
App Control: SAML IDP XML Requirements

Environment

  • App Control Server: All Supported Versions
  • Windows OS: All Supported Server Versions

Question

  • What pieces of information need to be in the imported XML to add an IDP to App Control?

Answer

The XML must contain:
  • the <EntityDescriptor> element carrying the IDP's entityID
  • the signing <KeyDescriptor> element (use="signing"), which holds the signing certificate information
  • the encryption <KeyDescriptor> element (use="encryption"), which holds the encryption certificate information
  • the <EncryptionMethod> element, which should correspond to the certificates used
  • a mix of the following elements (which ones are present varies with the IDP configuration):
    • <SingleLogoutService>
    • <ManageNameIDService>
    • <NameIDFormat>
    • <SingleSignOnService>
    • <ArtifactResolutionService>

Additional Notes

  • Certificate information must be a base64-encoded block (the content of each <ds:X509Certificate> element)
  • Example XML file supplied by engineering (the "... here" values are placeholders to be replaced with the IDP's own values):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://your_idp.fqdn.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        Signing cert data here
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        Encryption cert data here
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#encryption-algorithm-here">
                <xenc:KeySize xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">key size here</xenc:KeySize>
            </EncryptionMethod>
        </KeyDescriptor>
        <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/ArtifactResolver/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/IDPSloRedirect/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPSloRedirect/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/IDPSloPost/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPSloPost/metaAlias/publicidp"/>
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/IDPSloSoap/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/IDPMniRedirect/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPMniRedirect/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/IDPMniPOST/metaAlias/publicidp" ResponseLocation="https://your_idp.fqdn.com:443/sso/IDPMniPOST/metaAlias/publicidp"/>
        <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/IDPMniSoap/metaAlias/publicidp"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your_idp.fqdn.com:443/sso/SSORedirect/metaAlias/publicidp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://your_idp.fqdn.com:443/sso/SSOPOST/metaAlias/publicidp"/>
        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/SSOSoap/metaAlias/publicidp"/>
        <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://your_idp.fqdn.com:443/sso/NIMSoap/metaAlias/publicidp"/>
    </IDPSSODescriptor>
</EntityDescriptor>
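The following pre-import checker is added here as an example; it is not part of the original article or of App Control. It parses an IDP metadata file with Python's standard library and reports which of the pieces listed in the Answer are missing, including a <ds:X509Certificate> whose content is not a valid base64 block. Element and namespace names follow the SAML 2.0 metadata and XML-DSig schemas; treating a <KeyDescriptor> without a use attribute as valid for both uses is the SAML spec's rule, not an App Control requirement.

```python
import base64
import binascii
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENDPOINTS = ("SingleSignOnService", "SingleLogoutService", "ManageNameIDService",
             "NameIDFormat", "ArtifactResolutionService")  # at least one is expected

def _cert_is_base64(key_descriptor):
    """True if the KeyDescriptor holds a non-empty X509Certificate that is strict base64."""
    cert = key_descriptor.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        return False
    try:  # drop line breaks and indentation first; certificate blocks are usually wrapped
        return len(base64.b64decode("".join(cert.text.split()), validate=True)) > 0
    except (binascii.Error, ValueError):
        return False

def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the required pieces are present."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not a SAML 2.0 metadata EntityDescriptor"]
    problems = [] if root.get("entityID") else ["EntityDescriptor has no entityID attribute"]
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return problems + ["no IDPSSODescriptor element"]
    keys = {}
    for kd in sorted(idp.findall(f"{{{MD}}}KeyDescriptor"), key=lambda k: k.get("use") is None):
        # No use attribute means the key serves both uses, but an explicit use takes precedence
        for use in (kd.get("use"),) if kd.get("use") else ("signing", "encryption"):
            keys.setdefault(use, kd)
    for use in ("signing", "encryption"):
        if use not in keys:
            problems.append(f'missing KeyDescriptor use="{use}"')
        elif not _cert_is_base64(keys[use]):
            problems.append(f"{use} X509Certificate is empty or not a base64 block")
    if "encryption" in keys and keys["encryption"].find(f"{{{MD}}}EncryptionMethod") is None:
        problems.append("encryption KeyDescriptor has no EncryptionMethod")
    if all(idp.find(f"{{{MD}}}{name}") is None for name in ENDPOINTS):
        problems.append("no SSO/SLO/NameID service elements found")
    return problems

if __name__ == "__main__":  # usage: python check_idp_metadata.py idp_metadata.xml
    print("\n".join(check_idp_metadata(open(sys.argv[1], encoding="utf-8").read())) or "OK")
```

Run against the engineering template above, the checker flags the "cert data here" placeholders as not base64, which is the intended signal that real certificate blocks still need to be pasted in; for metadata obtained from an untrusted source, parse with defusedxml rather than xml.etree.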

Creation Date: 01-29-2019