Configuring SAMLConfiguration.LocalServiceProvider from metadata

We are a service provider only and have our local information defined in a metadata file that we have posted to a couple of federations, as well as given out to customers.

For the federations' external IdP configurations, we have loaded the metadata directly into our database (specifically for the federations, but we allow custom IdPs as well) and are programmatically loading it from there.

Now, as I am trying to set up our local service provider, I can’t find a way to use a metadata file to configure it. I would rather use the same metadata file that we hand out to both the IdPs and the federations.


The SAML metadata is a mechanism for exchanging SAML configuration. It is too limiting and a little cumbersome for the actual SAML configuration required to drive the SAML API. You can certainly read the SAML metadata and then use this to construct the SAML configuration programmatically.
The high-level API ExampleServiceProvider includes a SAML/ImportMetadata.aspx page which demonstrates taking SAML metadata and generating SAML configuration from it. There's also a SAML/ExportMetadata.aspx page which generates SAML metadata from SAML configuration.
I may not have fully understood your question so please feel free to post again if you have more questions.

Here is my example. I start by loading the configuration from the database

SAMLConfiguration configuration;
//SNIP code to populate from database

If I attempt to load the local service provider by passing in XML, it fails

XmlDocument xmlDocument = new XmlDocument();
xmlDocument.PreserveWhitespace = true;
xmlDocument.Load(metadataFilePath); // assumed variable: path to the SP metadata file we hand out
configuration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration(xmlDocument.DocumentElement);

My guess is that the constructor takes the top of xml that is in your saml.config format.

Then I attempted to do it manually

XmlDocument xmlDocument = new XmlDocument();
xmlDocument.PreserveWhitespace = true;
xmlDocument.Load(metadataFilePath); // assumed variable: path to the SP metadata file we hand out
// Parse the metadata root element into the descriptor passed to MetadataImporter.Import (assumed constructor)
EntitiesDescriptor entitiesDescriptor = new EntitiesDescriptor(xmlDocument.DocumentElement);
SAMLConfiguration serviceProvider = new SAMLConfiguration();
List<X509Certificate2> certificates = new List<X509Certificate2>();

MetadataImporter.Import(entitiesDescriptor, serviceProvider, certificates);
configuration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration();
// The indexer key (the partner name) is left as it appears in the original post
configuration.LocalServiceProviderConfiguration.AssertionConsumerServiceUrl = serviceProvider.PartnerServiceProviderConfigurations[""].AssertionConsumerServiceUrl;
configuration.LocalServiceProviderConfiguration.Description = serviceProvider.PartnerServiceProviderConfigurations[""].Description;

But I am not sure if that is how I should go about it. And I don’t see a way to specify the certificate.

Am I going down the correct path?
How do I specify the certificate?

Yes, you're correct. The LocalServiceProviderConfiguration constructor expects the SAML configuration format XML rather than SAML metadata.
The MetadataImporter.Import method updates the SAML configuration with information from the SAML metadata.
Some information will not be included in the SAML metadata and must be specified directly. This includes your assertion consumer service URL etc.
MetadataImporter.Import will set the PartnerCertificateFile property to a name derived from the certificate's serial number. You can always set this to a different value if required.
The MetadataImporter.SaveCertificate method saves certificates from the metadata onto the file system. The ExampleServiceProvider's SAML/ImportMetadata.aspx demonstrates calling this method.
You're on the correct path. You just need to save the certificates from the SAML metadata and also, I suggest, take a look at the generated SAML configuration XML so you can see what the MetadataImporter.Import method has generated.

I can’t use the saml.config file, because we are programmatically configuring it from a database for all the IdPs.
Just trying to find a way to set up my end of the connection programmatically as well (no saving the cert, or the saml.config file).

Sure, I understand that. I just meant that, as a debug aid, you could take a look at the generated SAML configuration by serializing it to XML. There is no requirement to use a saml.config file.

Sure, but that isn’t my question.
The question is HOW do I take a metadata XML file (with a certificate embedded) and use that certificate as the local service provider’s certificate programmatically. I can’t find any examples on your site, as they all use the saml.config file.

The certificate in your SAML metadata includes the public key only. The local service provider’s certificate must include the private key. You won’t be able to load the local service provider’s certificate from the SAML metadata.
Where will you be storing your certificate including its private key? The typical options are: on the file system as a PFX file; in the Windows certificate store; or in a database as a blob.
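As an added example (not from this thread or from ComponentSpace), the check below ties the two answers together: it pulls the public-key certificate out of the SP metadata, loads the PFX that holds the private key (from a file or a database blob, two of the options named above) and confirms both are the same certificate before it is used as the local service provider certificate. The class name, file names and password are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
// Added example (not ComponentSpace code). Checks that the certificate published in
// our SP metadata (public key only) and the PFX holding the private key are the same
// certificate, before the PFX is used as the local service provider certificate.
public static class LocalSpCertificateCheck
{
    private const string MetadataNs = "urn:oasis:names:tc:SAML:2.0:metadata";
    private const string DsigNs = "http://www.w3.org/2000/09/xmldsig#";
    // Returns the signing certificate from the SPSSODescriptor in the metadata.
    public static X509Certificate2 CertificateFromMetadata(XmlDocument metadata)
    {
        var ns = new XmlNamespaceManager(metadata.NameTable);
        ns.AddNamespace("md", MetadataNs);
        ns.AddNamespace("ds", DsigNs);
        // A KeyDescriptor without a use attribute covers both signing and encryption.
        XmlNode node = metadata.SelectSingleNode(
            "//md:SPSSODescriptor/md:KeyDescriptor[@use='signing' or not(@use)]" +
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns);
        if (node == null)
            throw new InvalidOperationException("No signing certificate found in SP metadata.");
        byte[] der = Convert.FromBase64String(node.InnerText.Trim());
        return new X509Certificate2(der); // HasPrivateKey is false, as the reply above explains
    }
    // pfxBytes may come from a file on disk or from a database blob.
    public static X509Certificate2 LoadMatchingLocalCertificate(
        XmlDocument metadata, byte[] pfxBytes, string pfxPassword)
    {
        X509Certificate2 published = CertificateFromMetadata(metadata);
        // MachineKeySet is the usual choice for a web application running under IIS.
        var local = new X509Certificate2(pfxBytes, pfxPassword, X509KeyStorageFlags.MachineKeySet);
        if (!local.HasPrivateKey)
            throw new InvalidOperationException("The PFX does not contain a private key.");
        if (!string.Equals(local.Thumbprint, published.Thumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Local certificate {local.Thumbprint} does not match the published {published.Thumbprint}.");
        return local;
    }
    // Usage with placeholder file names and password (assumed values).
    public static X509Certificate2 Example()
    {
        var metadata = new XmlDocument { PreserveWhitespace = true };
        metadata.Load("sp-metadata.xml");
        return LoadMatchingLocalCertificate(metadata, File.ReadAllBytes("sp.pfx"), "pfx-password");
    }
}
```

The returned certificate is the one to hand to whichever local certificate option you settle on; a thumbprint mismatch here means the IdPs would reject your signatures because the key you sign with is not the one you published.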