Hi all,

Currently the WSO2 Identity Server does not allow users to import or
export SAML service provider and identity provider configuration details in
SAML metadata format. Some work has already been done on this feature,
but it does not save all the configuration details to a metadata file and
it is not yet integrated with the Identity Server.

I am currently working on adding this functionality. I have divided the
development of this feature into 3 stages.

   1. Save the configurations made through the management console user
   interface in SAML metadata format.
   2. Add the export functionality.
   3. Add the import functionality.

We have planned to keep 2 copies of the metadata file: the initial file and
an editable file. This is because the initial file may contain digital
signatures, and if we change the same file and save it, the signature values
may no longer be valid.

I have faced some problems while working on this feature:

   1. The SAML metadata specification supports multiple assertion consumer
   services, single logout services, and attribute consuming services.
   Currently the Identity Server supports one of each. While saving
   metadata configured through the user interface this will be fine, but if a
   user uploads a metadata file with multiple of these, which should be selected?
   2. Currently the user interface can't specify the binding of an assertion
   consumer service or single logout service, which is a required attribute in
   each of these.
   3. In the Identity Server, users can enable single logout, but adding a
   single logout URL is not essential. In SAML metadata, however, the binding
   and location are essential for a single logout service. When the URL is not
   specified, the logout request is sent to the assertion consumer URL, so I
   guess it is okay to save the assertion consumer service URL as the single
   logout service URL.

Below is a sample metadata file for a SAML service provider configuration.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="test19">
  <md:Extensions>
    <wso2:UseFullyQualifiedUsername xmlns:wso2="org.wso2">true</wso2:UseFullyQualifiedUsername>
    <wso2:DoSignResponse xmlns:wso2="org.wso2">true</wso2:DoSignResponse>
    <wso2:IdPInitSSOEnabled xmlns:wso2="org.wso2">true</wso2:IdPInitSSOEnabled>
    <wso2:RequestedAudiences xmlns:wso2="org.wso2">
      <wso2:Audience>Audience1</wso2:Audience>
    </wso2:RequestedAudiences>
    <wso2:RequestedRecipients xmlns:wso2="org.wso2">
      <wso2:Recipient>Recipient1</wso2:Recipient>
    </wso2:RequestedRecipients>
    <wso2:DoEnableEncryptedAssertion xmlns:wso2="org.wso2">true</wso2:DoEnableEncryptedAssertion>
  </md:Extensions>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>verisignclass3g2ca</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://logout.com"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://test19.com" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>


Please give any suggestions for the problems I have faced and for improving
the current plan.

Thank you.
-- 
Maduranga Siriwardena
Software Engineer
WSO2 Inc.

email: madura...@wso2.com,   mobile: +94718990591
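The three import problems raised above (several endpoints of one kind, the required Binding/Location attributes, and a missing single logout URL) can be handled in one place when the uploaded metadata is parsed. The following Python is an added example, not code from this mail or from WSO2: it reads a constructed SP metadata document with two AssertionConsumerService entries, picks the one marked isDefault="true" (or, as an assumed tie-break, the lowest index), rejects endpoints that lack Binding or Location, and falls back to the assertion consumer endpoint when no SingleLogoutService is present.

```python
"""Added example (not part of the original mail or of WSO2's code)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: two ACS endpoints (one marked isDefault) plus one SLO endpoint.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test19">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://logout.com"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://test19.com/artifact" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test19.com" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoint(el):
    """Binding and Location are required on every endpoint element; reject metadata without them."""
    binding = el.get("Binding")
    location = el.get("Location")
    if not binding or not location:
        raise ValueError(f"{el.tag} is missing the required Binding or Location attribute")
    return {"binding": binding, "location": location}


def select_acs(root):
    """Choose one AssertionConsumerService: isDefault="true" wins, otherwise the lowest index
    (the lowest-index tie-break is an assumption made for this example)."""
    services = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if not services:
        raise ValueError("SP metadata has no AssertionConsumerService")
    defaults = [s for s in services if s.get("isDefault", "false").lower() == "true"]
    chosen = defaults[0] if defaults else min(services, key=lambda s: int(s.get("index", "0")))
    return _endpoint(chosen)


def select_slo(root, acs):
    """Choose one SingleLogoutService; when none is listed, reuse the ACS endpoint,
    mirroring the fallback described in the mail (problem 3)."""
    services = root.findall("md:SPSSODescriptor/md:SingleLogoutService", NS)
    if not services:
        return dict(acs)
    return _endpoint(services[0])


def import_sp(metadata_xml):
    """Reduce uploaded SP metadata to the single-endpoint shape the Identity Server stores."""
    root = ET.fromstring(metadata_xml)
    acs = select_acs(root)
    return {"entity_id": root.get("entityID"), "acs": acs, "slo": select_slo(root, acs)}
```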
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture