7.2 Configuring the SAMLv2 Service Provider Metadata
Federation Manager provides two metadata templates you can customize to meet your needs. For examples of customized metadata templates, see 7.2.1 Sample Metadata Template Files at the end of this section.
Note –
When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityIDas loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.
To Generate and Customize the Service
Provider Template Files
-
Log in as a root user to the host FederationManager–1.
-
Go to the following directory:
/opt/SUNWam/saml2/bin
-
Generate the SAMLv2 template files.
# ./saml2meta -i /var/opt/SUNWam/fm/war_staging template -u amadmin -w 11111111 -e loadbalancer-9.siroe.com -s /sp -a LoadBalancer-9 -f LoadBalancer-9-enc -m /etc/opt/SUNWam/config/saml2-sp-template.xml -x /etc/opt/SUNWam/config/saml2-sp-extented-template.xml
The saml2-sp-extended-template.xmlis similar to the standard saml2-sp-template.xml file. However, the extended file contains data about the SAMLv2 plug-in that is specific to Federation Manager.
-
Customize the saml2–sp-template.xml file.
When the file is first generated, default values are automatically generated and placed in the file. You must manually change these values to match the actual deployment environment. In this deployment example, a load balancer with SSL termination is being used. So you must modify the file to use the HTTPS protocol and the load balancer service URL.
# vi /etc/opt/SUNWam/config/saml2-sp-template.xml
-
In each Location URL and each ResponseLocation URL, change the protocol http to https.
Search for each occurrence of Location and ResponseLocation to be sure you have changed each URL.
-
Globally change all occurrences of FederationManager-1 to loadbalancer-9.
-
Globally change all occurrences of 8080 to 3443.
Save the file.
-
-
Customize the saml2-sp-extended-template.xml file.
# vi /etc/opt/SUNWam/config/saml2-sp-extended-template.xml
-
Modify the following attribute-pair values to enable XML signing.
<Attribute name="wantArtifactResponseSigned"> <Value>true</Value> <Attribute name="wantLogoutRequestSigned"> <Value>true</Value> <Attribute name="wantLogoutResponseSigned"> <Value>true</Value> <Attribute name="wantMNIRequestSigned"> <Value>true</Value> <Attribute name="wantMNIResponseSigned"> <Value>true</Value> <Attribute name="cotlist"> <Value>saml2_circle_of_trust</Value>
-
-
Load the metadata.
7.2.1 Sample Metadata Template Files
In the following examples, changes to the file are indicated in bold.
Note –
When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityIDas loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.
Example 7–1 Modified saml2-sp-template.xml File
<EntityDescriptor
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="loadbalancer-9.siroe.com">
<SPSSODescriptor
AuthnRequestsSigned="false"
WantAssertionsSigned="false"
protocolSupportEnumeration=
"urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="encryption">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>
MIICTDCCAfagAwIBAgICBo8wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNjExMDcyMzU2MTdaFw0xMDA4MDMyMzU2MTdaMCMxITAfBgNVBAMTGGxv
YWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw574iRU6
HsSO4LXW/OGTXyfsbGv6XRVOoy3v+J1pZ51KKejcDjDJXNkKGn3/356AwIaqbcymWd59T0zSqYfR
Hn+45uyjYxRBmVJseLpVnOXLub9jsjULfGx0yjH4w+KsZSZCXatoCHbj/RJtkzuZY6V9to/hkH3S
InQB4a3UAgMCAwEAAaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNV
HSMEGDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4uY29tMA0G
CSqGSIb3DQEBBAUAA0EAMlbfBg/ff0Xkv4DOR5LEqmfTZKqgdlD81cXynfzlF7XfnOqI6hPIA90I
x5Ql0ejivIJAYcMGUyA+/YwJg2FGoA==
</X509Certificate>
</X509Data>
</KeyInfo>
<EncryptionMethod Algorithm=
"https://www.w3.org/2001/04/xmlenc#aes128-cbc">
<KeySize xmlns="https://www.w3.org/2001/04/xmlenc#">128</KeySize>
</EncryptionMethod>
</KeyDescriptor>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://LoadBalancer-9.siroe.com:3443/federation/
SPSloRedirect/metaAlias/sp"
ResponseLocation="https://LoadBalancer-9.siroe.com:3443/
federation/SPSloRedirect/metaAlias/sp"/>
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://LoadBalancer-9.siroe.com:3443/
federation/SPSloSoap/metaAlias/sp"/>
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://LoadBalancer-9.siroe.com:3443/federation/
SPMniRedirect/metaAlias/sp"
ResponseLocation="https://LoadBalancer-9.siroe.com:3443/
federation/SPMniRedirect/metaAlias/sp"/>
<ManageNameIDService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://LoadBalancer-9.siroe.com:3443/
federation/SPMniSoap/metaAlias/sp"
ResponseLocation="https://LoadBalancer-9.siroe.com:3443/
federation/SPMniSoap/metaAlias/sp"/>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
</NameIDFormat>
<NameIDFormat>
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
</NameIDFormat>
<AssertionConsumerService
isDefault="true"
index="0"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://LoadBalancer-9.siroe.com:3443/
federation/Consumer/metaAlias/sp"/>
<AssertionConsumerService
index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://LoadBalancer-9.siroe.com:3443/
federation/Consumer/metaAlias/sp"/>
</SPSSODescriptor>
</EntityDescriptor>
|
Example 7–2 Modified saml2-sp-metadata-template.xml File
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
hosted="1"
entityID="loadbalancer-9.siroe.com">
<SPSSOConfig metaAlias="/sp">
<Attribute name="signingCertAlias">
<Value>LoadBalancer-9</Value>
</Attribute>
<Attribute name="encryptionCertAlias">
<Value>LoadBalancer-9-enc</Value>
</Attribute>
<Attribute name="basicAuthOn">
<Value>false</Value>
</Attribute>
<Attribute name="basicAuthUser">
<Value></Value>
</Attribute>
<Attribute name="basicAuthPassword">
<Value></Value>
</Attribute>
<Attribute name="autofedEnabled">
<Value>false</Value>
</Attribute>
<Attribute name="autofedAttribute">
<Value></Value>
</Attribute>
<Attribute name="transientUser">
<Value></Value>
</Attribute>
<Attribute name="spAccountMapper">
<Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
</Attribute>
<Attribute name="spAttributeMapper">
<Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
</Attribute>
<Attribute name="spAuthncontextMapper">
<Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
</Attribute>
<Attribute name="spAuthncontextClassrefMapping">
<Value>PasswordProtectedTransport|0|default</Value>
</Attribute>
<Attribute name="spAuthncontextComparisonType">
<Value>exact</Value>
</Attribute>
<Attribute name="attributeMap">
<Value></Value>
</Attribute>
<Attribute name="saml2AuthModuleName">
<Value></Value>
</Attribute>
<Attribute name="localAuthURL">
<Value></Value>
</Attribute>
<Attribute name="intermediateUrl">
<Value></Value>
</Attribute>
<Attribute name="defaultRelayState">
<Value></Value>
</Attribute>
<Attribute name="assertionTimeSkew">
<Value>300</Value>
</Attribute>
<Attribute name="wantAttributeEncrypted">
<Value></Value>
</Attribute>
<Attribute name="wantAssertionEncrypted">
<Value></Value>
</Attribute>
<Attribute name="wantNameIDEncrypted">
<Value></Value>
</Attribute>
<Attribute name="wantArtifactResponseSigned">
<Value>true</Value>
</Attribute>
<Attribute name="wantLogoutRequestSigned">
<Value>true</Value>
</Attribute>
<Attribute name="wantLogoutResponseSigned ">
<Value>true</Value>
</Attribute>
<Attribute name="wantMNIRequestSigned">
<Value>true</Value>
</Attribute>
<Attribute name="wantMNIResponseSigned">
<Value>true</Value>
</Attribute>
<Attribute name="cotlist">
<Value>saml2_cirlce_of_trust</Value>
</Attribute>
</SPSSOConfig>
</EntityConfig>
|
- © 2010, Oracle Corporation and/or its affiliates