Introduction

Both the Relying Party (RP) and the IDP/STS (Security Token Service) support publishing their configuration in a standardized metadata document, for both the WS-Federation and the SAML SSO protocols. The metadata document makes it easier to configure the RP in the IDP/STS, or the IDP/STS in the RP, because the endpoints, signing certificate and requested claims are read from the document instead of being entered by hand.

If WS-Federation is configured, the published document is a Federation Metadata document as defined in the WS-Federation specification. If SAML SSO is configured, the published document follows the SAML 2.0 Metadata specification.

IDP/STS

The metadata document of the IDP/STS can be used to resolve IDP/STS configuration information at runtime or during deployment time.

Example: The Microsoft tool FedUtil lets you establish trust between an RP application and an existing IDP/STS. You provide the URL of the published metadata document and FedUtil generates the federation-related configuration in the application configuration file (web.config), so you don't have to configure it manually.

Fediz doesn't currently provide such a tool to generate the IDP/STS-related settings in the Fediz configuration file.

WS-Federation

The metadata for the IdP/STS for WS-Federation is published automatically at both of the following URLs:

https://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml

https://<host>:<port>/<context>/metadata

For example:


https://localhost:9443/fediz-idp/FederationMetadata/2007-06/FederationMetadata.xml


The WS-Federation metadata document contains a RoleDescriptor of type SecurityTokenServiceType, which describes the capabilities of the IDP/STS:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706 http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          ...
   </RoleDescriptor>
   ...
</EntityDescriptor>

SAML SSO

The metadata for the IdP/STS for SAML-SSO is published automatically at the URL:

https://<host>:<port>/<context>/metadata?protocol=saml

For example:


https://localhost:9443/fediz-idp/metadata?protocol=saml


The SAML SSO metadata document contains an IDPSSODescriptor, which describes the capabilities of the IDP/STS:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
       ... 
   </IDPSSODescriptor>
   ...
</EntityDescriptor>

RP

The metadata document of the RP can be used by the IDP/STS to resolve configuration information at runtime. This is useful because it lets the application tell the IDP/STS which claims it requires; if the application needs additional claims, they are configured on the application side and show up in its metadata. The document is signed (see the ds:Signature element in the examples below), so the IDP/STS can check its integrity against a certificate it already trusts before acting on its contents.

Fediz supports publishing the metadata document on the RP side. The document is built at runtime from the Fediz configuration.

WS-Federation

It is possible to configure the metadata URL for a WS-Federation relying party application by specifying the 'metadataURI' configuration option. By default, the metadata for the Relying Party for WS-Federation is published at the following URL:

https://<host>:<port>/<context>/FederationMetadata/2007-06/FederationMetadata.xml

For example:


https://localhost:9443/fedizhelloworld/FederationMetadata/2007-06/FederationMetadata.xml


The WS-Federation metadata document contains a RoleDescriptor of type ApplicationServiceType, which describes the capabilities of the Relying Party:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <RoleDescriptor xsi:type="fed:ApplicationServiceType"
          protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706 http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          ...
   </RoleDescriptor>
   ...
</EntityDescriptor>

SAML SSO

It is possible to configure the metadata URL for a SAML SSO relying party application by specifying the 'metadataURI' configuration option. By default, the metadata for the Relying Party for SAML SSO is published at the following URL:

https://<host>:<port>/<context>/SAML/Metadata.xml

For example:


https://localhost:9443/fedizhelloworld/SAML/Metadata.xml


The SAML SSO metadata document contains an SPSSODescriptor, which describes the capabilities of the Relying Party:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   entityID="...">
   <ds:Signature>...</ds:Signature>
   <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          ...
   </SPSSODescriptor>
   ...
</EntityDescriptor>

Example RP Metadata Document

<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522" entityID="https://localhost:8443/fedizhelloworld/" 
   xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
   xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706" 
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 
   xmlns:wsa="http://www.w3.org/2005/08/addressing" 
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <Reference URI="#_36BF9BFBF49BA48A2D13395075556522">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>REMOVED</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509SubjectName>CN=localhost</X509SubjectName>
            <X509Certificate>REMOVED</X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
   <fed:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" 
      xsi:type="fed:ApplicationServiceType">
      <fed:ApplicationServiceEndpoint>
         <wsa:EndpointReference>
            <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address>
         </wsa:EndpointReference>
      </fed:ApplicationServiceEndpoint>
      <fed:TargetScope>
         <wsa:EndpointReference>
            <wsa:Address/>
         </wsa:EndpointReference>
      </fed:TargetScope>
      <fed:ClaimTypesRequested>
         <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
      </fed:ClaimTypesRequested>
      <fed:PassiveRequestorEndpoint>
         <wsa:EndpointReference>
            <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address>
         </wsa:EndpointReference>
      </fed:PassiveRequestorEndpoint>
   </fed:RoleDescriptor>
</EntityDescriptor>
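As an added example (not part of the Fediz project or of this page), the following Python script parses a metadata document of the shape shown in the IDP/STS and RP sections above, reports which role it describes (SecurityTokenServiceType, ApplicationServiceType, IDPSSODescriptor or SPSSODescriptor) together with its endpoints and requested claims, and performs structural checks on the enveloped signature: that the Reference actually covers the EntityDescriptor ID, and whether SHA-1 based algorithms are in use. It does not perform cryptographic verification. The sample document is the RP example above with the signature value and certificate left as placeholders; the weak-algorithm list and the warning wording are this example's own policy, not Fediz behaviour.

```python
# Added example (not Fediz code): inspect a WS-Federation / SAML 2.0 metadata
# document published by an IDP/STS or RP and pull out the security-relevant facts.
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
ROLE_TAGS = ("RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor")
# SHA-1 based XML-DSig algorithms; treating them as weak is this example's policy.
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def _local(tag):
    """Local name of an ElementTree tag: '{ns}Address' -> 'Address'."""
    return tag.rsplit("}", 1)[-1]


def _find(elem, name):
    """First proper descendant with the given local name, in any namespace."""
    for child in elem.iter():
        if child is not elem and _local(child.tag) == name:
            return child
    return None


def describe_role(role):
    """Kind, protocols, endpoints and requested claims of one role descriptor."""
    kind = _local(role.tag)
    if kind == "RoleDescriptor":            # WS-Federation: the real kind is in xsi:type
        kind = role.get("{%s}type" % XSI, kind)
    endpoints = {}
    for child in role:
        addr = _find(child, "Address")      # WS-Federation endpoint references
        if addr is not None:
            endpoints[_local(child.tag)] = (addr.text or "").strip()
        elif child.get("Location"):         # SAML endpoints carry a Location attribute
            endpoints[_local(child.tag)] = child.get("Location")
    claims = [(c.get("Uri"), c.get("Optional", "false") == "true")
              for c in role.iter() if _local(c.tag) == "ClaimType"]
    return {"kind": kind,
            "protocols": (role.get("protocolSupportEnumeration") or "").split(),
            "endpoints": endpoints, "claims": claims}


def check_signature(root):
    """Structural checks on the enveloped signature; no cryptographic verification."""
    sig = _find(root, "Signature")
    if sig is None:
        return ["metadata document is unsigned"]
    warnings = []
    ref = _find(sig, "Reference")
    ref_uri = ref.get("URI", "") if ref is not None else ""
    if ref_uri != "#" + (root.get("ID") or ""):
        warnings.append("signature Reference %r does not cover EntityDescriptor ID %r"
                        % (ref_uri, root.get("ID")))
    for name in ("SignatureMethod", "DigestMethod"):
        el = _find(sig, name)
        alg = el.get("Algorithm") if el is not None else None
        if alg in WEAK_ALGORITHMS:
            warnings.append("%s uses SHA-1 based algorithm %s" % (name, alg))
    if _find(sig, "X509Certificate") is not None:
        warnings.append("KeyInfo carries an X509Certificate: validate the signature "
                        "against a certificate you already trust, not the embedded one")
    return warnings


def inspect_metadata(xml_text):
    """Parse an EntityDescriptor and summarise roles, endpoints, claims and warnings."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("expected EntityDescriptor, got %s" % root.tag)
    roles = [describe_role(r) for r in root if _local(r.tag) in ROLE_TAGS]
    return {"entityID": root.get("entityID"), "roles": roles,
            "warnings": check_signature(root)}


# Constructed sample: the RP example above, with signature value and certificate as placeholders.
SAMPLE_RP_METADATA = """<EntityDescriptor ID="_36BF9BFBF49BA48A2D13395075556522"
  entityID="https://localhost:8443/fedizhelloworld/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:auth="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
  xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#_36BF9BFBF49BA48A2D13395075556522">
      <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>GP0clMqrkm58j17R/IlG+ksITDQ=</DigestValue></Reference></SignedInfo>
    <SignatureValue>REMOVED</SignatureValue>
    <KeyInfo><X509Data><X509SubjectName>CN=localhost</X509SubjectName>
      <X509Certificate>REMOVED</X509Certificate></X509Data></KeyInfo></Signature>
  <fed:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:ApplicationServiceType">
    <fed:ApplicationServiceEndpoint><wsa:EndpointReference>
      <wsa:Address>https://localhost:8443/fedizhelloworld/</wsa:Address></wsa:EndpointReference></fed:ApplicationServiceEndpoint>
    <fed:TargetScope><wsa:EndpointReference><wsa:Address/></wsa:EndpointReference></fed:TargetScope>
    <fed:ClaimTypesRequested>
      <auth:ClaimType Optional="true" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"/>
    </fed:ClaimTypesRequested>
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://localhost:9443/fediz-idp/</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </fed:RoleDescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_metadata(SAMPLE_RP_METADATA), indent=2))
```

Run against a document fetched from one of the metadata URLs above, the script reports the role kind, the ApplicationServiceEndpoint and PassiveRequestorEndpoint addresses, the requested claims with their Optional flag, and warnings for the SHA-1 signature and digest algorithms in the sample. Matching on local names rather than namespaces is deliberate: the same code handles both the md-namespaced templates and the fed-prefixed RoleDescriptor in the RP example, and the SAML descriptors whose endpoints carry a Location attribute instead of a wsa:Address.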