SAML profiles require that pre-interaction agreements regarding user identifiers, provider (entity) identifiers, binding support, SOAP endpoints, public key information and other similar types of data be made between providers in a circle of trust. This configuration information, or metadata, is defined in an XML file and shared amongst all providers who will participate in the interactions. Application programming interfaces (APIs) are then used to communicate with the data store, reading, writing, and managing the relevant properties and property values. There are two classifications of metadata:
Standard metadata is defined in the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 specification. The specification includes information such as the single sign-on service URL and the assertion consumer service URL and is written so as to be extensible. For more information, see Standard Metadata Properties.
Extended metadata are properties used by the SAML v2 Plug-in for Federation Services proprietary features and include information such as the account mapper implementation class, and the local authentication URL. For more information, see Extended Metadata Properties.
Instructions on how to use the saml2meta command-line interface to manage metadata are in Managing Metadata using saml2meta. Instructions on how to generate a dual provider metadata configuration file are in Dual Purpose Provider Metadata Files.
Metadata is sometimes referred to as entity descriptor or entity configuration where entity generically refers to the entityID with which each provider is uniquely identified. For more information on the entityID, see Extended Metadata Properties.
Standard metadata properties are defined in the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0 specification and include information such as the single sign-on service URL and the assertion consumer service URL. During installation, two standard metadata configuration files are created for use as input to the saml2meta utility. They are located in /AccessManager-base/product-directory/saml2/meta or /FederationManager-base/SUNWam/saml2/meta.
idpMeta.xml is the default standard metadata configuration file if your instance of the SAML v2 Plug-in for Federation Services will act as an identity provider.
spMeta.xml is the default standard metadata configuration file if your instance of the SAML v2 Plug-in for Federation Services will act as a service provider.
The following sections define both the identity provider and service provider standard metadata properties that have been implemented in the SAML v2 Plug-in for Federation Services.
A complete listing of all the standard metadata properties can be found in the Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0.
The identity provider standard metadata properties implemented in the SAML v2 Plug-in for Federation Services are defined in the following table.
WantAuthnRequestsSigned |
Takes a value of true or false. If true, all authentication requests received by this identity provider must be signed. |
ArtifactResolutionService |
Defines the endpoint(s) that support the Artifact Resolution profile. |
SingleLogoutService |
Defines the endpoint(s) that support the Single Logout profiles. |
ManageNameIDService |
Defines the endpoint(s) that support the Name Identifier Management profiles. |
NameIDFormat |
Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support two types of identifiers:
More information about name identifiers is in Single Sign-on. |
SingleSignOnService |
Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint. |
The service provider standard metadata properties implemented in the SAML v2 Plug-in for Federation Services are defined in the following table.
AuthnRequestsSigned |
Takes a value of true or false. If true, the service provider will sign all outgoing authentication requests. |
WantAssertionsSigned |
Takes a value of true or false. If true, all assertions received by this service provider must be signed. |
SingleLogoutService |
Defines the endpoint(s) that support the Single Logout profiles. |
ManageNameIDService |
Defines the endpoint(s) that support the Name Identifier Management profiles. |
NameIDFormat |
Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support two types of identifiers:
More information about name identifiers is in Single Sign-on. |
AssertionConsumerService |
Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All service providers support at least one such endpoint. |
Extended metadata properties are properties used by our proprietary features and include information such as the account mapper implementation class and the local authentication URL. The properties are specific to whether the provider is an identity provider or a service provider. During installation, two extended metadata configuration files are created for use as input to the saml2meta command. They are located in /AccessManager-base/product-directory/saml2/meta or /FederationManager-base/SUNWam/saml2/meta.
idpExtended.xml is the default extended metadata configuration file if your instance of the SAML v2 Plug-in for Federation Services will act as an identity provider.
spExtended.xml is the default extended metadata configuration file if your instance of the SAML v2 Plug-in for Federation Services will act as a service provider.
The following sections define properties in the identity provider and service provider extended metadata.
The identity provider extended metadata properties are defined in the following table.
The service provider extended metadata properties are defined in the following table.
hosted |
Specifies whether the entity is hosted on, or remote to, the server to which this metadata is being applied. A value of 0 or false specifies that the entity is remote. A value of 1 or true specifies that the entity is hosted. |
entityID |
Specifies the EntityID of the provider you are configuring. The value of EntityID for your local provider is the unique uniform resource identifier (URI) you decide to use to identify yourself to other providers. You will get a remote provider's EntityID from the metadata they give to you. Note – This EntityID is different from the entities configured using the console in Access Manager and Federation Manager. It is specific to SAML v2 interactions. |
metaAlias |
Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name (dependent on whether the SAML v2 Plug-in for Federation Services is installed in Access Manager or Federation Manager) coupled with a forward slash and the provider name. For example, /suncorp/travelprovider. Caution – The names used in the metaAlias must not contain a /. |
signingCertAlias |
Specifies the provider certificate alias used to find the correct signing certificate in the keystore. |
encryptionCertAlias |
Specifies the provider certificate alias used to find the correct encryption certificate in the keystore. |
basicAuthOn |
Basic authentication can be turned on to protect SOAP endpoints. This property takes a value of true or false. Any provider accessing these endpoints must have the user and password defined in the following two properties: basicAuthUser and basicAuthPassword. |
basicAuthUser |
The user associated with the basic authentication. |
basicAuthPassword |
The password associated with the basic authentication. |
autofedEnabled |
Auto-federation automatically federates a user's disparate provider accounts based on a common attribute. This property takes a value of true or false. |
autofedAttribute |
Specifies the attribute used to match a user's disparate provider accounts when auto-federation is enabled. |
spAccountMapper |
Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultSPAccountMapper, the default implementation. |
spAttributeMapper |
Specifies the implementation of the AttributeMapper interface used to map a remote user account attribute to a local user account attribute for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper, the default implementation. |
spAuthncontextMapper |
Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper. |
spAuthncontextClassrefMapping |
Sets the provider's desired authentication context class and authentication level. Multiple values can be specified. The value of this property is in the format authnContextClassRef | authlevel | default, for example urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport | 1 or urn:oasis:names:tc:SAML:2.0:ac:classes:Password | 0 | default |
spAuthncontextComparisonType |
Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:
The default value is exact. |
attributeMap |
Specifies the mapping of attributes between providers. The value of this attribute is in the format: SAML v2-attribute=user-attribute where SAML v2-attribute is the attribute name that goes over the wire and user-attribute is the attribute name it will map to once it arrives. Note – If auto-federation is enabled, the value of SAML v2-attribute is equal to the value of autofedAttribute. |
saml2AuthModuleName |
Specifies the name of the instance of the SAML v2 authentication module. The default value is SAML2. |
localAuthURL |
Specifies the URL of the local login page. For more information, see Assertion Consumer Page. |
intermediateUrl |
Specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account. |
defaultRelayState |
After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed. For more information, see Default Display Page. Caution – When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz and then appended to the URL. For example, the service provider initiated single sign-on URL would be: http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz |
AssertionTimeSkew |
Assertions are valid for a period of time and not before or after. This property specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value. |
wantAttributeEncrypted |
Takes a value of true or false. If true, the identity provider must encrypt all AttributeStatement elements. |
wantAssertionEncrypted |
Takes a value of true or false. If true, the identity provider must encrypt all Assertion elements. |
wantNameIDEncrypted |
Takes a value of true or false. If true, the identity provider must encrypt all NameID elements. |
wantArtifactResponseSigned |
Takes a value of true or false. If true, the identity provider must sign the ArtifactResponse element. |
wantLogoutRequestSigned |
Takes a value of true or false. If true, the identity provider must sign the LogoutRequest element. |
wantLogoutResponseSigned |
Takes a value of true or false. If true, the identity provider must sign the LogoutResponse element. |
wantMNIRequestSigned |
Takes a value of true or false. If true, the identity provider must sign the ManageNameIDRequest element. |
wantMNIResponseSigned |
Takes a value of true or false. If true, the identity provider must sign the ManageNameIDResponse element. |
cotlist |
Specifies the name of the circle of trust to which this provider belongs. |
transientUser |
Specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier. |
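Two of the service provider properties above, defaultRelayState and AssertionTimeSkew, are applied by the service provider at request and response time. The following Python is an added example, not the plug-in's code: it reproduces the RelayState encoding the table shows for the spSSOInit.jsp URL and applies a 300-second skew to NotBefore only, as the table describes. The host names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse


def sp_sso_init_url(base, meta_alias, idp_entity_id, relay_state):
    """Build the SP-initiated SSO URL (.../saml2/jsp/spSSOInit.jsp) with the
    RelayState percent-encoded. quote(safe="") also encodes '/', ':', '?',
    '=' and '&', which yields exactly the encoded form shown in the table."""
    encoded = quote(relay_state, safe="")
    return (f"{base}/saml2/jsp/spSSOInit.jsp?metaAlias={meta_alias}"
            f"&idpEntityID={idp_entity_id}&RelayState={encoded}")


def relay_state_received(url):
    """What the SP sees on arrival: one decoding step restores the target URL
    with its own query string (param1, param2) intact instead of merged into
    the SSO request's parameters."""
    return parse_qs(urlparse(url).query)["RelayState"][0]


def parse_saml_time(text):
    """SAML timestamps are UTC xsd:dateTime values such as 2006-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assertion_within_window(not_before, not_on_or_after, now, skew=300):
    """Apply AssertionTimeSkew the way the table describes: NotBefore may lie
    up to `skew` seconds in the future (the SP clock may lag the IdP), while
    NotOnOrAfter gets no grace at all."""
    earliest = parse_saml_time(not_before) - timedelta(seconds=skew)
    return earliest <= now < parse_saml_time(not_on_or_after)


if __name__ == "__main__":
    # Constructed values: the RelayState and provider names from the table above.
    target = "http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz"
    url = sp_sso_init_url("https://sp.example.com/amserver", "/sp",
                          "http://www.idp.com", target)
    print(url)
    print("round trip ok:", relay_state_received(url) == target)
    # Constructed assertion: issued 12:00:00Z with a 600 s effective time
    # (assertionEffectiveTime in the IdP sample), checked from SP clocks that
    # lag the IdP by 0, 120 and 400 seconds.
    for lag in (0, 120, 400):
        now = parse_saml_time("2006-01-01T12:00:00Z") - timedelta(seconds=lag)
        ok = assertion_within_window("2006-01-01T12:00:00Z",
                                     "2006-01-01T12:10:00Z", now)
        print(f"SP clock {lag}s behind IdP -> accepted={ok}")
```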
According to the SAML v2 specifications, one metadata file can contain configuration data for one identity provider and one service provider. Thus, it is possible to create one standard metadata configuration file and one extended configuration file which, when imported, will configure one member of a circle of trust to act as both an identity provider and a service provider. Sample files and instructions on how to generate them are found in the following sections.
The dual purpose standard metadata file would contain one <EntityDescriptor> element containing both <IDPSSODescriptor> and <SPSSODescriptor> elements. The following sample is a standard metadata configuration file in which the data configures zosma21.central.sun.com as both a service provider and an identity provider.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="zosma21.central.sun.com/">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/ArtifactResolver/metaAlias/idp"
        index="0" isDefault="1"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/IDPSloRedirect/metaAlias/idp"
        ResponseLocation="http://zosma21.central.sun.com:80/amserver/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/IDPMniRedirect/metaAlias/idp"
        ResponseLocation="http://zosma21.central.sun.com:80/amserver/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/SSOSoap/metaAlias/idp"/>
  </IDPSSODescriptor>
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/SPSloRedirect/metaAlias/sp"
        ResponseLocation="http://zosma21.central.sun.com:80/amserver/SPSloRedirect/metaAlias/sp"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/SPSloSoap/metaAlias/sp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/SPMniRedirect/metaAlias/sp"
        ResponseLocation="http://zosma21.central.sun.com:80/amserver/SPMniRedirect/metaAlias/sp"/>
    <ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://zosma21.central.sun.com:80/amserver/SPMniSoap/metaAlias/sp"
        ResponseLocation="http://zosma21.central.sun.com:80/amserver/SPMniSoap/metaAlias/sp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://zosma21.central.sun.com:80/amserver/Consumer/metaAlias/sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://zosma21.central.sun.com:80/amserver/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
The dual purpose extended metadata file would contain one <EntityConfig> element containing both <IDPSSOConfig> and <SPSSOConfig> elements. The following sample is an extended metadata configuration file in which the data configures zosma21.central.sun.com as both a service provider and an identity provider.
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="zosma21.central.sun.com/">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="signingCertAlias"><Value></Value></Attribute>
    <Attribute name="encryptionCertAlias"><Value></Value></Attribute>
    <Attribute name="basicAuthOn"><Value>false</Value></Attribute>
    <Attribute name="basicAuthUser"><Value></Value></Attribute>
    <Attribute name="basicAuthPassword"><Value></Value></Attribute>
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value></Value></Attribute>
    <Attribute name="assertionEffectiveTime"><Value>600</Value></Attribute>
    <Attribute name="idpAuthncontextMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper</Value>
    </Attribute>
    <Attribute name="idpAuthncontextClassrefMapping">
      <Value>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</Value>
    </Attribute>
    <Attribute name="idpAccountMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultIDPAccountMapper</Value>
    </Attribute>
    <Attribute name="idpAttributeMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper</Value>
    </Attribute>
    <Attribute name="attributeMap"><Value></Value></Attribute>
    <Attribute name="wantNameIDEncrypted"><Value></Value></Attribute>
    <Attribute name="wantArtifactResolveSigned"><Value></Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value></Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value></Value></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value></Value></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value></Value></Attribute>
    <Attribute name="cotlist"></Attribute>
  </IDPSSOConfig>
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value></Value></Attribute>
    <Attribute name="encryptionCertAlias"><Value></Value></Attribute>
    <Attribute name="basicAuthOn"><Value>false</Value></Attribute>
    <Attribute name="basicAuthUser"><Value></Value></Attribute>
    <Attribute name="basicAuthPassword"><Value></Value></Attribute>
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value></Value></Attribute>
    <Attribute name="transientUser"><Value></Value></Attribute>
    <Attribute name="spAccountMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
    </Attribute>
    <Attribute name="spAttributeMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
    </Attribute>
    <Attribute name="spAuthncontextMapper">
      <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
    </Attribute>
    <Attribute name="spAuthncontextClassrefMapping">
      <Value>PasswordProtectedTransport|0|default</Value>
    </Attribute>
    <Attribute name="spAuthncontextComparisonType"><Value>exact</Value></Attribute>
    <Attribute name="attributeMap"><Value></Value></Attribute>
    <Attribute name="saml2AuthModuleName"><Value></Value></Attribute>
    <Attribute name="localAuthURL"><Value></Value></Attribute>
    <Attribute name="intermediateUrl"><Value></Value></Attribute>
    <Attribute name="defaultRelayState"><Value></Value></Attribute>
    <Attribute name="assertionTimeSkew"><Value>300</Value></Attribute>
    <Attribute name="wantAttributeEncrypted"><Value></Value></Attribute>
    <Attribute name="wantAssertionEncrypted"><Value></Value></Attribute>
    <Attribute name="wantNameIDEncrypted"><Value></Value></Attribute>
    <Attribute name="wantArtifactResponseSigned"><Value></Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value></Value></Attribute>
    <Attribute name="wantLogoutResponseSigned"><Value></Value></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value></Value></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value></Value></Attribute>
    <Attribute name="cotlist"></Attribute>
  </SPSSOConfig>
</EntityConfig>
This procedure creates one standard metadata file and one extended metadata file that contain configuration information for one provider that, when imported, will define it as capable of both functions. See The saml2meta Command-line Reference for more information on the saml2meta command-line interface.
Generate the dual purpose standard and extended metadata configuration files.
saml2meta [-i staging-directory] template -u amadmin -w password -e dual -s /sp1 -d /idp1 -m dualMeta.xml -x dualExtended.xml
Import the generated standard and extended metadata configuration files.
saml2meta [-i staging-directory] import -u amadmin -w password -m dualMeta.xml -x dualExtended.xml
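Before running the import step, the generated pair can be cross-checked. The following Python is an added example, not part of the product or of the saml2meta tool: it parses a constructed, trimmed copy of the two dual-purpose samples above, checks that entityID, hosted and the metaAlias values agree between the standard and extended files, and flags the signing controls described in the tables (WantAuthnRequestsSigned, AuthnRequestsSigned, WantAssertionsSigned, signingCertAlias) that are left off, as they are in the samples. The IdP certificate alias idpkey is a placeholder.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
EC = "{urn:sun:fm:SAML:2.0:entityconfig}"

# Constructed, trimmed-down copies of the two dual-purpose sample files above.
STANDARD = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="zosma21.central.sun.com/">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://zosma21.central.sun.com:80/amserver/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://zosma21.central.sun.com:80/amserver/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1"
    entityID="zosma21.central.sun.com/">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="signingCertAlias"><Value>idpkey</Value></Attribute>
  </IDPSSOConfig>
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="signingCertAlias"><Value></Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

# Standard metadata flags that, per the tables above, enforce signatures.
REQUIRED_TRUE = {"IDPSSODescriptor": ("WantAuthnRequestsSigned",),
                 "SPSSODescriptor": ("AuthnRequestsSigned", "WantAssertionsSigned")}
ROLE_CONFIG = {"IDPSSODescriptor": "IDPSSOConfig", "SPSSODescriptor": "SPSSOConfig"}


def ext_attrs(cfg):
    """Flatten <Attribute name=..><Value>..</Value></Attribute> into a dict."""
    return {a.get("name", "").strip(): (a.findtext(EC + "Value") or "").strip()
            for a in cfg.findall(EC + "Attribute")}


def audit(standard_xml, extended_xml):
    """Return findings; an empty list means the files agree and signing is on."""
    std, ext = ET.fromstring(standard_xml), ET.fromstring(extended_xml)
    findings = []
    if std.get("entityID") != ext.get("entityID"):
        findings.append("entityID differs between the two files")
    if ext.get("hosted") not in ("1", "true"):
        findings.append("entity is not marked hosted")
    for desc, cfg_name in ROLE_CONFIG.items():
        d, c = std.find(MD + desc), ext.find(EC + cfg_name)
        if d is None or c is None:
            findings.append(f"{desc}/{cfg_name} pair is incomplete")
            continue
        for flag in REQUIRED_TRUE[desc]:
            if d.get(flag, "false").lower() != "true":
                findings.append(f"{desc}: {flag} is not true")
        alias = c.get("metaAlias", "")  # e.g. "/idp"; endpoints end in metaAlias/idp
        for loc in (ep.get("Location") for ep in d):
            if loc and not loc.endswith("metaAlias" + alias):
                findings.append(f"{desc}: {loc} lacks metaAlias {alias}")
        if not ext_attrs(c).get("signingCertAlias"):
            findings.append(f"{cfg_name}: signingCertAlias is empty")
    return findings
```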