One of our web app would like to connect with ADFS 2.0 server to get credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file to let them create Relying Party Trusts. I googled and only find how to download the ADFS server's federation metadata XML using URL - https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml
But could didn't find any guide to create a federation metadata XML for creating "Relying Party Trust" and "Claims Provider Trusts". Is there a tools for creating those metadata files? Please share some idea for how to create.
Thanks
Lu
Answer my own question:
I found the Federation Utility tools in WindowsIdentityFoundation-SDK-4.0 at http://www.microsoft.com/en-ca/download/details.aspx?id=4451 will do it.
Actually the URL is
https://server/federationmetadata/2007-06/federationmetadata.xml
There are no tools that I an aware of.
You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class or refer Generating Federation Metadata Dynamically.
Have a look at
"Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2.
Or if your application uses WIF it's in the metadata directory.
Update:
In WIF, unless you want to the token to be encrypted, you don't need the certificate. That's more for the ADFS side as it has to sign the token and the app. needs the public key to verify.
Example:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<fed:ClaimTypesRequested>
<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
<auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
</fed:ClaimTypesRequested>
<fed:TargetScopes>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost/app/</Address>
</EndpointReference>
</fed:TargetScopes>
<fed:PassiveRequestorEndpoint>
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost/app/</Address>
</EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
</EntityDescriptor>
where localhost\app\ needs to be your app's URL. Note end slash!
I had to do this recently, having never used .Net or ADFS before, and having only the server (STS) metadata URL that I was trying to integrate with. I had a basic Windows 10 PC and was trying to set up a Node.js webapp as an RP. This is what I did:
On the Win 10 PC, went to Control Panel -> Programs and Features -> Turn Windows features on or off -> Enable Windows Identity Foundation 3.5
Installed Windows Identity Foundation SDK 4.0 (as referred to by the original author).
Created a basic Web.config file which contained:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
</system.web>
</configuration>
In the SDK installation directory, I found FedUtil.exe and FedUtilSampleUserInput.xml. The sample file explained all the parameters that FedUtil.exe was going to ask for, which was very helpful.
Launched FedUtil.exe as Administrator (right-click in File Explorer), providing the Web.config file I just created, the webapp URL, the server (STS) metadata URL as the "existing STS", and selecting to create a new default certificate.
Lo and behold, a FederationMetadata.xml file was generated and my Web.config file was updated automatically.
I then un-commented some of the claim types in the updated Web.config file and re-ran FedUtil.exe, which then updated my FederationMetadata.xml with the additional claim types that I needed from the STS (e.g., email, given name, surname)
Provided the FederationMetadata.xml to the STS admin, which worked!
Only downside is that this all required a Windows machine ... I'm not sure what I would have done on Mac or Linux!
For creating SAML RP Metadata there is a web based tool available at samltool.com which can help out. I haven't found one for WS-Federation other than the Federation Utility...
I also recently discovered the site rcFederation which supports AD FS / WS-Federation
Metadata xml for creating "Replaying party trust" is not ADFS federation metadta, but SP (Saml issuer)'s metadata xml.
Related
Expected Result:
IIS hosts my app correctly, and when I navigate to the url of my app (e.g: blabla/swagger) I see the swagger UI describing my app
Problem:
When I try to navigate to my app it says:
HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.
Information
I built an app in .net core 2.0 and I am able to make it run through visual studio, being hosted by Kestrel.
However I need to deploy this app to different servers and since Kestrel doesn't support host names, I need to make it being hosted in IIS . When I make it run through Kestrel I am able to access it correctly and by navigating to the url/swagger address, I am able to see the correct swagger page that describes the app.
My app is being published from visual studio. Which means in its published folder there are all the dlls that the app needs. It's being published as a framework dependent app, not a standalone one, but this shouldn't matter.
How to replicate the problem
Since I need this one day to be hosted in IIS inside a Docker container, I am trying to make it being hosted in IIS with powershell scripts. What I did to make it being hosted in IIS is:
New-Website -Name 'myTestApp' -force -Port 8080 -PhysicalPath
'C:\Users\myUser\Desktop\Docker\PublishOutput' -ApplicationPool 'MyAppPoolTest'
Where C:\Users\myUser\Desktop\Docker\PublishOutput is the path to the published folder where Visual Studio publishes the app. Thanks in advance!
This is the web.config generated by Visual studio when publishing:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\Friss.CaseApi.Web.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" />
</system.webServer>
</configuration>
<!--ProjectGuid: 313d542d-7676-4440-ae1b-22c6071f4309-->
And the error page is:
Am I setting the web.config in the wrong way?
Check the documentation here
You need to publish your website and then point IIS website to the published folder
Application pool must be set to No Managed code
Application Pool identity user IIS AppPool\{AppPoolName} must have read permissions on the published website folder
Found the solution,
the system requires the dotnet core windows hosting bundle. The bundle installs the .NET Core Runtime, .NET Core Library, and the ASP.NET Core Module.
Documentation: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/?view=aspnetcore-2.1&tabs=aspnetcore2x
Direct download to the bundle for .netcore 2.0.6 that solved my problem:https://download.microsoft.com/download/8/D/A/8DA04DA7-565B-4372-BBCE-D44C7809A467/DotNetCore.2.0.6-1-WindowsHosting.exe
I have an azure web app. Now, I am trying to install shibboleth service provider for my web app.
I found a way to do this though this blog.
Is there any other way to set up shibboleth sp without installing a VM on azure?
I have searched a lot on web but all they show is to set up SSO in azure using Azure active directory as IdP.
Is there any way to configure my external Idp to web app in azure?
SSL is the first layer of defense for an SSO web application. Thus you must obtain an SSL certificate for your web site’s URL.
The biggest trick seems to be configuring Azure and Visual Studio to not get confused between the remote desktop certificate and the SSL certificate. The Azure instructions for configuring SSL you could refer to.
Here are the most important points as below:
1.You will need to have the certificate in a PFX file so it can be uploaded to Azure. This PFX file must contain the certificate’s private key! You will also need the certificate thumbprint.
2.Modify the cloud service’s service definition and service configuration files.
3.Upload the SSL certificate to your cloud service application.
4.Now the SSL-modified cloud service application needs to be uploaded to Azure.
5.Browse to your web site using HTTPS. Fingers crossed! It should work but HTTP should be rejected.
If you need to set up a test IdP, Microsoft has produced a series of videos on how to do this.
Of course there is the Shibboleth IdP documentation at shibboleth.net.
You should also have downloaded the Shibboleth SP 64-bit Windows/IIS 7 MSI file.
Get the latest version from the download site.
Now when you browse to your Azure web site you should be redirected to your IdP’s login page. Once you successfully log in you should be redirected back to your web app. There will now be session variables that contain authentication attributes such as IdP URN, user name, and so on.
For more details, you could refer to this blog.
I am trying to setup Josso2.4 to work as a sign in solution to multiple websites. (Starting with just one).
I have configured my test web site as an "external saml2 service provider" in jooso but this require a "metadata file" and I have been unable to find any documentation for this metadata file format. Is it a standard saml format shared accross all saml implementations?
I found some sample xml files I could import, but i newer found a sample which had sso enabled.
You didn't mention, what you use as service provider. You can use Spring Security SAML and download metadata from special URL, for examle: http://localhost:8080/spring-security-saml2-sample/saml/metadata
See documentation: http://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/
In order to view wadl file from my server in an internet browser it's necessary to authenticate.
I would like to test my webservices using soapui however when I add new project and in initial wadl/wsdl I enter path to wadl file on my server the project is created but operations are not listed. How to authenticate user and password in order to get valid wadl?
If you are using a SOAPUI version 4.6.4, there is a bug importing authentication protected wsdl which provokes that the basic credentials prompt is not showed up. You can see more details here.
There is a maintenance build for SOAPUI PRO where this bug is solved: http://www.soapui.org/Downloads/soapui-pro-nightly-builds.html.
The published wsdl of the web-service we work with has a Policy tag.
But after we create a client using wsimport and Netbeans, it would not allow to edit any attributes of WSIT settings. In Apache CXF you can supply the attributes via API. As far as we see, in case of Metro and Netbeans it needs an xml file with the policy attributes set.
Documentation says that those attributes can be edited via Web service client' settings and xml automatically generated. But in our case no WSIT (Security) tab is accessible.
Here, documentation presents how the properties should look like. http://metro.java.net/nonav/1.2/guide/Configuring_Security_Using_NetBeans_IDE.html#gfrds
(Security tab)
Is there any easy way to provide the client with options as message signing, keystore and trustore (as published service required)?