Wednesday, February 22, 2012

SAML metadata


Metadata is information used in the SAML protocol to expose the configuration of a SAML entity, such as an SP or an IdP. Metadata defines things like which services are available, their addresses and the certificates in use. Metadata is expressed in XML. An SP uses the metadata to know how to communicate with the IdP, and vice versa.

Metadata is exchanged between the SP and the IdP. No protocol is prescribed for how the exchange is done, but there is no secret information in the metadata, so the XML can be freely distributed by mail or published in clear text on the Internet.
It is however highly recommended that the metadata is protected from unauthorized modification, since tampering with it is a good starting point for a man-in-the-middle attack.
The integrity of the metadata can be protected using, for example, digital signatures, or by transporting the metadata over a secure channel (USB, VPN etc.).

A metadata file for a SAML Web Browser SSO Profile IdP could for example contain the following.

  • Location of its Single Sign-On service, Artifact Resolution Service and Single Logout Service.
  • An ID identifying the provider.
  • A signature over the metadata, and public keys for verifying and encrypting further communication.

The file usually also states whether the IdP wants the communication signed or encrypted.

A metadata file for the SP would contain pretty much the same, but instead of an Artifact Resolution Service it has the location of its Assertion Consumer Service.
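As an added example (not code from the original post), here is a small Python script that reads a constructed IdP metadata document carrying the elements listed above (entity ID, SSO/SLO/Artifact Resolution endpoints, signing and encryption keys, NameID formats, WantAuthnRequestsSigned) and pins the signing certificate to a fingerprint obtained out of band, the kind of integrity check the secure-channel recommendation above calls for when the metadata itself is not signed. The entity ID, URLs and certificate values are all made up.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for the base64 <ds:X509Certificate> text; not real certificates.
SIGNING_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed-idp-encryption-cert").decode()

# Constructed IdP metadata with the elements the post lists; idp.example.org is made up.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.org/saml">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SIGNING_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/saml/artifact" index="0"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/slo"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/saml/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def cert_fingerprint(cert_b64):
    """SHA-256 of the DER certificate, i.e. of the base64-decoded X509Certificate text."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def summarize_idp(xml_text):
    """Extract what an SP needs from IdP metadata: entityID, endpoints, signing policy, keys."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    keys = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        # A KeyDescriptor without a 'use' attribute applies to both signing and encryption.
        for use in (kd.get("use") or "signing encryption").split():
            keys[use] = cert_fingerprint(cert)
    services = {name: {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + name, NS)}
                for name in ("SingleSignOnService", "SingleLogoutService", "ArtifactResolutionService")}
    return {"entity_id": root.get("entityID"),
            "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
            "services": services, "key_fingerprints": keys,
            "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}

def signing_cert_matches_pin(xml_text, pinned_sha256):
    """Pin check for metadata received over an untrusted path: the signing cert must match an out-of-band fingerprint."""
    actual = summarize_idp(xml_text)["key_fingerprints"].get("signing")
    return actual is not None and actual == pinned_sha256.replace(":", "").lower()

if __name__ == "__main__":
    print(summarize_idp(IDP_METADATA))
```

Verifying the metadata's own XML signature (the signed IdP variant) needs an XML-DSig library and is out of scope here; the fingerprint pin is the fallback for the unsigned case.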

Metadata can contain lots of other information. For a full description have a look at the SAML specifications: http://saml.xml.org/saml-specifications

Here is an example of metadata from an IdP and an SP. Usually these files can be generated by the application handling the SAML communication.

IdP

======= Digest value for metadata ========
=============== Metadata signature =============
=============== Public key for metadata signature =============
=============== Public key for verifying signatures =============
=============== Public key for encrypting data =============
128
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

SP
The SP metadata is not signed, simply because the metadata example I had wasn't signed.

=============== Public key for verifying signatures =============
=============== Public key for encrypting data =============
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

23 comments:

  1. It's really good information :). I was looking for this for a long time on Google.
  2. Hi Stefan,
    I am new to SAML 2 implementation. I have a question regarding metadata. Is it necessary for the IDP and SP to share their metadata?
    I mean, is it required that the IDP should use the metadata of the SP for implementation? Is it required somewhere in the implementation process that the IDP has to use the metadata of the SP?
  3. Yes, they should exchange metadata. The metadata tells them how to talk to each other. Of course you could hardcode this information in OpenSAML, but this is not according to the SAML specs.
  4. Hi Stefan, thanks for your response. I have one more question: in the service provider metadata, which part of the XML defines the roles for the service provider? I am looking for a specific role, 'Attribute Requester'. How can I define this role in my metadata, i.e. using which element?

    Replies
    1. I have not tried this so I will refer you to the metadata spec http://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf. I would appreciate you posting the answer if you find it.
  5. This comment has been removed by the author.

  6. Hi Stefan,
    I guess I framed the question incorrectly, but I did get the answer for it.
    So it is nothing different, but this is how I understood it.
    If the element 'SPSSODescriptor' has the following child elements, then it is an Attribute Requester. Which is basically the whole point of SAML, sharing of data along with single sign-on.
    Child elements:
    "
    -AttributeConsumingService
    --RequestedAttribute
    "
    Thanks for your help and great post
  7. This comment has been removed by a blog administrator.

  8. This comment has been removed by a blog administrator.

  9. Hi Stefan,

    Great post!!! I would appreciate your comments on the following:

    1. Should an SP implement a SingleLogoutService? If implemented, is it used by the IDP to issue a logout request when another SP participating in a session has logged out?
    2. Why should an SP provide a signing/encryption key to the IDP? Should we sign and encrypt the messages sent to the IDP?

    Thanks

    Replies
    1. 1. To implement SLO the SP must also have a SingleLogoutService. Yes, this service is used by the IDP to log out a user when SLO is initiated by another SP, or by the IDP itself.

      2. Whether encryption and signing is to be used is, as far as I understand, optional. It is highly recommended though that the messages be secured in some way. This can also be via a secured channel like HTTPS. When I have done SAML integrations I have seen the following signing/encryption regime: AuthnRequests signed, Artifact request and response signed, Assertions encrypted, and everything runs over HTTPS. In SLO, request and response are signed and go over HTTPS. In my opinion this is a good and solid way to secure the communication.
  10. http://mylifewithjava.blogspot.in/search/label/Metadata
    Should we generate metadata manually or by using a program (as you mention in the above link)?

    Which one is preferable? You said on Stack Overflow that metadata is common for all the IdPs. ref: http://stackoverflow.com/questions/21160486/service-provider-implementation-using-open-saml-java/21234352#21234352
    Can you tell me, if it is common for all types of IdPs, then what is the need of generating metadata programmatically? Thanks in advance..

    Replies
    1. We might have a misunderstanding here: metadata is not common for all IDPs, but normally the IDP's metadata is the same for all its SPs. What metadata is it that you need? Is it the IDP metadata or the SP metadata? And what are you building? The SP or the IDP?
  11. I am implementing an SP. So obviously metadata for the SP.
    Is metadata sharing between a pair of entities (SP and IdP) a one-time operation?

    Replies
    1. Ok, you can use OpenSAML to generate metadata or you can just write it by hand, it's just XML. The exchange is a one-time operation.
  12. This comment has been removed by the author.

    Replies
    1. It's a typo. Refer to the full question in my next comment. Sorry for the removal.
  13. Hi Rasmusson,
    How do I generate my personal X509Certificate? I have to insert that in the metadata of the SP.
    And I am running the SP on my localhost, so how can outside people contact me? Because I have to provide the Location attribute in the AssertionConsumerService role, right?

    Replies
    1. If you just want a certificate for testing, you can create a self-signed certificate using openssl; try this for example: http://stackoverflow.com/questions/10175812/how-to-build-a-self-signed-certificate-with-openssl. Yes, they will find you with the value in AssertionConsumerService. If you have many more questions you can start a chat with me here http://wizpert.com/stefanrasmusson
  14. Hi Stefan, first I want to congratulate you for the information you post on SAML. I have long been looking for all this information and finally I find something that is of great help. Now I come to the following: it happens that I have to implement a project with SAML but I cannot find information on how to specify who is an IDP. Perhaps you can explain a bit, like how to say that this is an IDP or where this property is set. I am waiting for a prompt answer and already thank you for your attention.