Keycloak SAML adapter: how to export SP XML metadata? - metadata

After deploying the Keycloak 3.4 SAML adapter (as a Tomcat valve, for instance), I am looking for the proper way to get the SP XML metadata file generated from the certificate and service URLs.
A question about exporting Keycloak IdP XML metadata is answered but I found no equivalent for SP metadata.
Note: I am used to exporting such SP metadata from OIOSAML, Shibboleth and Spring Security SAML, and find it strange that Keycloak does not document it.

If you have your SP registered in a Keycloak server instance, there is an endpoint. See org.keycloak.broker.saml.getSPDescriptor()
I am afraid that there is no way of getting it directly from the SP. You can always use org.keycloak.saml.SPMetadataDescriptor.getSPDescriptor() as a helper for building it.
I ended up creating a template from another installation (WebLogic).
Hope it helps,
Luis

In the client, choose the 'Installation' tab. At 'Format options' choose 'SAML Metadata SPSSODescriptor'.

Related

Configuring Shibboleth Metadata File

We have recently migrated to a new hosting environment, so we have installed a fresh instance of Shibboleth. When we generate SP metadata files, the URLs are non-secure (i.e. http) even though the URL used to generate the metadata uses https.
When using the test connection from our own Azure AD system, we see the obvious error: "The reply URL specified in the request does not match the reply URLs configured for the application:"
I have limited knowledge of configuring the system beyond working on shibboleth2.xml and attribute-map.xml, so I would be very grateful if anyone can point me in the right direction to fix this.
I'm not sure if you managed to configure it, but I'm currently working on this as well, and I think I can help.
So the ReplyURL you need to provide in the Azure Portal is the reply URL that accepts the authentication reply message from the identity provider.
In the case of Shibboleth it is:
http[s]://yoursitename/Shibboleth.SSO/Auth/Saml
So if your webpage is for instance:
https://localhost/Foo
The replyURL should be:
https://localhost/Shibboleth.SSO/Auth/Saml
Notice that the page "Foo" is not in the replyURL.
After the authentication the browser should send the IdP reply to https://localhost/Shibboleth.SSO/Auth/Saml, after which Shibboleth should redirect you back to https://localhost/Foo.
At least that's the default behaviour.

SuiteCRM metadata for SAML Authentication

I am trying to integrate SAML authentication for SuiteCRM version 7.8.5. I have set up the Login URL, SLO URL and X509 Certificate in the Password Management page. I also have a Shibboleth IdP installed on another server and need the metadata of the SuiteCRM installation to configure there. I have been going through the SuiteCRM forums and also tried to make some connection with the SugarCRM docs to find out the URL/location for getting the metadata XML. But so far no luck.
Is there any url that will give the metadata?
Any help is greatly appreciated.
Thanks
There is no metadata XML automatically generated, unfortunately; you will need to craft your own, but the key information you need is:
AssertionConsumerService = "https://yourcrm.com/index.php?action=Login&module=Users"
SingleLogoutService = "https://yourcrm.com/index.php?action=Login&module=Users"
NameIDFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
nameidattribute = "uid"
The login action handles both login and logout when used with SAML. Note that the name ID attribute you use is equivalent to the users.user_name database field, and that is what SuiteCRM will log in as.
This has changed in recent versions of SuiteCRM. The metadata is located here: https://suitecrm-domain.tld/index.php?entryPoint=SAML2Metadata
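The Keycloak question at the top asks how to build SP metadata from a certificate and service URLs, and the SuiteCRM answer lists the values needed to hand-craft it. The following added example (not code from any of the posts, nor from Keycloak, SuiteCRM or Shibboleth) builds a minimal SPSSODescriptor from those values and then checks the result for endpoints that are not https, which is the symptom reported in the Shibboleth question. Every URL and the certificate string are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)


def build_sp_metadata(entity_id, acs_url, slo_url, nameid_format, signing_cert_b64):
    """Return SP metadata (EntityDescriptor/SPSSODescriptor) as an XML string.

    Child order follows the SAML metadata schema: KeyDescriptor,
    SingleLogoutService, NameIDFormat, AssertionConsumerService.
    """
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{NS_MD}}}SPSSODescriptor",
                       AuthnRequestsSigned="true", WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, f"{{{NS_MD}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS_DS}}}KeyInfo"), f"{{{NS_DS}}}X509Data")
    ET.SubElement(x509, f"{{{NS_DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{NS_MD}}}SingleLogoutService",
                  Binding=BINDING_REDIRECT, Location=slo_url)
    ET.SubElement(sp, f"{{{NS_MD}}}NameIDFormat").text = nameid_format
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService",
                  Binding=BINDING_POST, Location=acs_url, index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


def insecure_endpoints(metadata_xml):
    """Return the Location of every ACS/SLO endpoint whose scheme is not https."""
    root = ET.fromstring(metadata_xml)
    bad = []
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for el in root.iter(f"{{{NS_MD}}}{tag}"):
            loc = el.get("Location", "")
            if urlparse(loc).scheme != "https":
                bad.append(loc)
    return bad


# Constructed sample values; the certificate is a placeholder, not a real key.
SAMPLE_ENTITY = "https://sp.example.com/saml/metadata"
SAMPLE_LOGIN = "https://sp.example.com/index.php?action=Login&module=Users"
SAMPLE_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SAMPLE_CERT = "MIIC...PLACEHOLDER-BASE64-CERT..."

if __name__ == "__main__":
    print(build_sp_metadata(SAMPLE_ENTITY, SAMPLE_LOGIN, SAMPLE_LOGIN, SAMPLE_NAMEID, SAMPLE_CERT))
```

Running it prints the metadata; feeding the output to insecure_endpoints gives an empty list, while the same call with an http:// login URL lists that endpoint.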

SAML Claims not returned by WSO2 IS 5.1.0

I am using WSO2 5.1 – STS service. With the stsclient (Java program) I am making a SAML token request. However, I am not getting the claim details as part of the SAML token response from IS.
The same request returns the claims when it is sent to WSO2 IS 5.0.
For the SSO requirement it looks like I have to set “Attribute Consuming Service Index”. But I am not sure where to set this attribute in the SAML request while using the stsclient Java program.
This resembles this question, but is not related to STS.
In your Service Provider's SAML configuration, you have to make sure the following two checkboxes are checked:
Enable Attribute Profile
Include Attributes in the Response Always
Then, inside the Claim Configuration section of the Service Provider, you have to add the particular user claims that you wish to receive in the SAML response as the Requested Claims.
Then you should be able to receive the user claims in the SAML response, provided that the user's profile already contains values for these claims.
Refer [1] for more details.
[1] http://tharindue.blogspot.com/2016/08/retrieving-user-claims-in-saml-response.html

Is there a PingFederate metadata URL?

In PingFederate, I know that we can export the metadata as an XML file, but is there a URL that I can call to access it?
OpenAM and ADFS seem to have such functionality, e.g.
http../openam/saml2/jsp/exportmetadata.jsp?entityid=myentity
http../FederationMetadata/2007-06/FederationMetadata.xml
Does PingFederate provide such functionality?
[update 4/6/16]
PingIdentity added this functionality in 8.1:
PingFederate publishes metadata: https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#pf_c_connectionfederationmetadata.html
PingFederate retrieves metadata: https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#adminGuide/pf_t_manageMetadataUrls.html
Previous answer: PingFed doesn't currently have this functionality built in beyond turning on Auto-Connect. It is a current feature request.
PingFederate version 8.0.4 also has this feature to export metadata as an IdP and also as an SP.
You can select a connection to add the attribute contract and signature.
It's in Server Configuration -> Metadata Export

How to configure OpenAM as Identity Provider (IdP) to test SAML based SSO

I am trying to configure OpenAM as Identity Provider to test my SAML based service provider application.
I have searched a lot and looked at the documentation of OpenAM. There are lots of things supported by OpenAM which I probably do not need at this moment. I don't wish to read the whole documentation, which will take a lot of time reading things I do not want to test right now. I even saw chapter 9 "Managing SAML 2.0 SSO" at
http://docs.forgerock.org/en/openam/10.0.0/admin-guide/index/index.html
But it requires a lot of things to be configured before this.
Is there any quick start guide to test it as a SAML based IdP?
EDIT
Not a quick one; a detailed one is also fine. But I want OpenAM as Identity Provider. The SP is an application hosted on Jetty which we have developed. Also tell me what changes I have to make on the SP, like which URLs of the application should respond with what.
There is no one-fits-all answer to your question really. Setting up SAMLv2 Federation largely depends on the actual SP implementation; some SPs can work with SAML metadata, some don't.
The simplest way to set up federation between two OpenAM instances for reference would be something like:
Create Hosted IdP wizard on node1
Create Hosted SP wizard on node2
On both nodes remove the persistent NameID-Format, so both will have transient at the top of the list
Register Remote SP wizard on node1, with URL: node2/openam/saml2/jsp/exportmetadata.jsp
Register Remote IdP wizard on node2, with URL: node1/openam/saml2/jsp/exportmetadata.jsp
On node2 in the Hosted SP setting set the transient user to "anonymous"
After all this you can test Federation by using:
/openam/spssoinit?metaAlias=/sp&idpEntityID=node1_entityid on node2
/openam/idpssoinit?metaAlias=/idp&spEntityID=node2_entityid on node1
I've used the default metaAlias values, but those should be visible on the console pages. Similarly, by downloading the metadata you can see the actual entity IDs for the given entities.
Based on this, you should see now that with an OpenAM IdP you could at least test SAML support using the idpssoinit URL (if your SP supports unsolicited responses), but from the other way around it pretty much depends on your SP implementation how you need to actually trigger a SAML authentication.
This seems like a simple setup.