Hi all,

Currently the WSO2 Identity Server does not allow users to import or export SAML service provider and identity provider configuration details in SAML metadata format. There has been some work done for this feature already, but it does not save all the configuration details as a metadata file and it is not integrated with the Identity Server yet.

I am currently working on adding this functionality. I have divided the development of this feature into 3 stages.

1. Save the configurations done using the management console user interface in SAML metadata format.
2. Add the export functionality.
3. Add the import functionality.

We have planned to keep 2 copies of the metadata file, the initial file and an editable file. This is done because the initial file may contain digital signatures, and if we change the same file and save it, the signature values may not be valid thereafter.

I have faced some problems while working on this feature:

1. The SAML metadata specification supports multiple assertion consumer services, single logout services, and attribute consuming services. Currently the Identity Server supports one of each of these. While saving the metadata configured through the user interface this will be fine. But if a user uploads a metadata file with multiple of these, what should be selected?
2. Currently the user interface can't specify the binding of an assertion consumer service and single logout service, which is a required attribute in each of these.
3. In the Identity Server, users can enable single logout but adding a single logout URL is not essential. But in SAML metadata the binding and location are essential for a single logout service. When the URL is not specified, the logout request is sent to the assertion consumer URL. So I guess it is okay to save the assertion consumer service URL as the single logout service URL.

Below is a sample metadata file for a SAML service provider configuration.
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test19">
  <md:Extensions>
    <wso2:UseFullyQualifiedUsername xmlns:wso2="org.wso2">true</wso2:UseFullyQualifiedUsername>
    <wso2:DoSignResponse xmlns:wso2="org.wso2">true</wso2:DoSignResponse>
    <wso2:IdPInitSSOEnabled xmlns:wso2="org.wso2">true</wso2:IdPInitSSOEnabled>
    <wso2:RequestedAudiences xmlns:wso2="org.wso2">
      <wso2:Audience>Audience1</wso2:Audience>
    </wso2:RequestedAudiences>
    <wso2:RequestedRecipients xmlns:wso2="org.wso2">
      <wso2:Recipient>Recipient1</wso2:Recipient>
    </wso2:RequestedRecipients>
    <wso2:DoEnableEncryptedAssertion xmlns:wso2="org.wso2">true</wso2:DoEnableEncryptedAssertion>
  </md:Extensions>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>verisignclass3g2ca</ds:KeyName>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://logout.com"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test19.com" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Please give any suggestions for the problems I have faced and to improve the current plan.

Thank you.

--
Maduranga Siriwardena
Software Engineer
WSO2 Inc.
email: madura...@wso2.com, mobile: +94718990591
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
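The three import questions raised above (which of several endpoints to select, the required Binding attribute, and the missing single logout URL) as an added example, not code from the mail or from the Identity Server: a small Python importer that reduces an uploaded SP EntityDescriptor to the one-ACS/one-SLO model, preferring an endpoint marked isDefault="true" and otherwise the lowest index, falling back to the ACS endpoint for SLO while recording that it did so, and flagging a signed document so the original copy is stored unmodified. The sample metadata, host names and the selection policy are constructed assumptions, not the project's rules.

```python
import xml.etree.ElementTree as ET  # for untrusted uploads, defusedxml's ElementTree is the safer drop-in

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample (not from the mail): two ACS endpoints, one marked default, and no SLO service.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="test19">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://test19.example/artifact" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location=" https://test19.example/acs" index="2" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def select_endpoint(sp, tag):
    """Reduce a list of endpoints to one: isDefault="true" wins, else the lowest index, else the first."""
    endpoints = sp.findall(f"md:{tag}", NS)
    if not endpoints:
        return None
    defaults = [e for e in endpoints if e.get("isDefault", "false").lower() == "true"]
    chosen = defaults[0] if defaults else min(endpoints, key=lambda e: int(e.get("index", "0")))
    # Binding is required by the schema; strip() guards against stray whitespace around the Location
    return {"binding": chosen.get("Binding"), "location": (chosen.get("Location") or "").strip()}


def extract_sp_config(xml_text):
    """Map an SP EntityDescriptor onto the single-ACS/single-SLO model the mail describes."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = select_endpoint(sp, "AssertionConsumerService")
    if acs is None or not acs["binding"]:
        raise ValueError("SP metadata must carry at least one AssertionConsumerService with a Binding")
    slo = select_endpoint(sp, "SingleLogoutService")
    # Problem 3 in the mail: no SLO endpoint, so reuse the ACS location and binding, but record that
    slo = {**slo, "fallback": False} if slo else {**acs, "fallback": True}
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "slo": slo,
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        # A signed document must be kept byte-for-byte; edits belong in the second, editable copy
        "keep_original_unmodified": root.find("ds:Signature", NS) is not None,
    }
```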