JBoss Identity supports SAML2 Metadata profile.
Configure the metadata profile at the IDP
Create a web application for the IDP metadata. In the web.xml, the following should be present:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <display-name>IDP Metadata</display-name>
  <description>Metadata for the IDP</description>
  <servlet>
    <servlet-name>metadata</servlet-name>
    <servlet-class>org.jboss.identity.federation.bindings.servlets.MetadataServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>metadata</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
In the WEB-INF folder, you will need a jboss-idfed.xml with:
<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0"
          AssertionValidity="20000"
          RoleGenerator="somefqn"
          Encrypt="true">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
  <Trust>
    <Domains>localhost,jboss.com,jboss.org</Domains>
  </Trust>
  <KeyProvider ClassName="org.jboss.identity.federation.bindings.tomcat.KeyStoreKeyManager">
    <Auth Key="KeyStoreURL" Value="jbid_test_keystore.jks" />
    <Auth Key="KeyStorePass" Value="store123" />
    <Auth Key="SigningKeyPass" Value="test123" />
    <Auth Key="SigningKeyAlias" Value="servercert" />
    <SigningAlias>servercert</SigningAlias>
    <ValidatingAlias Key="localhost" Value="servercert"/>
    <ValidatingAlias Key="127.0.0.1" Value="servercert"/>
  </KeyProvider>
  <MetaDataProvider ClassName="org.jboss.identity.federation.bindings.providers.FileBasedEntityMetadataProvider">
    <Option Key="FileName" Value="WEB-INF/idp-metadata.xml"/>
  </MetaDataProvider>
</JBossIDP>
Both the Trust and KeyProvider elements are optional.
The MetaDataProvider element is required.
You will need to provide the entire metadata xml in idp-metadata.xml in the WEB-INF folder of your web app.
An example:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://IdentityProvider.com/SAML">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService isDefault="true" index="0"
                               Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                               Location="https://IdentityProvider.com/SAML/Artifact"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                         Location="https://IdentityProvider.com/SAML/SLO/SOAP"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://IdentityProvider.com/SAML/SLO/Browser"
                         ResponseLocation="https://IdentityProvider.com/SAML/SLO/Response"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                    FriendlyName="eduPersonPrincipalName">
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                    FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </IDPSSODescriptor>
</EntityDescriptor>
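Because the file-based provider serves whatever you put in idp-metadata.xml verbatim, the metadata is only as trustworthy as the file you wrote. The following Python script is an added example, not JBoss Identity code: it reads the FileName option from the MetaDataProvider element of a jboss-idfed.xml like the one above, then audits the metadata document that file would hold, checking that WantAuthnRequestsSigned is set and that every service Location and ResponseLocation uses https. Both input documents are constructed, trimmed copies of the files shown above; the plain-http endpoint in the sample metadata is deliberate so the audit has something to report. The function names and the particular checks are assumptions of this example, not part of the product.

```python
"""Added example (not JBoss Identity code): read the MetaDataProvider file name
from a jboss-idfed.xml and audit the SAML2 metadata document it points to."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces as they appear in the configuration and metadata files above.
IDFED_NS = "urn:jboss:identity-federation:config:1.0"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a trimmed copy of the jboss-idfed.xml shown above.
SAMPLE_IDFED = """<JBossIDP xmlns="urn:jboss:identity-federation:config:1.0"
    AssertionValidity="20000" RoleGenerator="somefqn" Encrypt="true">
  <IdentityURL>http://localhost:8080/idp</IdentityURL>
  <Trust><Domains>localhost,jboss.com,jboss.org</Domains></Trust>
  <MetaDataProvider ClassName="org.jboss.identity.federation.bindings.providers.FileBasedEntityMetadataProvider">
    <Option Key="FileName" Value="WEB-INF/idp-metadata.xml"/>
  </MetaDataProvider>
</JBossIDP>"""

# Constructed sample: a trimmed idp-metadata.xml with the HTTP-POST endpoint
# deliberately downgraded to plain http so the audit reports it.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://IdentityProvider.com/SAML">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://IdentityProvider.com/SAML/SSO/Browser"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://IdentityProvider.com/SAML/SSO/Browser"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _q(ns, tag):
    """Clark-notation tag name ({namespace}local) used by ElementTree."""
    return "{%s}%s" % (ns, tag)


def metadata_file_name(idfed_xml):
    """Return the FileName option of the required MetaDataProvider element."""
    root = ET.fromstring(idfed_xml)
    provider = root.find(_q(IDFED_NS, "MetaDataProvider"))
    if provider is None:
        raise ValueError("jboss-idfed.xml has no MetaDataProvider element")
    for option in provider.findall(_q(IDFED_NS, "Option")):
        if option.get("Key") == "FileName":
            return option.get("Value")
    raise ValueError("MetaDataProvider has no FileName option")


def audit_idp_metadata(metadata_xml):
    """Extract the IDP endpoints and report configuration weaknesses.

    Returns a dict with the entityID, a list of (element, binding, attribute,
    url) endpoint tuples, and a list of human-readable findings.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find(_q(MD_NS, "IDPSSODescriptor"))
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    findings = []
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("IDPSSODescriptor does not require signed AuthnRequests")

    endpoints = []
    for element in idp:
        name = element.tag.rsplit("}", 1)[-1]      # strip the namespace prefix
        binding = element.get("Binding")
        # Endpoint elements carry Location and optionally ResponseLocation;
        # NameIDFormat and saml:Attribute children have neither and are skipped.
        for attr in ("Location", "ResponseLocation"):
            url = element.get(attr)
            if url is None:
                continue
            endpoints.append((name, binding, attr, url))
            if urlparse(url).scheme != "https":
                findings.append(f"{name} ({binding}) {attr} is not https: {url}")

    return {"entity_id": root.get("entityID"),
            "endpoints": endpoints,
            "findings": findings}


if __name__ == "__main__":
    print("metadata file:", metadata_file_name(SAMPLE_IDFED))
    report = audit_idp_metadata(SAMPLE_METADATA)
    print("entityID:", report["entity_id"])
    for name, binding, attr, url in report["endpoints"]:
        print(f"  {name} {binding} {attr}={url}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

In a deployment you would call metadata_file_name on the real jboss-idfed.xml, open the file it names relative to the web application root, and run audit_idp_metadata on its contents before the servlet starts serving it.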
Configuring the SP for metadata
It is similar to the IDP configuration: create an sp-metadata.xml containing the SP's metadata and point the MetaDataProvider in jboss-idfed.xml at it.
General Notes
- The implementation is a servlet that serves standard metadata (that does not change often)
- By default, the metadata provider is a file based provider that just serves a standard file that you have created (idp-metadata.xml or sp-metadata.xml). The name of the file can be anything as long as the jboss-idfed.xml is updated.