Fediz Metadata

Both the Relying Party (RP) and the IDP/STS (Security Token Service) can publish their federation information in the standardized federation metadata document defined by the WS-Federation specification.

Introduction

The specification defines concrete service roles: the ApplicationServiceType describes the capabilities of the Relying Party, whereas the SecurityTokenServiceType describes the capabilities of the IDP/STS.

The following XML snippets, adapted from the spec, illustrate the structure. The namespace declarations for the fed and xsi prefixes are included so that the snippets are well-formed, and protocolSupportEnumeration is written as what it is, a single attribute holding a space-separated list of URIs:

  • Relying Party
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <!-- the RP role: what the application expects from the federation -->
   <RoleDescriptor xsi:type="fed:ApplicationServiceType"
          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706
                                      http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          ...
   </RoleDescriptor>
   ...
</EntityDescriptor>
  • IDP / STS
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <!-- the IDP/STS role: what the token service offers -->
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706
                                      http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          ...
   </RoleDescriptor>
   ...
</EntityDescriptor>

Usage

The federation metadata document is an easier way to configure the RP in the IDP/STS, or the IDP/STS in the RP, than entering the settings by hand. The following two sections describe each case.

Metadata document of IDP/STS

The federation metadata document of the IDP/STS can be used to resolve IDP/STS configuration information at runtime or during deployment time.

Example: Microsoft's FedUtil tool establishes trust from an RP application to an existing IDP/STS. You give it the URL of the published metadata document and it generates the federation-related configuration in the application's web.config, so you do not have to write that configuration manually.

Fediz does not currently provide a comparable tool that generates the IDP/STS-related settings in the Fediz configuration file.

Metadata document of RP

The federation metadata document of the RP can be used within the IDP/STS to resolve configuration information at runtime. This is useful because it lets the application tell the IDP/STS which claims it requires; if the application needs additional claims, they are configured on the application side and show up in the published metadata.

Fediz supports publishing the Metadata document on the RP side. This document is built at runtime based on the Fediz configuration.

The syntax of the url is:

https://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml

The Fediz example applications use the context fedizhelloworld, so with the default ports their metadata is published at https://localhost:8443/fedizhelloworld/FederationMetadata/2007-06/FederationMetadata.xml.

This is an example metadata document (the signature value and certificate have been removed). Note that the whole EntityDescriptor is covered by an enveloped XML signature; a consumer must verify that signature against a certificate it already trusts before acting on the endpoints and claims in the document, since otherwise anyone who can serve a document at that URL can point the RP at a different IDP. Note also that this example still uses SHA-1 (rsa-sha1 for the signature and sha1 for the digest), which is no longer considered collision resistant and should not be relied on in a production deployment:

<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" 
   xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" 
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 
   xmlns:wsa="http://www.w3.org/2005/08/addressing" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <Reference URI="#_36BF9BFBF49BA48A2D13395075556522">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>REMOVED</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509SubjectName>CN=localhost</X509SubjectName>
            <X509Certificate>REMOVED</X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
   <fed:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" 
      xsi:type="fed:ApplicationServiceType">
      <fed:ApplicationServiceEndpoint>
         <wsa:EndpointReference>
            <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address>
         </wsa:EndpointReference>
      </fed:ApplicationServiceEndpoint>
      <fed:TargetScope>
         <wsa:EndpointReference>
            <wsa:Address/>
         </wsa:EndpointReference>
      </fed:TargetScope>
      <fed:ClaimTypesRequested>
         <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
      </fed:ClaimTypesRequested>
      <fed:PassiveRequestorEndpoint>
         <wsa:EndpointReference>
            <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address>
         </wsa:EndpointReference>
      </fed:PassiveRequestorEndpoint>
   </fed:RoleDescriptor>
</EntityDescriptor>
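As an added example (not code from the Fediz or CXF projects), the following Python script consumes an RP metadata document like the one above the way an IDP/STS would when resolving RP configuration at runtime: it extracts the entityID, the supported protocols, the endpoints and the requested claims, and runs the structural checks that belong before any cryptographic verification. The sample document is constructed from the example above with the signature value and certificate left as placeholders; all function names are the example's own. It also builds the metadata URL from the syntax given earlier on this page.

```python
"""Added example (not Fediz project code): parse the WS-Federation metadata an
RP publishes and run the structural checks an IDP/STS should do before trusting
the endpoints and claims the document advertises."""
import xml.etree.ElementTree as ET

FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"  # bound to both fed: and auth:
WSA_NS = "http://www.w3.org/2005/08/addressing"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ENVELOPED = DS_NS + "enveloped-signature"
# SHA-1 based algorithms: still emitted by the example above, no longer acceptable.
WEAK_ALGORITHMS = {DS_NS + "rsa-sha1", DS_NS + "sha1"}

# Constructed sample modelled on the fedizhelloworld document above; signature
# value and certificate are placeholders, so it parses but could never verify.
SAMPLE_METADATA = """<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522"
  entityID="https://localhost:8443/fedizhelloworld/"
  xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_36BF9BFBF49BA48A2D13395075556522">
        <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>REMOVED</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>REMOVED</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <fed:RoleDescriptor xsi:type="fed:ApplicationServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ApplicationServiceEndpoint><wsa:EndpointReference>
      <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address>
    </wsa:EndpointReference></fed:ApplicationServiceEndpoint>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
    </fed:ClaimTypesRequested>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </fed:RoleDescriptor>
</EntityDescriptor>"""


def metadata_url(host, port, context):
    """Where a Fediz RP publishes its metadata, per the URL syntax on this page."""
    return f"https://{host}:{port}/{context.strip('/')}/FederationMetadata/2007-06/FederationMetadata.xml"


def _local(tag):
    """'{namespace}name' -> 'name'; the root may or may not carry a default namespace."""
    return tag.rsplit("}", 1)[-1]


def _address(parent):
    """Text of the first wsa:Address below parent, or '' when absent."""
    node = parent.find(f".//{{{WSA_NS}}}Address") if parent is not None else None
    return (node.text or "").strip() if node is not None else ""


def parse_rp_metadata(xml_text):
    """What an IDP/STS needs from an ApplicationServiceType role: the RP's
    entityID, protocols, endpoints and the claims it requests."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("not a federation metadata document")
    role = root.find(f"{{{FED_NS}}}RoleDescriptor")
    if role is None:
        raise ValueError("no fed:RoleDescriptor in document")
    # xsi:type is a QName; compare the local part so the prefix choice does not matter.
    role_type = role.get(f"{{{XSI_NS}}}type", "").split(":")[-1]
    if role_type != "ApplicationServiceType":
        raise ValueError(f"expected an RP role, got {role_type!r}")
    claims = [(c.get("Uri"), c.get("Optional", "false").lower() == "true")
              for c in role.iterfind(f"{{{FED_NS}}}ClaimTypesRequested/{{{FED_NS}}}ClaimType")]
    return {
        "entity_id": root.get("entityID"),
        "protocols": role.get("protocolSupportEnumeration", "").split(),
        "application_endpoint": _address(role.find(f"{{{FED_NS}}}ApplicationServiceEndpoint")),
        "passive_requestor_endpoint": _address(role.find(f"{{{FED_NS}}}PassiveRequestorEndpoint")),
        "claims_requested": claims,
    }


def check_signature(xml_text):
    """Structural pre-checks on the enveloped signature. They do not replace
    cryptographic verification against a trusted certificate; they catch the
    cases in which a verifying signature would still prove nothing."""
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS_NS}}}Signature")
    if sig is None:
        return ["metadata is unsigned: endpoints and claims are unauthenticated"]
    findings = []
    ref = sig.find(f"{{{DS_NS}}}SignedInfo/{{{DS_NS}}}Reference")
    # The signature must cover this EntityDescriptor, not some other element.
    if ref is None or ref.get("URI") != f"#{root.get('ID')}":
        findings.append("Reference URI does not point at the EntityDescriptor ID")
    transforms = [] if ref is None else [
        t.get("Algorithm") for t in ref.iterfind(f"{{{DS_NS}}}Transforms/{{{DS_NS}}}Transform")]
    if ENVELOPED not in transforms:
        findings.append("enveloped-signature transform missing")
    for path in ("SignedInfo/SignatureMethod", "SignedInfo/Reference/DigestMethod"):
        node = sig.find("/".join(f"{{{DS_NS}}}{step}" for step in path.split("/")))
        alg = node.get("Algorithm") if node is not None else None
        if alg in WEAK_ALGORITHMS:
            findings.append(f"weak algorithm {alg.rsplit('#', 1)[-1]} in {path.split('/')[-1]}")
    return findings


if __name__ == "__main__":
    print(metadata_url("localhost", 8443, "fedizhelloworld"))
    for key, value in parse_rp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
    for finding in check_signature(SAMPLE_METADATA):
        print("WARN:", finding)
```

Cryptographic verification of the enveloped signature (canonicalising SignedInfo, recomputing the digest over the EntityDescriptor with the Signature element removed, and checking the RSA signature against a certificate pinned in the IDP/STS trust store) is deliberately left to an XML signature library. The pre-checks exist because a signature that verifies is still worthless if its Reference does not cover the EntityDescriptor you are about to trust, and because SHA-1 based algorithms should be rejected before the verification result is even consulted.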