Creating metadata file using ExportMetatData.exe example

We are testing SSO in our environment and have a simple IdP and SP set up and working. We are now ready to test integration of this simple IdP with our SP. They have asked for a Metadata file and I’m trying to create one. I’m sure we could get by without the Metadata in a file, but it seems cleaner to be able to generate it.

I have built the ExportMetadata example code supplied with the trial version of SAML2.0. We like the software and are ready to purchase once this test is successful. I’m using the following command line to execute ExportMetadata:

ExportMetadata urn:GuideStar:SAML:2.0:IdentityProvider guidestar-idp.cer SAMLTestMetadata.xml

Here’s my saml.config:

<?xml version="1.0"?>

<ServiceProvider Name="urn:componentspace:ExampleServiceProvider"
AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
LocalCertificateFile="sp.pfx"
LocalCertificatePassword="password"/>

<PartnerIdentityProvider Name="urn:GuideStar:SAML:2.0:IdentityProvider"
SignAuthnRequest="false"
WantSAMLResponseSigned="true"
WantAssertionSigned="false"
WantAssertionEncrypted="false"
SingleSignOnServiceUrl="https://samltest.guidestar.org/IdentityProvider/SAML2/SSOService.aspx"
SingleLogoutServiceUrl="https://samltest.guidestar.org/IdentityProvider/SAML2/SLOService.aspx"
PartnerCertificateFile="guidestar-idp.cer"/>



Here’s the output from execution of ExportMetadata.exe:

D:\Inetpub\SAMLTest\IdentityProvider>ExportMetadata urn:GuideStar:SAML:2.0:IdentityProvider guidestar-idp.cer SAMLTestMetadata.xml
Loading SAML configuration file saml.config.
Loading X.509 certificate file guidestar-idp.cer.
ComponentSpace.SAML2.Exceptions.SAMLConfigurationException: The partner service provider urn:GuideStar:SAML:2.0:IdentityProvider is not configured.
at ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetPartnerServiceProvider(String name)
at ComponentSpace.SAML2.Configuration.MetadataExporter.Export(SAMLConfiguration samlConfiguration, X509Certificate2 x509Certificate, String partnerName)
at ExportMetadata.Program.Main(String[] args)

I’m uncertain as to what the error message means. What configuration is missing?
Appreciate any help.

Update - There is a file in the Identity Provider directory called "saml.config.samltest.guidestar.org".

This file contains:

<?xml version="1.0"?>

<IdentityProvider Name="urn:GuideStar:SAML:2.0:IdentityProvider"
LocalCertificateFile="guidestar-idp.pfx"
LocalCertificatePassword="password"/>

<PartnerServiceProvider Name="urn:componentspace:ExampleServiceProvider"
WantAuthnRequestSigned="false"
SignSAMLResponse="true"
SignAssertion="false"
EncryptAssertion="false"
AssertionConsumerServiceUrl="https://samltest.guidestar.org/ServiceProvider/SAML/AssertionConsumerService.aspx"
SingleLogoutServiceUrl="https://samltest.guidestar.org/ServiceProvider/SAML/SLOService.aspx"
PartnerCertificateFile="sp.cer"/>



The urn in this file is the one that ExportMetadata wants. So now my question is, what determines that this is the correct urn?

Thanks.


ExportMetadata expects the name of the partner provider in your saml.config.
The usage is as follows:
ExportMetadata []
The saml.config file is assumed to be in the current directory.
The should be the name of the partner identity provider, i.e. urn:GuideStar:SAML:2.0:IdentityProvider.
I created a saml.config using the configuration you included in this topic.
I then ran:
ExportMetadata.exe urn:GuideStar:SAML:2.0:IdentityProvider SAMLTestMetadata.xml
This correctly generated the SAML metadata.

<md:EntityDescriptor entityID="urn:componentspace:ExampleServiceProvider" ID="_af19d6a5-0f9a-4850-8f96-7d62122ed91d" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<md:SPSSODescriptor ID="_24e9876b-ebd5-46f2-a58a-cacbfbbd9205" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="false">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="TODO: URL of SLO service endpoint" />
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="TODO: URL of SLO service endpoint" />
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="TODO: URL of assertion consumer service endpoint" index="0" isDefault="true" />
</md:SPSSODescriptor>
</md:EntityDescriptor>

If there’s still an issue, please email support@componentspace.com mentioning this topic and including your saml.config as an email attachment.
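The two threads above come down to one thing: ExportMetadata loads whatever saml.config sits in the current directory, decides from it whether the local entity is an SP or an IdP, and then looks the command-line name up only among that entity's partners. Running it from the IdentityProvider directory, where the local entity is the IdP, makes it look for a partner service provider named urn:GuideStar:SAML:2.0:IdentityProvider, which is exactly the error shown. The following Python is an added example, not ComponentSpace code or the real exporter: it parses the two configuration fragments posted in this topic (constructed here as strings and wrapped in an assumed SAMLConfiguration root so they parse as whole XML documents), reproduces that lookup so the error can be checked before running the tool, and emits an SP EntityDescriptor shaped like the one in the reply, including the TODO placeholder the exporter leaves when the AssertionConsumerServiceUrl is a relative "~/" path. Attribute names are the ones visible in the posted files; the mapping of SignAuthnRequest to AuthnRequestsSigned and WantAssertionSigned to WantAssertionsSigned is an assumption that matches the posted output.

```python
"""Added example (not ComponentSpace code): parse a saml.config, resolve the
partner entry the way the error message implies, and emit SP metadata."""
import uuid
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

# Constructed sample: the SP side from the first post (note the relative ACS URL).
# The <SAMLConfiguration> root is an assumption so the fragment is a full document.
SP_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration>
  <ServiceProvider Name="urn:componentspace:ExampleServiceProvider"
    AssertionConsumerServiceUrl="~/SAML/AssertionConsumerService.aspx"
    LocalCertificateFile="sp.pfx" LocalCertificatePassword="password"/>
  <PartnerIdentityProvider Name="urn:GuideStar:SAML:2.0:IdentityProvider"
    SignAuthnRequest="false" WantSAMLResponseSigned="true"
    WantAssertionSigned="false" WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://samltest.guidestar.org/IdentityProvider/SAML2/SSOService.aspx"
    SingleLogoutServiceUrl="https://samltest.guidestar.org/IdentityProvider/SAML2/SLOService.aspx"
    PartnerCertificateFile="guidestar-idp.cer"/>
</SAMLConfiguration>"""

# Constructed sample: the IdP side, i.e. the file found in the IdentityProvider directory.
IDP_CONFIG = """<?xml version="1.0"?>
<SAMLConfiguration>
  <IdentityProvider Name="urn:GuideStar:SAML:2.0:IdentityProvider"
    LocalCertificateFile="guidestar-idp.pfx" LocalCertificatePassword="password"/>
  <PartnerServiceProvider Name="urn:componentspace:ExampleServiceProvider"
    WantAuthnRequestSigned="false" SignSAMLResponse="true"
    AssertionConsumerServiceUrl="https://samltest.guidestar.org/ServiceProvider/SAML/AssertionConsumerService.aspx"
    SingleLogoutServiceUrl="https://samltest.guidestar.org/ServiceProvider/SAML/SLOService.aspx"
    PartnerCertificateFile="sp.cer"/>
</SAMLConfiguration>"""


class SAMLConfigurationError(Exception):
    pass


def _children(root, local_name):
    # Match on local name so a default xmlns on the root, if present, does not matter.
    return [e for e in root if e.tag.rsplit("}", 1)[-1] == local_name]


def load_config(xml_text):
    """Return (local_role, local_element, {partner_tag: {Name: element}})."""
    root = ET.fromstring(xml_text)
    local, role = _children(root, "ServiceProvider"), "SP"
    if not local:
        local, role = _children(root, "IdentityProvider"), "IdP"
    if not local:
        raise SAMLConfigurationError("no local ServiceProvider or IdentityProvider element")
    partners = {tag: {e.get("Name"): e for e in _children(root, tag)}
                for tag in ("PartnerIdentityProvider", "PartnerServiceProvider")}
    return role, local[0], partners


def resolve_partner(config, partner_name):
    """An SP config only knows partner IdPs and an IdP config only partner SPs, so
    pointing the exporter at the wrong saml.config yields the error from the post."""
    role, _local, partners = config
    tag = "PartnerIdentityProvider" if role == "SP" else "PartnerServiceProvider"
    try:
        return partners[tag][partner_name]
    except KeyError:
        kind = "identity" if role == "SP" else "service"
        raise SAMLConfigurationError(
            f"The partner {kind} provider {partner_name} is not configured.") from None


def check_partner(xml_text, partner_name):
    """Pre-flight check: None if the lookup would succeed, else the error text."""
    try:
        resolve_partner(load_config(xml_text), partner_name)
        return None
    except SAMLConfigurationError as exc:
        return str(exc)


def export_sp_metadata(config, partner_name):
    """Build an <md:EntityDescriptor> for the local SP, shaped like the reply's output."""
    role, local, _partners = config
    if role != "SP":
        raise SAMLConfigurationError("local entity is not a service provider")
    partner = resolve_partner(config, partner_name)
    ed = ET.Element(f"{{{MD}}}EntityDescriptor",
                    {"entityID": local.get("Name"), "ID": "_" + str(uuid.uuid4())})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "ID": "_" + str(uuid.uuid4()),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        # Assumed mapping: what the SP does/expects with this partner becomes its advertised policy.
        "AuthnRequestsSigned": partner.get("SignAuthnRequest", "false"),
        "WantAssertionsSigned": partner.get("WantAssertionSigned", "false")})
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    acs = local.get("AssertionConsumerServiceUrl", "")
    if acs.startswith("~/"):  # a relative ASP.NET path cannot be published to a partner
        acs = "TODO: URL of assertion consumer service endpoint"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs, "index": "0", "isDefault": "true"})
    return ET.tostring(ed, encoding="unicode")


if __name__ == "__main__":
    print(check_partner(IDP_CONFIG, "urn:GuideStar:SAML:2.0:IdentityProvider"))
    print(export_sp_metadata(load_config(SP_CONFIG), "urn:GuideStar:SAML:2.0:IdentityProvider"))
```

Run as-is, the first line printed is the "partner service provider ... is not configured" message, because the IdP's configuration was loaded; the second is the SP metadata. Before handing metadata to a partner, replace the TODO placeholder with the absolute ACS URL (the exporter cannot resolve "~/" on its own) and have the exporter include the SP signing certificate, since this example emits no md:KeyDescriptor.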