-
Notifications
You must be signed in to change notification settings - Fork 43
ServiceProvider Element
The <serviceProvider> element contains the configuration information for the Service Provider. It specifies the ID, server, and <endpoints> for the Service Provider. It also can specify nameIdFormats, authnContexts for SAML RequestedAuthnContexts, etc., which may be necessary for some Identity Providers.
The <serviceProvider> element has two attributes that are required:
| Attribute | Use |
|---|---|
| id | The ID of the Service Provider. This must match the Audience in AllowedAudienceUris within the Federation configuration section, and it must be a well formed URI. |
| server | Specifies the URL of the Service Provider. Can be the same as ID. |
The <serviceProvider> element can contain the following elements:
| Element | Use |
|---|---|
| <signingCertificate> | Configuration for finding the certificate for signing purposes. |
| <endpoints> | Configures the various endpoints the service provider exposes. |
| <nameIdFormats> | (Optional) Allows for specifying supported NameIDFormats the service provider supports. |
| <authenticationContexts> | (Optional) Allows for configuration of AuthnContexts the service provider supports. |
The <signingCertificate> element allows for specifying the certificate and store on the hosting server from which to pull the certificate used for signing / encryption, etc.
It allows the following attributes:
| Attribute | Use |
|---|---|
| findValue | The value to use when searching for the certificate using the designated x509FindType |
| storeLocation | The certificate store location. Can be any of the values specified in the StoreLocation enumeration. Typically, "LocalMachine". |
| storeName | The certificate store name. Can be any of the values specified in the StoreName enumeration. Typically, "My". |
| x509FindType | The method by which to identify the certificate. Can be any of the values specified in the X509FindType enumeration. |
It is important to note that the application must have access to the private key of the certificate in the key store. This can be done from mmc.exe and the Certificates snap-in. The private key permissions must be set to allow Read permissions for the identity the App Pool is running under. On IIS7+, this could be the IIS_IUSRS group if you are not running the App Pool under a different identity.
<saml2>
<serviceProvider id="urn:SPName" server="https://www.example.com">
<signingCertificate findValue="CN=MySamlSigningCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
</serviceProvider>
</saml2>
Please not that certificates must explicitly be made for signing purposes when they are created. You cannot, for instance, simply reuse most SSL certs for signing purposes. You can use the Microsoft makecert command to generate this and install it to your local machine store. Remember to grant access to the private key in mmc.exe after adding the key.
makecert -r -pe -n "CN=your.site.com" -b 01/01/2014 -e 01/01/2030 -eku 1.3.6.1.5.5.7.3.3 -sky signature -ss my -sr localmachine
Read up on what all the params mean here: http://msdn.microsoft.com/en-us/library/bfsktky3
The <endpoints> element configures the service provider endpoints. This element must always have three <endpoint> elements defined: SignOnEndpoint, LogoutEndpoint, and Metdata endpoint.
Each <endpoint> has the following required attributes:
| Attribute | Use |
|---|---|
| type | Determine the function of the endpoint, and must be one of "SignOn", "Logout" or "Metadata". One ServiceEndpoint of each type must be present. |
| localpath | The address at which the endpoint is located. These should match the locations of the handlers for each type. |
| redirectUrl | The default URL to redirect to after the handler is done executing. |
| index | Used to define the "index" value for the endpoint when generating a metadata document. Required for metadata generation of artifactResolution endpoints. |
The <nameIdFormats> element is an optional element which allows for specifying the NameIdFormats the ServiceProvider supports. It has the following attribute:
| Attribute | Use |
|---|---|
| allowCreate | Controls the "AllowCreate" attribute on SAML requests, which may be required for some implementations. True / false value. |
Note, that while multiple NameIdFormats can be added to this list, only the first is ever sent as part of an AuthnRequest (limitation of the OASIS SAML2 Specification). Other specified NameIdFormats will be output during Metadata creation as the specification allows. Most providers that require this in the AuthnRequest will specify a NameIdFormat to use.
To add NameIdFormats to the collection, use the following syntax:
<saml2>
<serviceProvider id="urn:SPName" server="https://www.example.com">
...
<nameIdFormats allowCreate="true">
<add format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</nameIdFormats>
...
</serviceProvider>
</saml2>
The following NameIdFormats are available as per the OASIS SAML2 Specification:
| NameIdFormat |
|---|
| urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
| urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName |
| urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos |
| urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
| urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
| urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
The <authenticationContexts> element is an optional element which allows for the Service Provider to specify the authentication contexts that it will accept from the Identity Provider. This controls the "RequestedAuthnContext" element of the SAML request, and may be required by some implementations.
The <authenticationContexts> element exposes the following attribute:
| Attribute | Use |
|---|---|
| comparison | Specifies the comparison method used to evaluate the requested context classes or statements, one of "exact", "minimum", "maximum", or "better". The default is "exact", if omitted. |
To add AuthnContexts to the collection, use the following syntax:
<saml2>
<serviceProvider id="urn:SPName" server="https://www.example.com">
...
<authenticationContexts comparison="Exact">
<add context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" referenceType="AuthnContextClassRef"/>
</authenticationContexts>
...
</serviceProvider>
</saml2>