Generating SAML metadata without Certificate

We've not used assertion encryption, and metadata wasn't required until one of our customers requested it.
They're using a custom IdP and they've told us that they need metadata to configure the integration with our app.
Is it possible to generate SAML metadata without a certificate?

Extra question:
Should we use assertion encryption? If not, is there a potential security risk?

Thanks.

You can use the console application ExportMetadata to generate SAML metadata.
You’ll find the project under the Examples\Metadata folder.
The following example generates service provider SAML metadata with no certificates.
No signature or encryption certificates were specified so no certificates were included in the generated metadata.


ExportMetadata.exe
SAML configuration file to export [saml.config]:
X.509 signature certificate file [None]:
X.509 encryption certificate file [None]:
Assertion Consumer Service URL [None]: http://localhost:51901/SAML/AssertionConsumerService.aspx
Single Logout Service URL [None]:
Partner Identity Provider Name [None]:
SAML metadata file [metadata.xml]:


Regarding encrypting the SAML assertion, HTTPS should always be used, which means that you have security at the transport level.
In most circumstances this is sufficient for privacy and encrypting the SAML assertion isn’t necessary.
However, if the SAML assertion includes sensitive user information or SAML SSO is being performed in a sensitive environment, you might consider also encrypting the SAML assertion.
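An added example, not from the original post or from ComponentSpace, that shows what transport security does and does not cover. With the HTTP-POST binding the IdP hands the SAMLResponse to the user's browser as a base64-encoded form field, and the browser submits it to the SP's Assertion Consumer Service. HTTPS protects both hops on the wire, but the user, a browser extension, or anything else with access to the page can decode the field, so an unencrypted assertion's attributes are readable by them. Both sample responses below are constructed for this example (signatures omitted, placeholder ciphertext); the issuer and endpoint URLs are assumptions.

```python
"""Decode a SAMLResponse form field the way a browser-side observer could,
and report whether the assertion is plaintext or an EncryptedAssertion."""
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: plaintext assertion, as sent when the SP has no encryption certificate.
PLAINTEXT_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-06-07T00:00:00Z"
    Destination="https://sp.example.com/SAML/AssertionConsumerService.aspx">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-07T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="employeeId"><saml:AttributeValue>E-1042</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the same response with the assertion encrypted to the SP's certificate.
# The CipherValue is a placeholder, not real ciphertext.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0"
    IssueInstant="2018-06-07T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


def encode_form_field(xml_text):
    """Encode response XML the way the IdP places it in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def inspect_saml_response(saml_response_field):
    """Decode a SAMLResponse form value and list what is readable without any key."""
    root = ET.fromstring(base64.b64decode(saml_response_field))
    report = {
        "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": None,
        "attributes": {},
    }
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None:
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        report["name_id"] = name_id.text if name_id is not None else None
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            report["attributes"][attr.get("Name")] = [
                v.text for v in attr.findall("saml:AttributeValue", NS)]
    return report


if __name__ == "__main__":
    for label, xml_text in (("plaintext", PLAINTEXT_RESPONSE), ("encrypted", ENCRYPTED_RESPONSE)):
        print(label, inspect_saml_response(encode_form_field(xml_text)))
```

The practical rule this illustrates: if the assertion carries attributes the subject should not see (internal identifiers, entitlements, data from other systems), or the deployment is otherwise sensitive, have the IdP encrypt the assertion. That requires the SP to own an encryption certificate and to publish it in its metadata as a KeyDescriptor with use="encryption", which is exactly what metadata generated with no certificates does not contain.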

[quote]
ComponentSpace - 6/7/2018
[/quote]

Thanks for the quick reply. How can I do this programmatically without a certificate? Can you provide a basic code snippet please?

I suggest taking a look at the source code to the ExportMetadata project.
It includes:


using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Metadata;   // EntityDescriptor

// Both certificate parameters may be null; no KeyDescriptor is then emitted.
EntityDescriptor entityDescriptor = MetadataExporter.Export(
    samlConfiguration,
    signatureCertificate,
    encryptionCertificate,
    assertionConsumerServiceURL,
    singleLogoutServiceURL,
    partnerName);



The signatureCertificate and encryptionCertificate parameters may be null.
The ExportMetadata project also shows how to save the EntityDescriptor to XML.

[quote]
ComponentSpace - 6/8/2018
[/quote]

I've tried this as

using ComponentSpace.SAML2.Configuration;
using ComponentSpace.SAML2.Metadata;   // EntityDescriptor

// Local SP configuration built in code instead of being loaded from saml.config.
var samlConfiguration = new SAMLConfiguration
{
    LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration
    {
        Name = ServerUrl,
        AssertionConsumerServiceUrl = "~/account/assertionconsumerservice"
    }
};

// No signature or encryption certificate, so the metadata carries no KeyDescriptor.
EntityDescriptor entityDescriptor = MetadataExporter.Export(
    samlConfiguration,
    null,   // signature certificate
    null,   // encryption certificate
    $"{ServerUrl}/account/assertionconsumerservice",
    null,   // single logout service URL
    null);  // partner identity provider name

and the output was like

Is this okay? I've checked a few SP metadata examples and it seems to me there are a couple of things missing, e.g. md:AttributeConsumingService. Am I missing something here? Thanks.

Yes, that’s valid metadata.
It contains the bare minimum information required in a service provider’s metadata.
AttributeConsumingService is not commonly used and is not supported through the MetadataExporter.Export API.
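An added example, not the original poster's code and not ComponentSpace's MetadataExporter, that writes service provider metadata of the minimal shape this thread describes (an entityID and one AssertionConsumerService, with a KeyDescriptor only when a certificate is supplied) and then reads it back the way a partner IdP would, to spell out what the absence of certificates means for the integration. It goes slightly beyond the thread by also emitting the AuthnRequestsSigned and WantAssertionsSigned flags and flagging an inconsistent combination. The entity ID, URLs and the certificate placeholder are assumptions made for this example.

```python
"""Build minimal SP metadata and report what an IdP can and cannot do with it."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def _add_key_descriptor(parent, use, cert_b64):
    """Append <md:KeyDescriptor use="..."> carrying a base64 DER certificate."""
    kd = ET.SubElement(parent, f"{{{MD_NS}}}KeyDescriptor", use=use)
    x509_data = ET.SubElement(ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo"), f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = cert_b64


def build_sp_metadata(entity_id, acs_url, signing_cert_b64=None, encryption_cert_b64=None,
                      authn_requests_signed=False, want_assertions_signed=True):
    """Return SP metadata XML; with both certificates None it has no KeyDescriptor at all."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=entity_id)
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                          protocolSupportEnumeration=SAML2_PROTOCOL,
                          AuthnRequestsSigned=str(authn_requests_signed).lower(),
                          WantAssertionsSigned=str(want_assertions_signed).lower())
    if signing_cert_b64:
        _add_key_descriptor(spsso, "signing", signing_cert_b64)
    if encryption_cert_b64:
        _add_key_descriptor(spsso, "encryption", encryption_cert_b64)
    ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Read SP metadata as an IdP would and list the consequences of what it declares."""
    ns = {"md": MD_NS}
    root = ET.fromstring(xml_text)
    spsso = root.find("md:SPSSODescriptor", ns)
    if spsso is None:
        raise ValueError("not service provider metadata: no SPSSODescriptor")
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    uses = set()
    for kd in spsso.findall("md:KeyDescriptor", ns):
        uses.update({kd.get("use")} if kd.get("use") else {"signing", "encryption"})
    report = {
        "entity_id": root.get("entityID"),
        "acs_urls": [acs.get("Location") for acs in spsso.findall("md:AssertionConsumerService", ns)],
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "idp_can_verify_authn_request_signatures": "signing" in uses,
        "idp_can_encrypt_assertions": "encryption" in uses,
        "warnings": [],
    }
    if report["authn_requests_signed"] and not report["idp_can_verify_authn_request_signatures"]:
        report["warnings"].append(
            "AuthnRequestsSigned=true but no signing KeyDescriptor: IdP cannot verify requests")
    if not report["idp_can_encrypt_assertions"]:
        report["warnings"].append(
            "no encryption KeyDescriptor: IdP can only send plaintext assertions")
    if any(not url.startswith("https://") for url in report["acs_urls"]):
        report["warnings"].append(
            "AssertionConsumerService is not HTTPS: responses would be posted in the clear")
    return report


if __name__ == "__main__":
    minimal = build_sp_metadata("https://sp.example.com",
                                "https://sp.example.com/account/assertionconsumerservice")
    print(minimal)
    print(inspect_sp_metadata(minimal))
```

Reading the report for the certificate-free case makes the trade-off explicit: the IdP can still deliver signed assertions to the listed ACS URL (the SP validates them with the IdP's certificate, which lives in the IdP's metadata, not the SP's), but it has nothing to encrypt to and nothing to verify the SP's own signatures with. Adding either capability later means regenerating and redistributing the SP metadata with the corresponding KeyDescriptor.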

[quote]
ComponentSpace - 6/8/2018
[/quote]

Thanks.

You’re welcome.