Introduction
Both the Relying Party (RP) and IDP/STS (Security Token Service) support publishing metadata information in a standardized metadata document, for both the WS-Federation and SAML SSO protocols. The metadata document provides an easier way to configure the RP in the IDP/STS or to configure the IDP/STS in the RP.
If WS-Federation is configured then the Federation Metadata document is created as defined here. If SAML-SSO is configured, then the document that is published is defined in the following spec.
IDP/STS
The metadata document of the IDP/STS can be used to resolve IDP/STS configuration information at runtime or during deployment time.
Example: The Microsoft tool FedUtil allows to establish the trust in the RP application to an already existing IDP/STS. You configure the URL of the published metadata document and it generates the federation related configuration in the application configuration file web.config
thus you don't have to configure it manually.
Fediz doesn't provide such kind of tool to generate the IDP/STS related configuration in the Fediz configuration file right now.
WS-Federation
The metadata for the IdP/STS for WS-Federation is published automatically in both of the following URLs
https://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml
https://<host>:<port>/<context>/metadata
For example:
https://localhost:9443/fediz-idp/FederationMetadata/2007-06/FederationMetadata.xml
The WS-Federation metadata document defines the SecurityTokenServiceType describes the capabilities of the IDP/STS:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="..."> <ds:Signature>...</ds:Signature> <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" "http://docs.oasis-open.org/ws-sx/ws-trust/200512"> ... </RoleDescriptor> ... </EntityDescriptor>
SAML SSO
The metadata for the IdP/STS for SAML-SSO is published automatically at the URL:
https://<host>:<port>/<context>/metadata
?protocol=saml
For example:
https://localhost:9443/fediz-idp/metadata?protocol=saml
The SAML SSO metadata document defines the IDPSSODescriptor describes the capabilities of the IDP/STS:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="..."> <ds:Signature>...</ds:Signature> <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... </IDPSSODescriptor> ... </EntityDescriptor>
RP
The metadata document of the RP can be used within the IDP/STS to resolve configuration information at runtime. This is pretty useful as it allows to tell the IDP/STS what claims are required by the application. If the application requires additional claims it can be configured on the application side.
Fediz supports publishing the Metadata document on the RP side. This document is built at runtime based on the Fediz configuration.
WS-Federation
It is possible to configure the metadata URL for a WS-Federation relying part application by specifying the 'metadataURI' configuration option. By default, the metadata for the Relying Party for WS-Federation is published at the following URL
https://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml
For example:
https://localhost:9443/fedizhelloworld/FederationMetadata/2007-06/FederationMetadata.xml
The WS-Federation metadata document defines the ApplicationServiceType describes the capabilities of the Relying Party:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="..."> <ds:Signature>...</ds:Signature> <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" "http://docs.oasis-open.org/ws-sx/ws-trust/200512"> ... </RoleDescriptor> ... </EntityDescriptor>
SAML SSO
It is possible to configure the metadata URL for a SAML SSO relying party application by specifying the 'metadataURI' configuration option. By default, the metadata for the Relying Party for SAML SSO is published at the following URL
https://<host>:<port>/<context>/SAML/Metadata.xml
For example:
https://localhost:9443/fedizhelloworld/SAML/Metadata.xml
The SAML SSO metadata document defines the SPSSODescriptor describes the capabilities of the Relying Party:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="..."> <ds:Signature>...</ds:Signature> <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> ... </SPSSODescriptor> ... </EntityDescriptor>
Example RP Metadata Document
<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <Reference URI="#_36BF9BFBF49BA48A2D13395075556522"> <Transforms> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> </Transforms> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue> </Reference> </SignedInfo> <SignatureValue>REMOVED</SignatureValue> <KeyInfo> <X509Data> <X509SubjectName>CN=localhost</X509SubjectName> <X509Certificate>REMOVED</X509Certificate> </X509Data> </KeyInfo> </Signature> <fed:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType"> <fed:ApplicationServiceEndpoint> <wsa:EndpointReference> <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address> </wsa:EndpointReference> </fed:ApplicationServiceEndpoint> <fed:TargetScope> <wsa:EndpointReference> <wsa:Address/> </wsa:EndpointReference> </fed:TargetScope> <fed:ClaimTypesRequested> <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/> </fed:ClaimTypesRequested> <fed:PassiveRequestorEndpoint> <wsa:EndpointReference> <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address> </wsa:EndpointReference> </fed:PassiveRequestorEndpoint> </fed:RoleDescriptor> </EntityDescriptor>