
IT:AD:SAML:HowTo:Generate the Service Provider Metadata file

When you create a website, you'll have to register it with the IdP.

This entails sending to the IdP a “Metadata” file containing:

The official documentation for the file's specification:

Assuming that we are working with IT:AD:SSOCircle as our free dev SSO, we have to do the following:

Example of a very basic SAML 2.0 metadata file

To complete the following, you'll need:

  • CONNECTOR IDP ENTITY ID
  • PUBLIC SAML CERT CONTENT
  • IDP URL

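<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--
  Minimal SAML 2.0 metadata for an *identity provider* (IDPSSODescriptor): it tells
  the SP which entityID, signing certificate and SSO endpoint to trust.
  An SP's own metadata uses SPSSODescriptor instead (see the Box.com example below).
  Replace every CHANGEME_* placeholder before registering the file.
  The xsi prefix must be bound to the http:// form of the XMLSchema-instance URI;
  a namespace name is matched as an exact string, so an https:// variant is a
  different (unknown) namespace.
-->
<EntityDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="CHANGEME_TO_CONNECTOR_IDP_ENTITY_ID">
  <!-- entityID is compared byte for byte with the Issuer in the IdP's responses -->
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- use="signing": the certificate the SP will use to verify the IdP's signatures -->
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <!-- public saml cert: the base64 body of the DER certificate only,
               i.e. the PEM text without the BEGIN/END CERTIFICATE lines -->
          <ds:X509Certificate>CHANGEME_TO_PUBLIC_SAML_CERT_CONTENT</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

    <!-- Supported Name Identifier Formats -->
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>

    <!-- HTTP-POST binding; Location is the IdP's SSO endpoint (use an https:// URL) -->
    <SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="CHANGEME_TO_IDP_URL" />

  </IDPSSODescriptor>
</EntityDescriptor>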


Src: https://support.symplified.com/entries/23713738-How-do-I-create-a-SAML-XML-metadata-file-

Box.com Example


<?xml version="1.0" encoding="UTF-8"?>
<!--
  Signed SAML 2.0 *service provider* metadata (SPSSODescriptor) published by Box.
  ds:Signature is an enveloped signature over the whole EntityDescriptor (its
  Reference URI points at the root's ID attribute). Exclusive C14N without the
  WithComments variant drops comments, so annotating the file does not invalidate
  the signature; re-indenting or re-wrapping anything inside ds:SignedInfo would.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="box.net" cacheDuration="PT1440M" ID="_nGWaGfROSwANIsmeGrF9L_U6R5">
  <!-- cacheDuration PT1440M: consumers should re-fetch after 24 hours; no validUntil is set -->
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <!-- Legacy algorithms (rsa-sha1 signature, sha1 digest) in this sample, which
         appears to date from 2013 judging by the embedded certificate. A new
         deployment should sign with rsa-sha256 and digest with sha256. -->
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#_nGWaGfROSwANIsmeGrF9L_U6R5">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>qbGiFQmKnLY2Zg1rOdmmwk55wBA=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
<ds:SignatureValue>
KhWHkku2A9YLjLNiqBI27Y5dR1ZGQoqI2AG8Nsg9c/7u24YOJuUmxuKZt+yFHTyYVJ7/y7TuFXvp
he6YxtbGOSgGvj2F6c07cCFS0lMYRyD0st7qmo7wSZy4+Zq69FIh85vNFCWtW/7k8CLMfjFfPHdL
AxXh2RNxbvwwtoA3gG51VcLhQsfFupxrHOiCSvmUb2ZC7AN1msqj4U2OkVR9tmQQAfEyS2zQFhKN
LIxv4gR7lr/G0/MtCEdhRJTl52SEA7YCM4Ejf42gyrzQF9fjOZ0r34wNYZ+XZog/WC4ySJmwUF1k
esYmSRxTKEa9te89jgmrWmYKekbDvlpbc4We+A==
</ds:SignatureValue>
<!-- KeyInfo only *identifies* the signing key (the certificate, plus the same RSA
     modulus and exponent again as ds:RSAKeyValue). A consumer must not trust a key
     because it appears here: verify the signature against a certificate it already
     trusts out of band. -->
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIDFDCCAfygAwIBAgIGAT9isgqtMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJTG9zIEFsdG9zMQwwCgYDVQQKEwNCb3gxDDAKBgNVBAMTA0JveDAg
Fw0xMzA2MjAxNzQ2NDJaGA8yMDUzMDYxMDE3NDY0MlowSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AkNBMRIwEAYDVQQHEwlMb3MgQWx0b3MxDDAKBgNVBAoTA0JveDEMMAoGA1UEAxMDQm94MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslc1cDScqOy32qc4zDJN7Bkjvb3EnAFpS5AuU16I
w3NmtwJfTWJwx7qnyWd+MBzsOEypI7PaA/2KXELFN1qXwdfSVKegv0tJ/sKCQKBJS/7MVHvTpv3O
y9GxMU0RsJud1KdjZk3Z1NFY/BAEx4lisnkD9X84dIjBHjH4Gm4iApcHVeIOE1hVr3rn3X4b4qNB
6RTCdCw5DkSieIjru/rzWr7lDR1xNLZh742bzNM5cktKM0hn8u9xJN+voY5t1/YHpFUSM221/p+1
1V8e/CGX/wBEAJWcOFpPycaEnfuep5ccA1xxYek5o0VI7y4jjVdgxgVV7EERS1G6XEkxrxudawID
AQABMA0GCSqGSIb3DQEBBQUAA4IBAQCBBXHaruJu/R9NaBKWMskliaR0KtrLFT41C6FUw7XXznvm
nNGfY6eyMeAt/BkqXFqBfAPt86GtJUk2W/RfeKQEs1kABkicxxw8GiujXZffi8qFz4jdt1rX6m7n
A2ZJojj3E4hhsTjNF5scvnSfs5UxyoWvg4YNSa0DcoWoCQnFD7KpYow29BaTc/Jbyasx5XnMdFAE
YTi0JjNtt/LHQ3cfWYj0PZ7+3gmwNfbRsh3wMUU+Ia2yUBZhP0wfkTMR70lt7RIFCE2Gp/CL7mma
tHTkd5yqEcRtkbjvCJcpqsD3ri7WBIg2dGEphsf2gqSUEgTDyfBNnBpGWAIwlHrfpJBu
</ds:X509Certificate>
</ds:X509Data>
      <ds:KeyValue>
        <ds:RSAKeyValue>
<ds:Modulus>
slc1cDScqOy32qc4zDJN7Bkjvb3EnAFpS5AuU16Iw3NmtwJfTWJwx7qnyWd+MBzsOEypI7PaA/2K
XELFN1qXwdfSVKegv0tJ/sKCQKBJS/7MVHvTpv3Oy9GxMU0RsJud1KdjZk3Z1NFY/BAEx4lisnkD
9X84dIjBHjH4Gm4iApcHVeIOE1hVr3rn3X4b4qNB6RTCdCw5DkSieIjru/rzWr7lDR1xNLZh742b
zNM5cktKM0hn8u9xJN+voY5t1/YHpFUSM221/p+11V8e/CGX/wBEAJWcOFpPycaEnfuep5ccA1xx
Yek5o0VI7y4jjVdgxgVV7EERS1G6XEkxrxudaw==
</ds:Modulus>
          <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
      </ds:KeyValue>
    </ds:KeyInfo>
  </ds:Signature>
  <!-- AuthnRequestsSigned and WantAssertionsSigned are not set, so both take the
       schema default of false: the IdP is neither told to expect signed requests
       nor asked to sign assertions. Set WantAssertionsSigned="true" where the
       IdP supports it. -->
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Only a signing key is published (no use="encryption"), so the IdP cannot
         encrypt assertions for this SP. This is the same certificate embedded in
         ds:Signature above; the IdP uses it to verify signed requests from the SP. -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDFDCCAfygAwIBAgIGAT9isgqtMA0GCSqGSIb3DQEBBQUAMEoxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJTG9zIEFsdG9zMQwwCgYDVQQKEwNCb3gxDDAKBgNVBAMTA0JveDAgFw0xMzA2MjAxNzQ2NDJaGA8yMDUzMDYxMDE3NDY0MlowSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlMb3MgQWx0b3MxDDAKBgNVBAoTA0JveDEMMAoGA1UEAxMDQm94MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslc1cDScqOy32qc4zDJN7Bkjvb3EnAFpS5AuU16Iw3NmtwJfTWJwx7qnyWd+MBzsOEypI7PaA/2KXELFN1qXwdfSVKegv0tJ/sKCQKBJS/7MVHvTpv3Oy9GxMU0RsJud1KdjZk3Z1NFY/BAEx4lisnkD9X84dIjBHjH4Gm4iApcHVeIOE1hVr3rn3X4b4qNB6RTCdCw5DkSieIjru/rzWr7lDR1xNLZh742bzNM5cktKM0hn8u9xJN+voY5t1/YHpFUSM221/p+11V8e/CGX/wBEAJWcOFpPycaEnfuep5ccA1xxYek5o0VI7y4jjVdgxgVV7EERS1G6XEkxrxudawIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQCBBXHaruJu/R9NaBKWMskliaR0KtrLFT41C6FUw7XXznvmnNGfY6eyMeAt/BkqXFqBfAPt86GtJUk2W/RfeKQEs1kABkicxxw8GiujXZffi8qFz4jdt1rX6m7nA2ZJojj3E4hhsTjNF5scvnSfs5UxyoWvg4YNSa0DcoWoCQnFD7KpYow29BaTc/Jbyasx5XnMdFAEYTi0JjNtt/LHQ3cfWYj0PZ7+3gmwNfbRsh3wMUU+Ia2yUBZhP0wfkTMR70lt7RIFCE2Gp/CL7mmatHTkd5yqEcRtkbjvCJcpqsD3ri7WBIg2dGEphsf2gqSUEgTDyfBNnBpGWAIwlHrfpJBu</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- Endpoints: SOAP-bound services use a ".ssaml2" path, HTTP-bound ones ".saml2" -->
    <md:ArtifactResolutionService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sso.services.box.net/sp/ARS.ssaml2" index="0" />
    <md:SingleLogoutService Location="https://sso.services.box.net/sp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" />
    <md:SingleLogoutService Location="https://sso.services.box.net/sp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" />
    <md:SingleLogoutService Location="https://sso.services.box.net/sp/SLO.saml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" />
    <md:SingleLogoutService Location="https://sso.services.box.net/sp/SLO.ssaml2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" />
    <!-- Assertion consumer endpoints; index="0" (HTTP-POST, isDefault="true") is what
         the IdP uses when the AuthnRequest names no ACS. -->
    <md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sso.services.box.net/sp/ACS.saml2" index="0" />
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sso.services.box.net/sp/ACS.saml2" index="1" />
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sso.services.box.net/sp/ACS.saml2" index="2" />
  </md:SPSSODescriptor>
  <!-- Operational contact the IdP operator can reach about this SP -->
  <md:ContactPerson contactType="administrative">
    <md:Company>Box.net</md:Company>
    <md:GivenName>Box</md:GivenName>
    <md:SurName>Support</md:SurName>
    <md:EmailAddress>business-support@box.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>


Src: https://app.box.com/shared/3isa8qvvqn
