Login/Register
How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0
Asked Answered
Solved metadataadfs2.0federation
C

4

28

One of our web app would like to connect with ADFS 2.0 server to get credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file to let them create Relying Party Trusts. I googled and only find how to download the ADFS server's federation metadata XML using URL - https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml But could didn't find any guide to create a federation metadata XML for creating "Relying Party Trust" and "Claims Provider Trusts". Is there a tools for creating those metadata files? Please share some idea for how to create.

Thanks

Lu

Answer my own question:

I found the Federation Utility tools in WindowsIdentityFoundation-SDK-4.0 at http://www.microsoft.com/en-ca/download/details.aspx?id=4451 will do it.

Concessive answered 21/11, 2014 at 15:31 Comment(4)
Can you please help. How did you created federation metadata using this tool. I have also tried this tool. It asked for web.config path & URI. After that 3 option is there 1.No STS 2. Create New STS (Diasbled) 3.Use an existing STS. But why second option is disabled.Rogue
Use 3rd option. Enter your application web.config file path as web.config path And use ADFS Server's metadata urlGussie
Just to note that it's easy to add RP to ADFS manually - no metadata required.Crazed
The link provided is broken.Lib
C
35

Actually the URL is 

https://server/federationmetadata/2007-06/federationmetadata.xml

There are no tools that I an aware of.

You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class or refer Generating Federation Metadata Dynamically.

Have a look at "Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2.

Or if your application uses WIF it's in the metadata directory.

Update:

In WIF, unless you want to the token to be encrypted, you don't need the certificate. That's more for the ADFS side as it has to sign the token and the app. needs the public key to verify.

Example:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:ClaimTypesRequested>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>

where localhost\app\ needs to be your app's URL. Note end slash!

Crazed answered 23/11, 2014 at 18:30 Comment(1)
How can I get "ResourceUrl" for ADFS 3.0 openId connection?Expertise
D
16

I had to do this recently, having never used .Net or ADFS before, and having only the server (STS) metadata URL that I was trying to integrate with. I had a basic Windows 10 PC and was trying to set up a Node.js webapp as an RP. This is what I did:

  1. On the Win 10 PC, went to Control Panel -> Programs and Features -> Turn Windows features on or off -> Enable Windows Identity Foundation 3.5

  2. Installed Windows Identity Foundation SDK 4.0 (as referred to by the original author).

  3. Created a basic Web.config file which contained:

    <?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>

  </system.web>
</configuration>

  4. In the SDK installation directory, I found FedUtil.exe and FedUtilSampleUserInput.xml. The sample file explained all the parameters that FedUtil.exe was going to ask for, which was very helpful.

  5. Launched FedUtil.exe as Administrator (right-click in File Explorer), providing the Web.config file I just created, the webapp URL, the server (STS) metadata URL as the "existing STS", and selecting to create a new default certificate.

  6. Lo and behold, a FederationMetadata.xml file was generated and my Web.config file was updated automatically.

  7. I then un-commented some of the claim types in the updated Web.config file and re-ran FedUtil.exe, which then updated my FederationMetadata.xml with the additional claim types that I needed from the STS (e.g., email, given name, surname)

  8. Provided the FederationMetadata.xml to the STS admin, which worked!

Only downside is that this all required a Windows machine ... I'm not sure what I would have done on Mac or Linux!

Disputable answered 17/5, 2017 at 6:55 Comment(1)
Hi Richard, can you help me further? I wanted to integrate my website with one of the client's adfs server. I googled lot. I am very new to ADFSGussie
H
4

For creating SAML RP Metadata there is a web based tool available at samltool.com which can help out. I haven't found one for WS-Federation other than the Federation Utility...

I also recently discovered the site rcFederation which supports AD FS / WS-Federation

Harkey answered 20/2, 2017 at 17:58 Comment(0)
M
0

Metadata xml for creating "Replaying party trust" is not ADFS federation metadta, but SP (Saml issuer)'s metadata xml.

Malleus answered 11/3, 2016 at 16:45 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.