-Fedlet.zip file, see Chapter 2, "Installing the Oracle OpenSSO Fedlet."

  2. Copy the following files from the .NET Fedlet asp.net/conf folder to your application's App_Data folder:

    • sp.xml-template

    • sp-extended.xml-template

    • idp-extended.xml-template

    • fedlet.cot-template

  3. Rename the files you copied, dropping -template from each name:

    • sp-extended.xml

    • sp.xml

    • idp-extended.xml

    • fedlet.cot

  4. In the files you copied and renamed in the App_Data folder, replace the tags as shown in the next table:

    Tag                 Replace With
    FEDLET_COT          Name of the circle of trust of which the remote identity provider and the local Fedlet service provider application are members.
    FEDLET_ENTITY_ID    ID (name) for the .NET Fedlet service provider application. For example: fedletsp
    FEDLET_DEPLOY_URI   URL of the .NET Fedlet service provider application. For example: http://fedletsp.example.com/SampleApp
    IDP_ENTITY_ID       Entity ID (name) of the remote identity provider. For example: oifidp

    If the .NET Fedlet service provider or identity provider entity ID contains a percent sign (%) or comma (,), escape the character before replacing it in the fedlet.cot file. For example, change “%” to “%25” and “,” to “%2C”.

  5. Get the identity provider metadata XML file and copy the file to the App_Data folder. This file must be named idp.xml.

    For an Oracle Identity Federation identity provider, see Section 4.3.1, "Generating the Metadata for an Oracle Identity Federation Identity Provider."

  6. Copy the Fedlet.dll and the Fedlet.dll.config files from the .NET Fedlet asp.net/bin folder to your application's bin folder.

  7. Configure the identity provider for the .NET Fedlet by adding the .NET Fedlet as a trusted service provider and importing the service provider metadata.

    To configure an Oracle Identity Federation identity provider, see Section 4.3, "Configuring Oracle Identity Federation as an Identity Provider for the .NET Oracle OpenSSO Fedlet."

Tip:

By deploying the .NET Fedlet artifacts in the application's App_Data and bin folders, you can deploy multiple instances of the .NET Fedlet in the same Internet Information Server (IIS), with each .NET Fedlet instance having its own files.
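
The substitution in step 4 of Section 4.2, carried out in code as an added example. This is not part of the Fedlet distribution: the two template strings are constructed stand-ins that contain only the placeholder tags named in the table above (the real sp.xml-template and fedlet.cot-template carry more content, and the sun-fm-cot-status property is assumed). It shows the one part of the step that is easy to get wrong: entity IDs are escaped in fedlet.cot but not in sp.xml, and "%" must be escaped before ",".

```python
"""Added example (not Fedlet code): fill the template files of Section 4.2, step 4."""
import re

PLACEHOLDERS = ("FEDLET_COT", "FEDLET_ENTITY_ID", "FEDLET_DEPLOY_URI", "IDP_ENTITY_ID")

# Constructed stand-in for fedlet.cot-template (Java properties syntax). The real template
# has more properties; sun-fm-cot-status is assumed, the other names appear in this chapter.
FEDLET_COT_TEMPLATE = """\
cot-name=FEDLET_COT
sun-fm-cot-status=Active
sun-fm-trusted-providers=IDP_ENTITY_ID,FEDLET_ENTITY_ID
sun-fm-saml2-readerservice-url=
"""

# Constructed stand-in for sp.xml-template: SAML 2.0 metadata whose assertion consumer
# endpoint is the sample application's fedletapplication.aspx page.
SP_XML_TEMPLATE = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="FEDLET_ENTITY_ID">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="FEDLET_DEPLOY_URI/fedletapplication.aspx"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def cot_escape(entity_id):
    """Escaping rule for entity IDs in fedlet.cot: "%" -> "%25", then "," -> "%2C".

    The order matters: escaping "," first would leave a "%" in "%2C" to be turned
    into "%25" by the second replacement, corrupting the ID.
    """
    return entity_id.replace("%", "%25").replace(",", "%2C")


def fill_template(template, values, escape_for_cot=False):
    """Replace every placeholder tag; entity IDs are escaped only when rendering fedlet.cot."""
    text = template
    for tag in PLACEHOLDERS:
        value = values[tag]
        if escape_for_cot and tag.endswith("_ENTITY_ID"):
            value = cot_escape(value)
        text = text.replace(tag, value)
    leftover = sorted(set(re.findall("|".join(PLACEHOLDERS), text)))
    if leftover:
        raise ValueError("placeholder tags left unreplaced: %s" % leftover)
    return text


def render_fedlet_files(cot_name, sp_entity_id, deploy_uri, idp_entity_id):
    """{file name: contents} for the two files, from the four values of the table above."""
    values = {"FEDLET_COT": cot_name, "FEDLET_ENTITY_ID": sp_entity_id,
              "FEDLET_DEPLOY_URI": deploy_uri, "IDP_ENTITY_ID": idp_entity_id}
    return {"fedlet.cot": fill_template(FEDLET_COT_TEMPLATE, values, escape_for_cot=True),
            "sp.xml": fill_template(SP_XML_TEMPLATE, values)}


def trusted_providers(cot_text):
    """Entity IDs listed in sun-fm-trusted-providers, exactly as stored (escaped) in the file."""
    for line in cot_text.splitlines():
        if line.startswith("sun-fm-trusted-providers="):
            return line.split("=", 1)[1].split(",")
    raise ValueError("fedlet.cot has no sun-fm-trusted-providers line")


if __name__ == "__main__":
    # Values from this chapter's examples, then a constructed IdP entity ID that contains
    # both characters the escaping rule covers.
    files = render_fedlet_files("fedletcot", "fedletsp",
                                "http://fedletsp.example.com/SampleApp", "oifidp")
    print(files["fedlet.cot"])
    odd = render_fedlet_files("fedletcot", "fedletsp",
                              "http://fedletsp.example.com/SampleApp", "acme%20corp,idp")
    print(trusted_providers(odd["fedlet.cot"]))  # ['acme%2520corp%2Cidp', 'fedletsp']
```

The second call uses a constructed IdP entity ID containing both "%" and ","; it lands in the trusted-providers list as acme%2520corp%2Cidp, while sp.xml keeps the Fedlet's own entity ID unescaped. An entity ID that already contains "%20" therefore becomes "%2520" in fedlet.cot, which is what the rule requires.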

4.3 Configuring Oracle Identity Federation as an Identity Provider for the .NET Oracle OpenSSO Fedlet

Before you configure an Oracle Identity Federation identity provider, configure the .NET Oracle OpenSSO Fedlet on the service provider side and generate the service provider metadata file (sp.xml), as described in Section 4.2, "Configuring the .NET Oracle OpenSSO Fedlet."

This section includes the following information about configuring Oracle Identity Federation as an identity provider for the .NET Fedlet:

4.3.1 Generating the Metadata for an Oracle Identity Federation Identity Provider

To configure the .NET Fedlet, generate the identity provider XML metadata and save the metadata in a file named idp.xml.

To generate the XML metadata for an Oracle Identity Federation identity provider, follow these steps:

  1. Log in to Oracle Fusion Middleware Control as an administrator who has the privileges required to manage the Oracle Identity Federation identity provider server instance you want to configure.

  2. In Fusion Middleware Control, select the Oracle Identity Federation identity provider server instance in the topology panel at left.

  3. Generate the Oracle Identity Federation identity provider XML metadata, either from Oracle Enterprise Manager Fusion Middleware Control or by directly accessing a URL.

    To generate the Oracle Identity Federation identity provider metadata from Fusion Middleware Control:

    1. Navigate to Oracle Identity Federation, Administration, Security and Trust, and then Provider Metadata.

    2. Select Identity Provider as the Provider Type and SAML 2.0 as the Protocol.

    3. Click Generate.

    Or, to generate the Oracle Identity Federation identity provider metadata, go to a URL of the form:

    http://host:port/fed/idp/metadata
    
  4. Name the identity provider metadata file idp.xml and copy the file to the .NET Fedlet App_Data folder.

Continue with Section 4.2, "Configuring the .NET Oracle OpenSSO Fedlet."

4.3.2 Configuring an Oracle Identity Federation Identity Provider for the .NET Oracle OpenSSO Fedlet

After you configure the .NET Oracle OpenSSO Fedlet on the service provider side and create the .NET Fedlet service provider metadata file (sp.xml), configure the identity provider by adding the .NET Fedlet as a trusted service provider and importing the metadata file.

To configure Oracle Identity Federation as an identity provider for the .NET Oracle OpenSSO Fedlet, follow these steps:

  1. Log in to Oracle Fusion Middleware Control as an administrator who has the privileges required to manage the Oracle Identity Federation identity provider server instance you want to configure.

  2. Add the .NET Fedlet service provider as a trusted provider for the Oracle Identity Federation identity provider:

    1. In Fusion Middleware Control, select the Oracle Identity Federation identity provider server instance in the topology panel at left.

    2. Navigate to Oracle Identity Federation, Administration, and then Federations.

    3. On the Federations page, click Add.

    4. The Add Trusted Provider dialog appears. Upload the .NET Fedlet service provider metadata file (sp.xml) from the file system.

    5. Click OK.

  3. Configure the new .NET Fedlet trusted provider you added in Step 2:

    1. Navigate to Oracle Identity Federation, Administration, and then Federations.

    2. On the Federations page, select the .NET Fedlet trusted provider and click Edit.

    3. For Oracle Identity Federation Settings, check Enable Attributes in Single Sign-On (SSO).

    4. Click Apply.

  4. If you want to use identity provider initiated single sign-on and single logout, change the default NameID format to Transient/One-Time Identifier for the .NET Fedlet service provider:

    1. In Fusion Middleware Control, select the Oracle Identity Federation identity provider server instance in the topology panel at left.

    2. Navigate to Oracle Identity Federation, Administration, and then Federations.

    3. On the Federations page, select the .NET Fedlet trusted provider and click Edit.

    4. For Oracle Identity Federation Settings, set Default NameID Format to Transient/One-Time Identifier.

    5. Click Apply.

If you make further configuration changes to the .NET Oracle OpenSSO Fedlet, such as changes to the SP extended metadata file (sp-extended.xml), convey them to the identity provider administrator so that the corresponding changes can be made on the identity provider side. If you reconfigure the .NET Fedlet and the sp.xml file changes, re-import the revised file into the identity provider.

4.4 Deploying the .NET Oracle OpenSSO Fedlet Sample Application

The .NET Oracle OpenSSO Fedlet sample application is available in the .NET Fedlet asp.net/SampleApp folder after you unzip the Oracle-OpenSSO-Fedlet.zip file. You can use this sample application to test your deployment of the .NET Fedlet for a .NET application.

To deploy the .NET Oracle OpenSSO Fedlet sample application, follow these steps:

  1. If you have not configured the .NET Fedlet, follow the steps in Section 4.2, "Configuring the .NET Oracle OpenSSO Fedlet."

  2. Copy the following edited files to the .NET Fedlet asp.net/SampleApp/App_Data folder:

    • idp.xml

    • idp-extended.xml

    • sp.xml

    • sp-extended.xml

    • fedlet.cot

  3. Within Internet Information Server, create a virtual directory that points to the SampleApp folder in the unzipped distribution.

    • In IIS 6, use Add Virtual Directory. Be sure to have Read and Script permissions set for the application.

    • In IIS 7, use Add Application (with no additional options required).

Now, you are ready to run the sample application:

  1. Open the sample application in your browser. For example:

    http://fedletsp.example.com/SampleApp
    
  2. Click the link to perform the identity provider initiated single sign-on.

  3. Enter your credentials.

  4. After the form submission, you should be at the fedletapplication.aspx page with access to the AuthnResponse information.

4.5 Configuring the .NET Oracle OpenSSO Fedlet with an Existing Application After Single Sign-on

The .NET Oracle OpenSSO Fedlet supports service provider initiated and identity provider initiated single sign-on.

To see how the single sign-on feature works, consider deploying the .NET Fedlet sample application, as described in Section 4.4, "Deploying the .NET Oracle OpenSSO Fedlet Sample Application."

To configure the .NET Oracle OpenSSO Fedlet with an existing application for single sign-on, follow these steps:

  1. If you have not configured the .NET Fedlet, follow the steps in Section 4.2, "Configuring the .NET Oracle OpenSSO Fedlet."

  2. After you configure the .NET Fedlet, copy the following configured files to the respective folders for your application:

    • Your application's App_Data folder:

      • sp.xml

      • sp-extended.xml

      • idp.xml (metadata from the identity provider)

      • idp-extended.xml

      • fedlet.cot

    • Your application's bin folder:

      • Fedlet.dll

      • Fedlet.dll.config

  3. If you have not imported your application's metadata (sp.xml file) into the identity provider, import this metadata file now.

    If you are using an Oracle Identity Federation identity provider, see Section 4.3.2, "Configuring an Oracle Identity Federation Identity Provider for the .NET Oracle OpenSSO Fedlet."

  4. Within your .NET application's public content folder, create a file based on the spinitiatedsso.aspx file in the .NET Fedlet asp.net/SampleApp folder.

    The spinitiatedsso.aspx file is used to trigger a service provider initiated single sign-on operation. For a list of supported query parameters, view the contents of this file. The supported query parameters are included as comments at the beginning of the file.

  5. In your application, create the required links, depending on the features you are using. The following example links use http://idp-host.example.com:port/uri as the identity provider URL and http://fedletsp.example.com/MyApp for your application's URL.

    • Service provider initiated single sign-on using HTTP POST binding:

      spinitiatedsso.aspx?idpEntityId=http://idp-host.example.com:port/uri
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      
    • Service provider initiated single sign-on using HTTP artifact binding:

      spinitiatedsso.aspx?idpEntityId=http://idp-host.example.com:port/uri
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
      
    • Identity provider initiated single sign-on using HTTP POST binding:

      http://idp-host.example.com:port/uri/idpssoinit
      ?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      &metaAlias=/idp&spEntityID=http://fedletsp.example.com/MyApp
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
      
    • Identity provider initiated single sign-on using HTTP artifact binding:

      http://idp-host.example.com:port/uri/idpssoinit
      ?NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
      &metaAlias=/idp&spEntityID=http://fedletsp.example.com/MyApp
      &binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
      
  6. After the user is successfully authenticated by the identity provider, the browser is redirected to the page in your application that processes the SAML 2.0 response (the assertion consumer service location published in sp.xml).

    Your application can then consume the SAML 2.0 response by modifying and using this code:

    // Namespaces used by the Fedlet sample application for these types (verify in its Import directives).
    using Sun.Identity.Saml2;
    using Sun.Identity.Saml2.Exceptions;

    AuthnResponse authnResponse = null;
    try
    {
        // Reads the metadata from App_Data, then decodes and validates the SAML
        // response posted to this page. Any validation failure throws.
        ServiceProviderUtility spu = new ServiceProviderUtility(Context);
        authnResponse = spu.GetAuthnResponse(Context);
    }
    catch (Saml2Exception se)
    {
        // Invalid AuthnResponse received: log se.Message and show an error page;
        // never fall through as if the user had been authenticated.
    }
    catch (ServiceProviderUtilityException spue)
    {
        // Issues with the deployment (for example, the metadata could not be read).
    }

    if (authnResponse == null)
    {
        // One of the catch blocks ran; stop here instead of treating the request as signed in.
        return;
    }
    

    If validation succeeds, the authnResponse object is populated with the assertion information, and your application can read the attributes and the subject from it. If either exception was thrown, authnResponse is still null and the user must not be treated as authenticated.

    If you deployed the sample application, it shows how to retrieve the attributes and subject information from this object.

4.6 Configuring the .NET Oracle OpenSSO Fedlet for Single Logout

Single logout permits the session termination of all participants in a session simultaneously. Any participant in the session can initiate the logout request. The .NET Oracle OpenSSO Fedlet supports both identity provider initiated and service provider initiated single logout.

When using the .NET Fedlet, the session state is maintained by the service provider application and not the .NET Fedlet itself. Therefore, the service provider application performs the session termination and application logout for a user. The .NET Fedlet simply provides the support for the SAML 2.0 single logout communications.

For .NET Fedlet initiated single logout, the .NET Fedlet application logs the user out locally and then invokes the .NET Fedlet for the global logout.

The .NET Fedlet application decides whether to delete a user session before requesting single logout or after a successful single logout response is returned from the identity provider. The .NET Fedlet application also has the responsibility to invoke single logout for each identity provider with which it has successfully completed single sign-on.

To implement single logout, the .NET Fedlet sample application includes the logout.aspx and spinitiatedslo.aspx files in the asp.net/SampleApp folder. To see how the single logout feature works, consider deploying the .NET Fedlet sample application, as described in Section 4.4, "Deploying the .NET Oracle OpenSSO Fedlet Sample Application."

To configure a .NET Oracle OpenSSO Fedlet service provider application for single logout, follow these steps:

  1. If you have not configured the .NET Fedlet, follow the steps in Section 4.2, "Configuring the .NET Oracle OpenSSO Fedlet."

  2. After you configure the .NET Fedlet, copy the following configured files to the respective folders for your application:

    • Your application's App_Data folder:

      • sp.xml

      • sp-extended.xml

      • idp.xml (metadata from the identity provider)

      • idp-extended.xml

      • fedlet.cot

    • Your application's bin folder:

      • Fedlet.dll

      • Fedlet.dll.config

  3. If you have not imported your application's metadata (sp.xml file) into the identity provider, import this metadata now.

    If you are using an Oracle Identity Federation identity provider, see Section 4.3.2, "Configuring an Oracle Identity Federation Identity Provider for the .NET Oracle OpenSSO Fedlet."

  4. Within your .NET application's public content folder, create files based on the logout.aspx and spinitiatedslo.aspx files in the .NET Fedlet asp.net/SampleApp folder.

    These files are used by the .NET Fedlet sample application to implement single logout. The logout.aspx file is used for identity provider initiated single logout, and the spinitiatedslo.aspx file is used for service provider initiated single logout. You can use them to develop your .NET Fedlet application.

  5. Make these changes to the configuration files for your application:

    • For identity provider initiated single logout: In the sp.xml file, make sure that the path to the file you created from logout.aspx points to the correct location of that file in your application.

    • For service provider initiated single logout: In the idp.xml file, make sure that the path to the file you created from spinitiatedslo.aspx points to the correct location of that file in your application.

  6. If you want the logout request and logout response signed, set the following attributes to true in the sp-extended.xml and idp-extended.xml files:

    • wantLogoutRequestSigned

    • wantLogoutResponseSigned

  7. Import the .NET Fedlet service provider metadata file (sp.xml) into the identity provider. (If you have already imported the sp.xml file into the identity provider, re-import the updated file.)

    For an Oracle Identity Federation identity provider, see Section 4.3.2, "Configuring an Oracle Identity Federation Identity Provider for the .NET Oracle OpenSSO Fedlet."

    Also, inform the identity provider administrator that you configured single logout for the .NET Fedlet service provider, so that the administrator can make any required additional changes to the identity provider configuration.
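
A consistency check for steps 5 and 6, as an added example that is not Fedlet code. The four documents embedded in it are constructed, minimal versions of sp.xml, idp.xml, sp-extended.xml and idp-extended.xml built from the element and attribute names this chapter uses; the entityconfig namespace URI and the SPSSOConfig/IDPSSOConfig element names are assumed to match the templates shipped with the Fedlet, and the IdP logout URL is made up. check_slo reports SP logout endpoints that do not live under the application URL or do not point at the logout page, an IdP that offers no logout endpoint for the binding the SP uses, and either signing flag left at a value other than true.

```python
"""Added example (not Fedlet code): check the single logout set-up of Section 4.6, steps 5 and 6."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"  # assumed; copy it from your *-extended.xml files

# Constructed minimal documents, using this chapter's names (application at
# http://fedletsp.example.com/MyApp, logout page from logout.aspx); the IdP logout URL is made up.
SP_XML = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="fedletsp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://fedletsp.example.com/MyApp/logout.aspx"/>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://fedletsp.example.com/MyApp/fedletapplication.aspx"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""
IDP_XML = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="oifidp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp-host.example.com/fed/idp/slo"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
SP_EXT = """\
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="fedletsp" hosted="true">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="wantLogoutRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value>true</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>
"""
IDP_EXT = """\
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="oifidp" hosted="false">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="wantLogoutRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value>true</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""


def slo_endpoints(metadata_xml, role):
    """Binding -> (Location, ResponseLocation) for each SingleLogoutService in the role."""
    desc = ET.fromstring(metadata_xml).find("{%s}%s" % (MD_NS, role))
    if desc is None:
        raise ValueError("metadata has no " + role)
    return {e.get("Binding"): (e.get("Location"), e.get("ResponseLocation") or e.get("Location"))
            for e in desc.findall("{%s}SingleLogoutService" % MD_NS)}


def extended_value(extended_xml, name):
    """First <Value> of <Attribute name="..."> in extended metadata, lower-cased; "" if absent."""
    for attr in ET.fromstring(extended_xml).iter("{%s}Attribute" % EC_NS):
        if attr.get("name") == name:
            value = attr.find("{%s}Value" % EC_NS)
            return (value.text or "").strip().lower() if value is not None else ""
    return ""


def check_slo(sp_xml, idp_xml, sp_ext, idp_ext, deploy_uri, logout_page):
    """List the problems found; an empty list means the single logout set-up is consistent."""
    problems = []
    base = deploy_uri.rstrip("/") + "/"
    sp_slo = slo_endpoints(sp_xml, "SPSSODescriptor")
    if not sp_slo:
        problems.append("sp.xml: no SingleLogoutService, so IdP-initiated logout cannot reach the app")
    for binding, urls in sp_slo.items():
        for url in dict.fromkeys(urls):  # Location and ResponseLocation, without duplicates
            if not url.startswith(base):
                problems.append("sp.xml: %s endpoint %s is outside %s" % (binding, url, deploy_uri))
            elif not url.endswith("/" + logout_page):
                problems.append("sp.xml: %s endpoint %s is not the %s page" % (binding, url, logout_page))
    idp_slo = slo_endpoints(idp_xml, "IDPSSODescriptor")
    for binding in sp_slo:
        if binding not in idp_slo:
            problems.append("idp.xml: the IdP has no SingleLogoutService for %s" % binding)
    for file_name, ext_xml in (("sp-extended.xml", sp_ext), ("idp-extended.xml", idp_ext)):
        for flag in ("wantLogoutRequestSigned", "wantLogoutResponseSigned"):
            if extended_value(ext_xml, flag) != "true":
                problems.append("%s: %s is not true, so signed logout messages are not required"
                                % (file_name, flag))
    return problems


if __name__ == "__main__":
    for line in check_slo(SP_XML, IDP_XML, SP_EXT, IDP_EXT,
                          "http://fedletsp.example.com/MyApp", "logout.aspx") or ["OK"]:
        print(line)
```

Run it against your real files before step 7: an endpoint that still carries the sample application's URL after you moved the logout page into your own application is exactly the mistake that surfaces only after sp.xml has been re-imported into the identity provider.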

4.7 Configuring the .NET Oracle OpenSSO Fedlet for Multiple Identity Providers

In some deployments, you might want to configure the .NET Oracle OpenSSO Fedlet with multiple identity providers. This section describes how to add one or more additional identity providers such as an Oracle Identity Federation identity provider.

This use case also covers an existing deployment in which the .NET Fedlet was installed with Oracle OpenSSO 8.0 Update 1 as the identity provider and you now want to add Oracle Identity Federation as an additional identity provider. In that case, OpenSSO 8.0 Update 1 must be installed and running. For information about OpenSSO 8.0 Update 1, see the OpenSSO 8.0 Update 1 Release Notes at http://docs.sun.com/doc/821-1818.

To configure the .NET Oracle OpenSSO Fedlet for an additional identity provider such as an Oracle Identity Federation identity provider, follow these steps:

  1. Get the XML metadata file for the additional identity provider.

    You can retrieve the Oracle Identity Federation identity provider metadata either from Oracle Enterprise Manager Fusion Middleware Control or by directly accessing a URL.

    To retrieve the Oracle Identity Federation identity provider metadata from Fusion Middleware Control:

    1. Navigate to Oracle Identity Federation, Administration, Security and Trust, and then Provider Metadata.

    2. Select Identity Provider as the Provider Type and SAML 2.0 as the Protocol.

    3. Click Generate.

    Or, to get the Oracle Identity Federation identity provider metadata, go to a URL of the form:

    http://host:port/fed/idp/metadata
    
  2. Name the additional identity provider metadata file idpn.xml, where n is the position of the identity provider you are adding. For example, name the second identity provider's file idp2.xml, the third idp3.xml, and so on. This procedure uses idp2.xml as the file name.

  3. Copy the idp2.xml file from Step 2 to your application's App_Data folder.

  4. Add this new identity provider to the .NET Fedlet circle of trust:

    To add the new identity provider to an existing circle of trust:

    In the fedlet.cot file in your application's App_Data folder, append the new IDP entity ID (indicated by the entityID attribute in the idp2.xml metadata file) to the value of the sun-fm-trusted-providers attribute, using a comma (,) as a separator.

    To add the new identity provider to a new circle of trust:

    1. Create a new file named fedlet2.cot in your application's App_Data folder. Use the existing fedlet.cot as a template, but change the value of the cot-name attribute to the name of the new circle of trust (for example, cot2). Include both the new identity provider entity ID and the .NET Fedlet entity ID as the value of the sun-fm-trusted-providers attribute, with the two entity IDs separated by a comma (,).

    2. In the sp-extended.xml file, add the new circle of trust name to the value of the cotlist attribute. For example, for a circle of trust named cot2:

      <Attribute name="cotlist">
      <Value>saml2cot</Value>
      <Value>cot2</Value>
      </Attribute>
      
  5. In your application's App_Data folder, create a new idp2-extended.xml file as the extended metadata for the new identity provider. Use the existing idp-extended.xml file as a template, but change the entityID to the new identity provider entity ID. Change the value for the cotlist attribute to the circle of trust name, if a new circle of trust is created for the identity provider.

    Note: Make sure that the second identity provider is a remote identity provider by setting the hosted attribute in the EntityConfig element to false.

  6. Restart the Application Pool associated with your Fedlet .NET application.

  7. Import the .NET Fedlet metadata XML file (sp.xml) into the additional identity provider and add the .NET Fedlet service provider to the same circle of trust as the identity provider.

    For information about using an Oracle Identity Federation identity provider, see Section 4.3.2, "Configuring an Oracle Identity Federation Identity Provider for the .NET Oracle OpenSSO Fedlet."

Repeat these steps for any additional identity providers you want to add.
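
Steps 2 to 5 as an added example that is not Fedlet code, driven by the additional identity provider's metadata so that its entity ID is never retyped. The inputs are constructed: a minimal idp2.xml with a made-up endpoint, a two-line fedlet.cot, and extended-metadata documents holding only the entries named above; the entityconfig namespace URI and the IDPSSOConfig/SPSSOConfig element names are assumed to match the Fedlet templates. The example goes slightly beyond the text in refusing metadata that has no IDPSSODescriptor and in making the trusted-provider update idempotent.

```python
"""Added example (not Fedlet code): register an additional identity provider, Section 4.7,
steps 2 to 5, from its metadata file."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EC_NS = "urn:sun:fm:SAML:2.0:entityconfig"  # assumed; copy it from your *-extended.xml files

# Constructed inputs. idp2.xml is minimal SAML 2.0 IdP metadata with a made-up endpoint;
# fedlet.cot and the extended-metadata documents hold only the entries this chapter refers to.
IDP2_XML = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="oifidp2">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp2.example.com/fed/idp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""
FEDLET_COT = "cot-name=saml2cot\nsun-fm-trusted-providers=oifidp,fedletsp\n"
IDP_EXTENDED = """\
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="oifidp" hosted="false">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="cotlist"><Value>saml2cot</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""
SP_EXTENDED = """\
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" entityID="fedletsp" hosted="true">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="cotlist"><Value>saml2cot</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>
"""


def idp_entity_id(idp_metadata_xml):
    """entityID from the metadata, after confirming the file really describes an IdP."""
    root = ET.fromstring(idp_metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    if root.find("{%s}IDPSSODescriptor" % MD_NS) is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an identity provider")
    return root.attrib["entityID"]


def cot_escape(entity_id):
    """fedlet.cot escaping from Section 4.2, step 4 ("%" first, then ",")."""
    return entity_id.replace("%", "%25").replace(",", "%2C")


def add_trusted_provider(cot_text, entity_id):
    """Append the IdP to sun-fm-trusted-providers (comma separated); a no-op if already listed."""
    escaped = cot_escape(entity_id)
    lines = cot_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("sun-fm-trusted-providers="):
            providers = [p for p in line.split("=", 1)[1].split(",") if p]
            if escaped not in providers:
                providers.append(escaped)
            lines[i] = "sun-fm-trusted-providers=" + ",".join(providers)
            return "\n".join(lines) + "\n"
    raise ValueError("fedlet.cot has no sun-fm-trusted-providers line")


def _cotlist(root):
    for attr in root.iter("{%s}Attribute" % EC_NS):
        if attr.get("name") == "cotlist":
            return attr
    raise ValueError("extended metadata has no cotlist attribute")


def make_idp_extended(template_xml, new_entity_id, cot_name):
    """idp2-extended.xml from idp-extended.xml: new entityID, hosted="false", cotlist = cot_name."""
    ET.register_namespace("", EC_NS)
    root = ET.fromstring(template_xml)
    root.set("entityID", new_entity_id)
    root.set("hosted", "false")  # the added IdP is remote (note under step 5)
    cotlist = _cotlist(root)
    for value in list(cotlist):
        cotlist.remove(value)
    ET.SubElement(cotlist, "{%s}Value" % EC_NS).text = cot_name
    return ET.tostring(root, encoding="unicode")


def add_cot_to_sp_extended(sp_extended_xml, cot_name):
    """Step 4 (new circle of trust): add cot_name to the Fedlet's cotlist if it is missing."""
    ET.register_namespace("", EC_NS)
    root = ET.fromstring(sp_extended_xml)
    cotlist = _cotlist(root)
    if cot_name not in [v.text for v in cotlist]:
        ET.SubElement(cotlist, "{%s}Value" % EC_NS).text = cot_name
    return ET.tostring(root, encoding="unicode")


def extended_summary(extended_xml):
    """(entityID, hosted, [cotlist values]) of an extended metadata document."""
    root = ET.fromstring(extended_xml)
    return root.get("entityID"), root.get("hosted"), [v.text for v in _cotlist(root)]


if __name__ == "__main__":
    new_idp = idp_entity_id(IDP2_XML)                        # "oifidp2"
    print(add_trusted_provider(FEDLET_COT, new_idp))         # existing circle of trust
    print(make_idp_extended(IDP_EXTENDED, new_idp, "cot2"))  # new circle of trust cot2 ...
    print(add_cot_to_sp_extended(SP_EXTENDED, "cot2"))       # ... listed on the Fedlet side too
```

Use add_trusted_provider for the existing-circle-of-trust branch of step 4, and make_idp_extended together with add_cot_to_sp_extended for the new-circle-of-trust branch; in both cases hosted is forced to false, which is the check the note under step 5 asks for.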

4.8 Configuring the .NET Oracle OpenSSO Fedlet to Use the Identity Provider Discovery Service

In this scenario, the .NET Oracle OpenSSO Fedlet is configured with multiple identity providers in a circle of trust and you want to configure the .NET Fedlet to use the identity provider discovery service to determine the preferred identity provider.

The discovery service must be configured for the identity providers you are using with the .NET Fedlet. For information about configuring the identity provider discovery service in Oracle Identity Federation, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

To configure the .NET Oracle OpenSSO Fedlet to use the identity provider discovery service:

  1. In the .NET Fedlet fedlet.cot file, set the sun-fm-saml2-readerservice-url property to the URL for the SAML 2.0 reader service. For example:

    sun-fm-saml2-readerservice-url=http://discovery.common.com/opensso/saml2reader
    
  2. Restart the Application Pool associated with your .NET Fedlet application.

4.9 Configuring the .NET Oracle OpenSSO Fedlet for Signing of Requests and Responses

To configure the .NET Oracle OpenSSO Fedlet for signing of requests and responses:

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)

  3. Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS), as described in the Microsoft article. For example:

    1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.

    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE; if the application pool runs under a different identity, grant the permission to that identity instead). Read is sufficient for signing, so do not grant Full Control.

  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the signingCertAlias attribute. For example:

    <Attribute name="signingCertAlias">
    <Value>MyFedlet</Value>
    </Attribute>
    
  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the signing key.

    Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the certificate (public key only, never the private key) in Base64-encoded X.509 format; the Base64 text without the BEGIN and END lines goes into the KeyDescriptor XML block.

    This KeyDescriptor must precede all other child elements of the SPSSODescriptor (the SAML 2.0 metadata schema places KeyDescriptor elements before the service endpoints; if both a signing and an encryption KeyDescriptor are present, they appear together at the top). For example:

    <KeyDescriptor use="signing">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                      <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                      </ds:X509Certificate>
                    </ds:X509Data>
                  </ds:KeyInfo>
    </KeyDescriptor>
    
  6. Restart the Application Pool associated with your .NET application.

4.10 Configuring the .NET Oracle OpenSSO Fedlet for Encryption and Decryption of Requests and Responses

To configure the .NET Oracle OpenSSO Fedlet for encryption and decryption of requests and responses:

  1. Import your X.509 certificate to the Personal folder within the Local Computer account using the Certificates Snap-in for the Microsoft Management Console. To use this snap-in, see the following article:

    http://msdn.microsoft.com/en-us/library/ms788967.aspx

  2. Specify a friendly name for this certificate by viewing the Properties dialog and entering a value. (Save this value for Step 4.)

  3. Set the appropriate permissions to allow read access to the certificate for the user account used by Internet Information Server (IIS), as described in the Microsoft article. For example:

    1. In the Certificates Snap-in, navigate to Action, All Tasks, and then Manage Private Keys.

    2. Specify Allow Read permissions for the user account running IIS (usually NETWORK SERVICE; if the application pool runs under a different identity, grant the permission to that identity instead). Read is sufficient for decryption, so do not grant Full Control.

  4. In the .NET Fedlet's extended metadata file (sp-extended.xml), specify the friendly name specified in Step 2 as the value for the encryptionCertAlias attribute. For example:

    <Attribute name="encryptionCertAlias">
    <Value>MyFedlet</Value>
    </Attribute>
    
  5. In the .NET Fedlet's service provider metadata file (sp.xml), add the KeyDescriptor for the encryption key.

    Use the Certificates Snap-in for the Microsoft Management Console used earlier to export the certificate (public key only, never the private key) in Base64-encoded X.509 format; the Base64 text without the BEGIN and END lines goes into the KeyDescriptor XML block.

    This KeyDescriptor must precede all other child elements of the SPSSODescriptor (the SAML 2.0 metadata schema places KeyDescriptor elements before the service endpoints; if a signing KeyDescriptor is also present, the two appear together at the top). For example:

    <KeyDescriptor use="encryption">
                  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                      <ds:X509Certificate>
    MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
    bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
    ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
    CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
    BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
    AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
    RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
    Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
    QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
    cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
    /FfwWigmrW0Y0Q==
                      </ds:X509Certificate>
                    </ds:X509Data>
                  </ds:KeyInfo>
                  <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                    <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
                  </EncryptionMethod>
    </KeyDescriptor>
    
  6. Restart the Application Pool associated with your .NET Fedlet application.
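
Step 5 of both procedures (Sections 4.9 and 4.10) as an added example that is not Fedlet code: it normalizes a Base64 certificate export, refuses an export that carries a private key, builds the signing and encryption KeyDescriptor blocks in the shape shown above, and inserts them ahead of the endpoint elements of SPSSODescriptor. The sp.xml it edits is a constructed minimal document, and the certificate is a constructed placeholder (a DER SEQUENCE header over zero bytes), not a real certificate.

```python
"""Added example (not Fedlet code): build the KeyDescriptor blocks of Sections 4.9 and 4.10
from an exported certificate and place them first inside SPSSODescriptor in sp.xml."""
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sp.xml with the sample application's assertion consumer endpoint.
SP_XML = """\
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="fedletsp">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://fedletsp.example.com/SampleApp/fedletapplication.aspx"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

# Constructed placeholder for the Base64-encoded X.509 export: a DER SEQUENCE header over
# eight zero bytes, not a real certificate. Paste the export from the Certificates snap-in here.
PLACEHOLDER_EXPORT = ("-----BEGIN CERTIFICATE-----\n"
                      + base64.b64encode(b"\x30\x82\x00\x08" + bytes(8)).decode()
                      + "\n-----END CERTIFICATE-----\n")


def certificate_base64(exported_text):
    """Base64 body of an exported certificate, ready for ds:X509Certificate.

    Only the public certificate belongs in sp.xml, which is handed to the identity provider;
    an export that carries the private key is rejected outright.
    """
    if "PRIVATE KEY" in exported_text:
        raise ValueError("export contains a private key; export the certificate without it")
    body = "".join(line.strip() for line in exported_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)  # raises on anything that is not Base64
    if not der.startswith(b"\x30"):              # DER Certificate ::= SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE; is this a certificate export?")
    return body


def key_descriptor(use, cert_b64):
    """<KeyDescriptor use="signing"> or use="encryption", shaped like the chapter's examples."""
    kd = ET.Element("{%s}KeyDescriptor" % MD_NS, use=use)
    x509 = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % DS_NS), "{%s}X509Data" % DS_NS)
    ET.SubElement(x509, "{%s}X509Certificate" % DS_NS).text = cert_b64
    if use == "encryption":
        method = ET.SubElement(kd, "{%s}EncryptionMethod" % MD_NS,
                               Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc")
        ET.SubElement(method, "{%s}KeySize" % XENC_NS).text = "128"
    return kd


def add_key_descriptors(sp_xml, cert_b64, uses=("signing", "encryption")):
    """Insert one KeyDescriptor per use ahead of every other child of SPSSODescriptor."""
    ET.register_namespace("", MD_NS)
    ET.register_namespace("ds", DS_NS)
    ET.register_namespace("xenc", XENC_NS)
    root = ET.fromstring(sp_xml)
    sp = root.find("{%s}SPSSODescriptor" % MD_NS)
    if sp is None:
        raise ValueError("sp.xml has no SPSSODescriptor")
    present = [kd.get("use") for kd in sp.findall("{%s}KeyDescriptor" % MD_NS)]
    position = len(present)  # keep any KeyDescriptor that is already there in front
    for use in uses:
        if use in present:
            raise ValueError("sp.xml already has a KeyDescriptor use=%r" % use)
        sp.insert(position, key_descriptor(use, cert_b64))
        position += 1
    return ET.tostring(root, encoding="unicode")


def key_descriptor_layout(sp_xml):
    """(use values in document order, True if all KeyDescriptors precede the other children)."""
    sp = ET.fromstring(sp_xml).find("{%s}SPSSODescriptor" % MD_NS)
    tag = "{%s}KeyDescriptor" % MD_NS
    children = list(sp)
    uses = [c.get("use") for c in children if c.tag == tag]
    leading = 0
    while leading < len(children) and children[leading].tag == tag:
        leading += 1
    return uses, leading == len(uses)


if __name__ == "__main__":
    print(add_key_descriptors(SP_XML, certificate_base64(PLACEHOLDER_EXPORT)))
```

The generated EncryptionMethod and KeySize elements carry explicit namespace prefixes rather than the default-namespace form used in the listing above; both serializations denote the same elements. Running key_descriptor_layout over your real sp.xml after editing it by hand is a quick way to confirm that the KeyDescriptor blocks did end up ahead of the endpoints.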

To test this configuration, use the sample application. In addition, the following attributes can be changed so that requests to the identity provider are encrypted and responses from it are decrypted, provided the configured metadata is changed accordingly: