Tuesday, September 30, 2014

Creating a metadata file for WSO2 IS as SP in a federation scenario

In today's' post I would like to share some tips that you will need while creating a metadata file to be used with WSO2 IS.

Use Case :-

With WSO2 IS you have the capability of multiple federation. Some of the IDPs requesting a metadata file in order to register IS as a trusted SP. For this we need to generate a metadata file for IS , but auto generation of metadata file is not available as yet with IS 5.0.0 hence we will have to create this manually.

Following is a general metadata details for IS as SP.

 <EntityDescriptor entityID="carbonServer" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">


        <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"



    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">





















However, certain IdPs might request for more details to be included in a metadata file. You can refer the metadata standard specification at http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf . The X509 data in the above example metadata are of the self signed certificate of WSO2 Identity Server. In a production deployment , you might wanna use your own certificate signed by a CA.

Therefore if you want to extract out the X509 information of your certificate , you can use the following command using java keytool :-

keytool export keystore pathToKeystore rfc alias aliasNameForCertificate

And also you might want to sign the metadata file using different algorithms. A very cool tool that you can use for this is the XmlSecTool which has lot of options.

You can check for the tool at https://wiki.shibboleth.net/confluence/display/SHIB2/XmlSecTool#XmlSecToolSigningSAMLMetadata

Use the following command to sign the metadata file using SHA256 algorithem (or you can use another algorithm according to the requirement ) after running the tool :-

--sign --digest SHA256 --inFile metadata.xml --outFile signedmetadata.xml --referenceIdAttributeName ID --keystore keystore.jks --keystorePassword password --key keyname --keyPassword password

No comments:

Post a Comment