multi relying party trusts between Service Provider and ADFS

Hi,
I am trying to implement 3 relying party trusts between our Id Provider and our ADFS, depending on whether the website users are in our LDAP1 and/or our LDAP2 (see figure below).

Following the post https://www.componentspace.com/Forums/Topic51.aspx, in Global.asax we set up the SAMLConfiguration as follows:

using System.Collections.Generic;
using System.Web.Configuration;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Configuration;

// One SAML configuration per connector; each one becomes a separate relying party trust in ADFS.
List<string> connectors = new List<string>() { "LDAP1", "LDAP2", "LDAP12" };
#region Manage SAML configuration
SAMLConfiguration samlConfiguration;

foreach (var connector in connectors)
{
    samlConfiguration = new SAMLConfiguration();
    // Local service provider: entity name, ACS URL and signing/decryption certificate per connector.
    samlConfiguration.LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
    {
        Name = $"{WebConfigurationManager.AppSettings["URL"]}{connector}",
        Description = $"ID Provider for {connector}",
        AssertionConsumerServiceUrl = $"~/{connector}/AssertionConsumerService",
        LocalCertificateFile = @"\sp.pfx",
        LocalCertificatePassword = "**" // redacted in the original post
    };

    // Partner identity provider (ADFS): sign what we send, require signed and encrypted assertions.
    samlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration()
    {
        Name = WebConfigurationManager.AppSettings["PartnerIdP"],
        Description = $"ADFS - {connector}",
        SignAuthnRequest = true,
        SignLogoutRequest = true,
        WantSAMLResponseSigned = false,
        WantAssertionSigned = true,
        WantAssertionEncrypted = true,
        WantLogoutRequestSigned = true,
        DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256",
        SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        SingleSignOnServiceBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        SingleSignOnServiceUrl = WebConfigurationManager.AppSettings["PartnerIdPUrl"].ToLower(),
        SingleLogoutServiceUrl = WebConfigurationManager.AppSettings["PartnerIdPUrl"].ToLower(),
        PartnerCertificateFile = "BA5EC074B3F54.cer"
    });
    // Register the configuration under the connector name so it can be selected by ID at runtime.
    SAMLController.Configurations[connector] = samlConfiguration;
}
#endregion


But I have an issue when I try to generate the federationmetadata.xml to exchange with ADFS.
To export the federationmetadata.xml, I used the following code based on your sample:

using System.Linq;
using System.Text;
using System.Xml;
using ComponentSpace.SAML2.Metadata;
using C = ComponentSpace.SAML2; // namespace alias used below

foreach (var configKey in C.SAMLController.Configurations.Keys)
{
    string partnerName = C.SAMLController.Configurations[configKey].PartnerIdentityProviderConfigurations.Keys.First();
    EntityDescriptor entityDescriptor = MetadataExporter.Export(C.SAMLController.Configurations[configKey], partnerName);
    string assertionConsumerServiceUrl = createAbsoluteURL($"~/{configKey}/AssertionConsumerService");
    string singleLogoutServiceUrl = createAbsoluteURL($"~/{configKey}/SLOService");

    // Replace the exported endpoints with the per-connector ACS and SLO URLs.
    entityDescriptor.SPSSODescriptors[0].AssertionConsumerServices.Clear();
    entityDescriptor.SPSSODescriptors[0].AssertionConsumerServices.Add(new IndexedEndpointType(C.SAMLIdentifiers.BindingURIs.HTTPPost, assertionConsumerServiceUrl, null, 0, true));

    entityDescriptor.SPSSODescriptors[0].SingleLogoutServices.Clear();
    entityDescriptor.SPSSODescriptors[0].SingleLogoutServices.Add(new EndpointType(C.SAMLIdentifiers.BindingURIs.HTTPRedirect, singleLogoutServiceUrl, null));
    entityDescriptor.SPSSODescriptors[0].SingleLogoutServices.Add(new EndpointType(C.SAMLIdentifiers.BindingURIs.HTTPPost, singleLogoutServiceUrl, null));

    // Convert the SAML metadata to XML ready for downloading.
    XmlElement metadataElement = entityDescriptor.ToXml();

    // Write the SAML metadata to App_Data, one file per configuration.
    string filePath = Server.MapPath($@"~\App_Data\Integration\Metadata\federationmetadata{configKey}.xml");
    using (XmlTextWriter xmlTextWriter = new XmlTextWriter(filePath, Encoding.UTF8))
    {
        xmlTextWriter.Formatting = Formatting.Indented;
        metadataElement.OwnerDocument.Save(xmlTextWriter);
    }
}

The issue is: if SAMLController.Configurations has 1 configuration, the federationmetadata.xml contains the X509 certificate, but if SAMLController.Configurations contains more than 1 configuration (3 in my case), the federationmetadata.xml has no X509 data.
First question: is it possible to implement more than 1 relying party trust between the Provider and ADFS?
Second question: is this the right method to export federationmetadata.xml?

Regards,
Olivier
(Sorry for my English, but I'm French)


Hi Olivier,
This may be a bug in the metadata export API.
Please enable SAML trace and send the generated log file to support@componentspace.com mentioning this forum post.
https://www.componentspace.com/Forums/17/Enabing-SAML-Trace
There is no reason why you can’t implement multiple relying party trusts with ADFS.
Your English is perfectly fine!

Thanks for your answer. I sent you the log file as requested by mail.
Regards,

Thank you for the log.
Immediately prior to calling MetadataExporter.Export, please set the SAMLController.ConfigurationID property to the ID of the SAML configuration.


C.SAMLController.ConfigurationID = configKey;

EntityDescriptor entityDescriptor =
MetadataExporter.Export(C.SAMLController.Configurations[configKey], partnerName);
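The export loop with the ConfigurationID fix from the answer above, followed by a check on each generated file, as an added example that is neither code from this thread nor ComponentSpace's own code. It assumes the ComponentSpace.SAML2 namespaces used on this page (Configuration via the SAMLController, Metadata for EntityDescriptor and MetadataExporter), takes the poster's createAbsoluteURL helper as a delegate, and the HasCertificates check is a hypothetical helper added here. The check matters because the missing X509 data is exactly what ADFS needs from SP metadata: the encryption KeyDescriptor becomes the relying party's encryption certificate (without it ADFS issues plain assertions, which an SP configured with WantAssertionEncrypted = true then rejects), and the signing KeyDescriptor is what ADFS uses to verify signed AuthnRequests when SignedSamlRequestsRequired is enabled on the trust.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Xml;
using ComponentSpace.SAML2.Metadata;
using C = ComponentSpace.SAML2;

public static class SpMetadataExport
{
    // Writes one SP metadata file per SAML configuration and refuses to hand out a file
    // that carries no certificate. Example code added to the thread, not ComponentSpace's.
    public static void ExportAll(string outputDir, Func<string, string> createAbsoluteUrl)
    {
        foreach (var configKey in C.SAMLController.Configurations.Keys)
        {
            var configuration = C.SAMLController.Configurations[configKey];
            string partnerName = configuration.PartnerIdentityProviderConfigurations.Keys.First();

            // The fix from the thread: select the configuration before exporting, so the
            // exporter picks up this configuration's local certificate rather than none.
            C.SAMLController.ConfigurationID = configKey;
            EntityDescriptor entityDescriptor = MetadataExporter.Export(configuration, partnerName);

            var sp = entityDescriptor.SPSSODescriptors[0];
            string acsUrl = createAbsoluteUrl($"~/{configKey}/AssertionConsumerService");
            string sloUrl = createAbsoluteUrl($"~/{configKey}/SLOService");

            sp.AssertionConsumerServices.Clear();
            sp.AssertionConsumerServices.Add(new IndexedEndpointType(C.SAMLIdentifiers.BindingURIs.HTTPPost, acsUrl, null, 0, true));
            sp.SingleLogoutServices.Clear();
            sp.SingleLogoutServices.Add(new EndpointType(C.SAMLIdentifiers.BindingURIs.HTTPRedirect, sloUrl, null));
            sp.SingleLogoutServices.Add(new EndpointType(C.SAMLIdentifiers.BindingURIs.HTTPPost, sloUrl, null));

            string filePath = Path.Combine(outputDir, $"federationmetadata{configKey}.xml");
            using (var writer = new XmlTextWriter(filePath, Encoding.UTF8))
            {
                writer.Formatting = Formatting.Indented;
                entityDescriptor.ToXml().OwnerDocument.Save(writer);
            }

            // Fail loudly instead of shipping metadata that ADFS would import without a certificate.
            if (!HasCertificates(File.ReadAllText(filePath), needEncryption: true))
            {
                throw new InvalidOperationException(
                    $"{filePath}: SP metadata has no X509Certificate; ADFS could neither verify signed requests nor encrypt assertions for this trust.");
            }
        }
    }

    // True when the SPSSODescriptor carries a non-empty X509Certificate usable for signing and,
    // if needEncryption, one usable for encryption. A KeyDescriptor without a 'use' attribute
    // is valid for both purposes per the SAML metadata specification.
    public static bool HasCertificates(string metadataXml, bool needEncryption)
    {
        var doc = new XmlDocument();
        doc.LoadXml(metadataXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata");
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");

        return HasCertificateForUse(doc, ns, "signing")
            && (!needEncryption || HasCertificateForUse(doc, ns, "encryption"));
    }

    private static bool HasCertificateForUse(XmlDocument doc, XmlNamespaceManager ns, string use)
    {
        string xpath = "//md:SPSSODescriptor/md:KeyDescriptor[@use='" + use + "' or not(@use)]"
                     + "/ds:KeyInfo/ds:X509Data/ds:X509Certificate";
        return doc.SelectNodes(xpath, ns)
                  .Cast<XmlNode>()
                  .Any(node => !string.IsNullOrWhiteSpace(node.InnerText));
    }
}
```

HasCertificates can also be run on the files already generated before the fix to confirm which of the three lack the certificate; the same check applied to the metadata downloaded from ADFS (with needEncryption: false) confirms the partner signing certificate the SP will trust.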