App Control: SAML IDP XML Requirements

Environment

  • App Control Server: All Supported Versions

Question

What information needs to be included in the XML metadata provided by an Identity Provider (IdP) for use by App Control?

Answer

The XML must contain:
  • the <EntityDescriptor> element, carrying the entityID of the IdP.
  • the signing <KeyDescriptor> element, which contains the signing certificate information.
  • the encryption <KeyDescriptor> element, which contains the encryption certificate information.
  • the <EncryptionMethod> element, which should correspond with the certificates used.
  • a mix of the following elements (which ones are present varies with the IdP configuration):
    • <SingleLogoutService>
    • <ManageNameIDService>
    • <NameIDFormat>
    • <SingleSignOnService>
    • <ArtifactResolutionService>

Additional Notes

  • Certificate information should be a base64-encoded block.
  • Example XML File from an Identity Provider:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://your_idp.fqdn.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        Signing cert data here
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        Encryption cert data here
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">128</xenc:KeySize>
            </EncryptionMethod>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/ArtifactResolver/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/IDPSloRedirect/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPSloRedirect/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/IDPSloPost/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPSloPost/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/IDPSloSoap/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/IDPMniRedirect/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPMniRedirect/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/IDPMniPOST/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPMniPOST/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/IDPMniSoap/metaAlias/publicidp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/SSORedirect/metaAlias/publicidp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/SSOPOST/metaAlias/publicidp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/SSOSoap/metaAlias/publicidp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/NIMSoap/metaAlias/publicidp"/>
    </IDPSSODescriptor>
</EntityDescriptor>
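The following is an added example, not part of the original article or of the App Control product: a small Python check that reads IdP metadata XML and reports which of the elements listed in the Answer are missing, and whether each <X509Certificate> is actually a base64-encoded DER block rather than placeholder text. The two metadata documents embedded in it are constructed for the example (the entityID, endpoints and certificate bytes are invented stand-ins, not a real IdP's values); the DER check only verifies that the decoded bytes start with an ASN.1 SEQUENCE tag, which is what a real certificate starts with.

```python
"""Check SAML IdP metadata for the elements App Control expects (added example)."""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Endpoint elements the article lists as "a mix of"; at least one should be present.
ENDPOINT_TAGS = (
    "SingleLogoutService",
    "ManageNameIDService",
    "NameIDFormat",
    "SingleSignOnService",
    "ArtifactResolutionService",
)


def is_base64_der_block(text):
    """True if text (ignoring line breaks/indentation) is base64 for a DER SEQUENCE."""
    compact = "".join(text.split()) if text else ""
    if not compact:
        return False
    try:
        der = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    # A DER-encoded X.509 certificate begins with a SEQUENCE tag (0x30).
    return len(der) > 0 and der[0] == 0x30


def cert_text(key_descriptor):
    """Return the text of ds:X509Certificate under a KeyDescriptor, or None."""
    el = key_descriptor.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return el.text if el is not None else None


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata passes all checks."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor"]

    found = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        # Per the SAML metadata spec a KeyDescriptor without "use" serves both purposes.
        for u in (("signing", "encryption") if use is None else (use,)):
            found.setdefault(u, kd)
    for use in ("signing", "encryption"):
        kd = found.get(use)
        if kd is None:
            problems.append(f'missing KeyDescriptor use="{use}"')
        elif not is_base64_der_block(cert_text(kd)):
            problems.append(f"{use} X509Certificate is not a base64 DER block")
    enc = found.get("encryption")
    if enc is not None and enc.find("md:EncryptionMethod", NS) is None:
        problems.append("encryption KeyDescriptor has no EncryptionMethod")

    if not any(idp.find(f"md:{t}", NS) is not None for t in ENDPOINT_TAGS):
        problems.append("no SSO/SLO/NameID endpoint elements present")
    return problems


# Constructed stand-in for a certificate: a tiny DER SEQUENCE, not a real X.509 cert.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x05\x02\x03\x01\x02\x03").decode()

# Constructed metadata that satisfies every check (values are invented).
GOOD_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor entityID="https://idp.example.test" xmlns="{MD}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>
          {SAMPLE_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed metadata with the placeholder text left in and the encryption key omitted.
BAD_METADATA = f"""<EntityDescriptor xmlns="{MD}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}">
        <ds:X509Data><ds:X509Certificate>Signing cert data here</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print("good:", check_idp_metadata(GOOD_METADATA) or "OK")
    print("bad: ", check_idp_metadata(BAD_METADATA))
```

Running the module prints an empty problem list for the first document and four findings for the second (no entityID, a signing certificate that is not base64, no encryption KeyDescriptor, and no endpoint elements). Pointing check_idp_metadata at the metadata file an IdP actually exported is a quick way to confirm the certificate blocks were pasted in before uploading it to App Control.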

Article Information
Creation Date: 01-29-2019