stackoom
  简体   繁体   中英

How to generate saml 2.0 sso service metadata

 原文  2015-06-11 13:54:59       c#/ asp.net/ saml/ saml-2.0

Question

We have created many SAML implementations in the past. Normally, the client would send us SAML XML data containing key info, user info, certificate , etc and we would parse the info, match key and certificates. And get user's unique identifier from the xml and then Authenticate the user based on whether he is present in our database or not and send logged in user to some page of our domain. (I have a secondary question to ask here: Does that make us Saml IdentityProvider or ServiceProvider).

Anyway, Now this one particular client is asking us to send them the SAML SSO Metadata files. They say that In order for them to deploy a federation from their environment into our environment they need a copy of our SAML SSO Service Metadata as specified here http://en.wikipedia.org/wiki/SAML_2.0#SSO_Service_Metadata

So what do i do? We have never has such a request before. We dont use any third party tools but have built a custom implementation of SAML using c# and Visual Studio. Please help.

3 answers

solution1
 1  2015-06-11 19:17:39

If you handle the authentication, you are the IDP.

The customer is correct - that's the way SAML normally works - both sides swap metadata. The metadata describes what profile, what binding, the certificate, the format of the NameID etc. etc.

Having done a lot of these, I'm somewhat bemused. I've never dealt with an IDP who couldn't provide metadata!

There are .NET 4.5 classes - System.IdentityModel.Metadata to do this.

Have a look at the open source code to generate metadata in IdentityServer .

(Note: this is WS-Fed only but the principle is the same).

solution2
 1  2015-11-04 19:33:23

如果您不想手工制作,也可以使用SimpleSAML工具为Idp和SP生成它。

solution3
 1  2018-06-25 13:15:41

You can generate SAML IdP metadata from here: https://www.samltool.com/idp_metadata.php

You can generate SAML SP metadata form here: https://www.samltool.com/sp_metadata.php

Metadata is an simple xml file which describe your organization details such name, display name, technical contact details, public key for sigining, public key for encryption etc.

Here is the sample data from OneLogin SSO provider: 

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/703037">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIELDCCAxSgAwIBAgIUa0r3l1uIkdnRLn5tmlWFHhQ9b5IwDQYJKoZIhvcNAQEF
BQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoMDlRlc3QgT25lIExvZ2luMRUwEwYD
VQQLDAxPbmVMb2dpbiBJZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTE0
MTM0MB4XDTE3MDkxMzA3MjgzNVoXDTIyMDkxNDA3MjgzNVowXzELMAkGA1UEBhMC
VVMxFzAVBgNVBAoMDlRlc3QgT25lIExvZ2luMRUwEwYDVQQLDAxPbmVMb2dpbiBJ
ZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTE0MTM0MIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAybMji6l2E/j02P9alspmrKZATV5xQeJ//qp2
Zm+9q52PQ7htY6ijyKjugFZX9AXsi80eZ59RxGenZSig5qTLIl890KTyyv/iPwBN
Nv3K22A8LXtX2R+Jf96brBCDsskbmWmfZrvW6spDwVN8bXfMiP9qDRed6KzgDiSZ
YKkKH7ylMMNLx6Csgj9kbuvr5E9kDs+xoBdqGoeEFbqVsjKupm4MDrQp5S47b8lQ
TwMcVI2LbZhHVhcFlGDLaZ2p1EFwHhyT8KLPI+aiyA6lRbZjtdgZT1IxzN1DcF+f
JLrr5MqwNbdVpNg5C4cBokrr4FLieKjAz5A5Wp37q7pNgE4J2wIDAQABo4HfMIHc
MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFO3qhBXpJjAq4QE5MTOQM9Qdg+UNMIGc
BgNVHSMEgZQwgZGAFO3qhBXpJjAq4QE5MTOQM9Qdg+UNoWOkYTBfMQswCQYDVQQG
EwJVUzEXMBUGA1UECgwOVGVzdCBPbmUgTG9naW4xFTATBgNVBAsMDE9uZUxvZ2lu
IElkUDEgMB4GA1UEAwwXT25lTG9naW4gQWNjb3VudCAxMTQxMzSCFGtK95dbiJHZ
0S5+bZpVhR4UPW+SMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEA
vXydLuW8t22GaDkLDD1CgVDdVkzwUg1UxlnS0bYaENQZIzxzIPk5DW/D8CFLqt3v
kW99KrZBrfCdkcWxvpTQb+Rd9l/eYY4CQazkC8xDrR/alJoHwFX6ROB9QcNUDgu2
ACZ2Mvsy6tRHt2a4JYdy2WImLptVeoO+NaNgKJzohbuBzvaqwqLWmn421g6v5iuy
SyNPBGio5SoZPus3ULFeTeqgFrnbbOpRbDpViCdsI2BbjW9xKQu2KEhX2J5aMYTr
qRdV0lH8BS57/sG0ewcAThg8CdCzi7tCOZtnihdhDT+EVKiiXpZueYJNWTpDDe7I
96e8+UD2AxCcW1YLw7vXMA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dnb-dev.onelogin.com/trust/saml2/http-redirect/slo/703037"/>

      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://dnb-dev.onelogin.com/trust/saml2/http-redirect/sso/703037"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://dnb-dev.onelogin.com/trust/saml2/http-post/sso/703037"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://dnb-dev.onelogin.com/trust/saml2/soap/sso/703037"/>
  </IDPSSODescriptor>
</EntityDescriptor>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to enable saml 2.0 sso in asp.net website How to implement SSO using SAML 2.0 without using WIF? SAML SSO - how does it work with multiple service providers How to use saml sso with webforms How do you implement SAML for SSO with Influitive? How to form SAML request for SSO to another domain? How do I configure my SAML Service Provider to send metadata to the Identity Provider? How can I generate Service Model Metadata without rebooting How can I generate the metadata for my OData service .NET Desktop (Non-web) application using SAML 2.0 SSO with a Kerberos Token
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM