How to generate SAML 2.0 SSO service metadata
We have created many SAML implementations in the past. Normally, the client would send us SAML XML data containing key info, user info, certificate, etc. and we would parse the info, match key and certificates, get the user's unique identifier from the XML, then authenticate the user based on whether he is present in our database or not and send the logged-in user to some page of our domain. (I have a secondary question to ask here: does that make us a SAML IdentityProvider or ServiceProvider?)

Anyway, now this one particular client is asking us to send them the SAML SSO metadata files. They say that in order for them to deploy a federation from their environment into our environment they need a copy of our SAML SSO Service Metadata as specified here: http://en.wikipedia.org/wiki/SAML_2.0#SSO_Service_Metadata

So what do I do? We have never had such a request before. We don't use any third-party tools but have built a custom implementation of SAML using C# and Visual Studio. Please help.

Dario answered 11/6, 2015 at 13:54 Comment(0)
You can also generate it for both Idp and SP using the SimpleSAML tool if you don't feel like hand crafting it.

Fafnir answered 4/11, 2015 at 19:33 Comment(0)
If you handle the authentication, you are the IDP.

The customer is correct - that's the way SAML normally works - both sides swap metadata. The metadata describes what profile, what binding, the certificate, the format of the NameID etc. etc.

Having done a lot of these, I'm somewhat bemused. I've never dealt with an IDP who couldn't provide metadata!

There are .NET 4.5 classes - System.IdentityModel.Metadata to do this.

Have a look at the open source code to generate metadata in IdentityServer.

(Note: this is WS-Fed only but the principle is the same).

Chingchinghai answered 11/6, 2015 at 19:17 Comment(4)
I saw the documentation. Looks like it is for OAuth and OpenID Connect, and not SAML. Anyway, the certificate we as IdP send to the SP, how do we generate that certificate? Any idea? - Dario
No, IdentityServer definitely has WS-Fed metadata. The certificate is the one you use for token signing. This can either be a purchased CA certificate or self-signed. Typically the metadata contains the public key of the signing certificate. - Chingchinghai
Ok. So how do I generate the metadata file as specified here: en.wikipedia.org/wiki/SAML_2.0#SSO_Service_Metadata - Dario
Easiest is just to hand craft it - it's just XML. You'll have to decide what bindings etc. You say you have done many SAML implementations in the past. Use Firefox with the SAML Tracer add-on and see what your current metadata examples look like. - Chingchinghai
You can generate SAML IdP metadata from here: https://www.samltool.com/idp_metadata.php

You can generate SAML SP metadata from here: https://www.samltool.com/sp_metadata.php

Metadata is a simple XML file which describes your organization details such as name, display name, technical contact details, public key for signing, public key for encryption, etc.

Here is the sample data from OneLogin SSO provider:

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/703037">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIELDCCAxSgAwIBAgIUa0r3l1uIkdnRLn5tmlWFHhQ9b5IwDQYJKoZIhvcNAQEF...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dnb-dev.onelogin.com/trust/saml2/http-redirect/slo/703037"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dnb-dev.onelogin.com/trust/saml2/http-redirect/sso/703037"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dnb-dev.onelogin.com/trust/saml2/http-post/sso/703037"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://dnb-dev.onelogin.com/trust/saml2/soap/sso/703037"/>
  </IDPSSODescriptor>
</EntityDescriptor>
Drabble answered 25/6, 2018 at 13:15 Comment(1)
FWIW, if you actually use that tool, all you get is the first few lines of the metadata file, and it doesn't include the meat (the part that everyone actually needs): the certificates used for signing and/or encrypting the SAML assertion as well as the list of attributes to pass. For those that have hand-built SAML implementations, the answer seems to be "copy someone else's metadata file and use it as a template to hand create your own". - Unintelligent
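Since the asker has a custom C# implementation, here is an added example (not code from any of the answers above) that uses the .NET 4.5 System.IdentityModel.Metadata classes Chingchinghai mentions to emit IdP metadata with the same shape as the OneLogin sample: a signing KeyDescriptor, a NameIDFormat, SSO and SLO endpoints. The entity ID, endpoint URLs and certificate file name are hypothetical; the certificate file is assumed to hold the public signing certificate only.

```csharp
// Added example: generate SAML 2.0 IdP metadata with System.IdentityModel.Metadata.
// Entity ID, URLs and "idp-signing.cer" are hypothetical placeholder values.
using System;
using System.IdentityModel.Metadata;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Xml;

static class IdpMetadataBuilder
{
    const string Saml2Protocol = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string HttpRedirect  = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
    const string HttpPost      = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";
    const string EmailNameId   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

    public static void WriteIdpMetadata(X509Certificate2 signingCert, string outputPath)
    {
        var idp = new IdentityProviderSingleSignOnDescriptor();
        idp.ProtocolsSupported.Add(new Uri(Saml2Protocol));
        idp.WantAuthenticationRequestsSigned = true; // advertise that unsigned AuthnRequests are rejected

        // Publish only the public certificate (the raw DER data); the private key stays on the IdP.
        var keyId = new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(signingCert));
        idp.Keys.Add(new KeyDescriptor(keyId) { Use = KeyType.Signing });

        idp.NameIdentifierFormats.Add(new Uri(EmailNameId));
        idp.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(HttpRedirect), new Uri("https://idp.example.com/saml2/sso")));
        idp.SingleSignOnServices.Add(new ProtocolEndpoint(new Uri(HttpPost), new Uri("https://idp.example.com/saml2/sso")));
        idp.SingleLogoutServices.Add(new ProtocolEndpoint(new Uri(HttpRedirect), new Uri("https://idp.example.com/saml2/slo")));

        // The entityID is the IdP's stable identifier; the SP matches it against the Issuer of each assertion.
        var entity = new EntityDescriptor(new EntityId("https://idp.example.com/saml2/metadata"));
        entity.RoleDescriptors.Add(idp);

        var settings = new XmlWriterSettings { Indent = true };
        using (var writer = XmlWriter.Create(outputPath, settings))
        {
            new MetadataSerializer().WriteMetadata(writer, entity);
        }
    }

    static void Main()
    {
        // Hypothetical file containing the public half of the token-signing certificate.
        var cert = new X509Certificate2("idp-signing.cer");
        WriteIdpMetadata(cert, "idp-metadata.xml");
        Console.WriteLine("Wrote idp-metadata.xml with signing cert " + cert.Thumbprint);
    }
}
```

The output is unsigned metadata, so hand it to the SP over an authenticated channel (or sign it with MetadataSerializer's signing support) and have the SP pin the certificate thumbprint rather than trusting whatever appears in the file.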
