Tuesday, September 30, 2014

Creating a metadata file for WSO2 IS as SP in a federation scenario

In today's post I would like to share some tips that you will need when creating a SAML metadata file for WSO2 IS.

Use Case :-

WSO2 IS can federate with multiple external IdPs. Some of those IdPs require a SAML metadata file in order to register IS as a trusted SP, so we need to produce a metadata file describing IS. Automatic metadata generation is not available in IS 5.0.0 as yet, hence the file has to be written by hand.

Following is a general metadata file for IS as SP. Note that the metadata schema fixes the order of the children of SPSSODescriptor: KeyDescriptor comes first, then NameIDFormat, then AssertionConsumerService. An IdP that schema-validates metadata will reject a file with these elements in any other order, so keep the order shown here.

<EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://localhost:9443/commonauth"/>
    </SPSSODescriptor>
</EntityDescriptor>




However, certain IdPs might ask for more details to be included in the metadata file (an Organization or ContactPerson element, for instance). You can refer to the metadata specification at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf . The X509 data in the above example is the self-signed certificate that ships with WSO2 Identity Server, and the AssertionConsumerService Location points at localhost. In a production deployment you will want your own certificate signed by a CA, and the Location must be the https URL of the /commonauth endpoint on the host name the IdP will actually POST the response to.

Therefore, if you want to extract the X509 certificate from your keystore, you can use the following command with the Java keytool (for the default IS keystore that is repository/resources/security/wso2carbon.jks with alias wso2carbon):

keytool -export -rfc -keystore pathToKeystore -alias aliasNameForCertificate

The -rfc option prints the certificate in PEM form. Only the base64 lines go inside the ds:X509Certificate element; leave out the BEGIN CERTIFICATE and END CERTIFICATE marker lines.

You might also want to sign the metadata file, using whichever signature and digest algorithms the IdP requires. A very handy tool for this is XmlSecTool from the Shibboleth project, which has a lot of options.

The tool is documented at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool#XmlSecToolSigningSAMLMetadata


Once the tool is installed, use the following command to sign the metadata file with a SHA256 digest (or another algorithm, according to the requirement). The --referenceIdAttributeName option names the attribute on the root element that the signature Reference points at, so give the EntityDescriptor an ID attribute before signing. The key in the keystore is the private key you sign with; the IdP has to be given the matching certificate out of band to verify the signature.

--sign --digest SHA256 --inFile metadata.xml --outFile signedmetadata.xml --referenceIdAttributeName ID --keystore keystore.jks --keystorePassword password --key keyname --keyPassword password
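The steps above (build the EntityDescriptor, drop the keytool output into ds:X509Certificate, make sure the file is signable) are easy to get subtly wrong by hand, so here is an added example, not code from the original post or from WSO2, that builds the SP metadata with the standard library and runs the preflight checks an IdP administrator would otherwise bounce the file for: schema order of the SPSSODescriptor children, an ID attribute for the signature Reference, an https and non-localhost ACS Location, and a certificate body that is really base64 DER with no PEM marker lines. It assumes the caller supplies the entityID and ACS URL and the certificate as PEM text (the output of keytool -export -rfc); the host name is.example.org, the document ID _wso2is_sp and the embedded sample certificate (the IS self-signed certificate, wrapped in PEM markers) are constructed inputs for the demonstration.

```python
"""Build and preflight SAML 2.0 SP metadata for WSO2 IS (added example, not WSO2 code).
Assumes the caller supplies entityID and ACS URL, and the certificate as PEM text
(the output of `keytool -export -rfc`)."""
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("", MD_NS)    # md:* elements are written in the default namespace
ET.register_namespace("ds", DS_NS)  # ds:* elements keep the ds prefix

# Order the metadata schema imposes on the SPSSODescriptor children used here.
SCHEMA_RANK = {"KeyDescriptor": 0, "NameIDFormat": 1, "AssertionConsumerService": 2}

# Constructed sample input: the self-signed certificate WSO2 IS ships with,
# wrapped in the PEM marker lines that `keytool -export -rfc` prints.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJV
UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoM
BFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAy
MTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzO
M4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe
0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXn
RS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcN
AQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTm
xbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogR
Kv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=
-----END CERTIFICATE-----"""


def pem_to_base64_body(pem):
    """Base64 body of a PEM certificate: exactly what ds:X509Certificate must contain."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(b64, validate=True)  # raises ValueError on stray characters
    if not der or der[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
        raise ValueError("decoded data is not a DER certificate")
    return b64


def build_sp_metadata(entity_id, acs_url, cert_pem, doc_id=None):
    """EntityDescriptor for IS as SP. doc_id becomes the ID attribute that a
    signature Reference (XmlSecTool --referenceIdAttributeName ID) points at."""
    ed = ET.Element("{%s}EntityDescriptor" % MD_NS, {"entityID": entity_id})
    if doc_id:
        ed.set("ID", doc_id)
    sp = ET.SubElement(ed, "{%s}SPSSODescriptor" % MD_NS,
                       {"protocolSupportEnumeration": SAMLP_NS})
    kd = ET.SubElement(sp, "{%s}KeyDescriptor" % MD_NS)  # schema: before NameIDFormat/ACS
    xd = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % DS_NS), "{%s}X509Data" % DS_NS)
    ET.SubElement(xd, "{%s}X509Certificate" % DS_NS).text = pem_to_base64_body(cert_pem)
    ET.SubElement(sp, "{%s}NameIDFormat" % MD_NS).text = NAMEID_UNSPECIFIED
    ET.SubElement(sp, "{%s}AssertionConsumerService" % MD_NS,
                  {"index": "1", "isDefault": "true", "Binding": HTTP_POST, "Location": acs_url})
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)


def check_sp_metadata(xml_bytes):
    """Preflight checks before handing the file to an IdP; returns a list of problems."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    if not root.get("ID"):
        problems.append("EntityDescriptor has no ID attribute for a signature Reference to point at")
    sp = root.find("{%s}SPSSODescriptor" % MD_NS)
    if sp is None:
        return problems + ["no SPSSODescriptor"]
    ranks = [SCHEMA_RANK[n] for n in (c.tag.rsplit("}", 1)[-1] for c in sp) if n in SCHEMA_RANK]
    if ranks != sorted(ranks):
        problems.append("SPSSODescriptor children out of schema order: KeyDescriptor must precede "
                        "NameIDFormat and AssertionConsumerService")
    acs = sp.findall("{%s}AssertionConsumerService" % MD_NS)
    if not acs:
        problems.append("no AssertionConsumerService")
    for a in acs:
        loc = a.get("Location", "")
        if not loc.startswith("https://"):
            problems.append("AssertionConsumerService Location is not https: %r" % loc)
        elif loc.startswith("https://localhost"):
            problems.append("AssertionConsumerService Location is localhost, not the host the IdP will POST to")
    certs = sp.findall(".//{%s}X509Certificate" % DS_NS)
    if not certs:
        problems.append("no ds:X509Certificate")
    for c in certs:
        if "-----BEGIN" in (c.text or ""):
            problems.append("X509Certificate contains PEM marker lines; only the base64 body belongs there")
        try:
            pem_to_base64_body(c.text or "")
        except ValueError as exc:
            problems.append("X509Certificate is not a base64 DER certificate: %s" % exc)
    return problems


if __name__ == "__main__":
    xml = build_sp_metadata("carbonServer", "https://is.example.org:9443/commonauth",
                            SAMPLE_PEM, doc_id="_wso2is_sp")  # hypothetical host and ID
    print(xml.decode())
    print("problems:", check_sp_metadata(xml))
```

Run it as-is to print a signable metadata file and an empty problem list; feed check_sp_metadata a file that uses https://localhost:9443/commonauth and has no ID attribute and it reports both, and a file whose KeyDescriptor sits after AssertionConsumerService is flagged for schema order. The base64 body is decoded with validate=True on purpose: a single stray character pasted from a terminal is otherwise only discovered when the IdP fails to parse the certificate.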