Comment: fix wrong namespace

...

Code Block (xml): Example of a metadata file with SAML
<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui" ID="CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#CORTO6d017189c6bcd01c19935006ce6b32e89e29b4a3"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>L8ANkHPH4msXsIUFptAMeNTuMzQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>kSE6aUY74Y1P/B6ZDY4s6F3AEpCv0t/z9fyyhUmPZctfshkiyK53vz8lKfmgiUlOk2c4+dXVPlVQqzeVgW2lDKycdWhkjSQnybBNPrBYlvlEPMJHO4p83IEOMGXh7yS6a8OjNc9qLTikVQnxwfV3xAZGxZ0AZVSJM9WhkqRMJGAK7xMcttM77cIy06ZRpNDb5e36Fb6dLHHAJ3JICd9CEHqdP3WKB2rO2wDGxrkIx/6ynnM1YCFbWvpGU+dGT6/r7YTU9q89UdU2cYMTP1t4KSl/BOMJflnwlAEmFxcxn4FGKny9cRpzhu0nvmtk02cK8T/pYboWWEqG6ooTIEM3Yw==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://engine.surfconext.nl/authentication/sp/consume-assertion/7f301d787aa6ea235a8b86434d39aa41" index="1"/></md:SPSSODescriptor></md:EntityDescriptor>
<md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:Extensions><mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:DisplayName xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:DisplayName><mdui:Description xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Description xml:lang="nl">SURFnet BV - This IdP is for testing only</mdui:Description><mdui:Logo height="60" width="120">https://wayf.surf.nl/federate/surfnet/img/logo/surfnet.png</mdui:Logo><mdui:Keywords xml:lang="en">SURFNET</mdui:Keywords><mdui:Keywords xml:lang="nl">SURFNET</mdui:Keywords></md:Extensions><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate></ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/></md:IDPSSODescriptor></md:EntityDescriptor>

Line 3 contains the Service Provider metadata of 'https://test.test.nl', line 4 the metadata for a connected Identity Provider in SURFconext (SURFnet Test IdP). For simplicity the remainder of the XML metadata is omitted.

...

Just expand the list with more IdPs from the SURFconext metadata, and you have created your own WAYF selection page.


OpenID Connect

When you use OpenID Connect, you can create a custom WAYF using the "login_hint" query parameter when calling the authorize endpoint. Add the IdP entityID as the value of this parameter. The entityIDs of the connected institutions can be found in the published SAML IdP metadata. For test, this metadata can be found at https://metadata.test.surfconext.nl/idps-metadata.xml; for production at https://metadata.surfconext.nl/idps-metadata.xml (see also the remark above under 2.a.).
Once you have extracted the IdP entityID, you can use it like this (here we do the authorize request for the IdP with entityID http://mock-idp):

Code Block
https://connect.test.surfconext.nl/oidc/authorize?login_hint=http%3A%2F%2Fmock-idp&scope=openid&response_type=code&redirect_uri=https%3A%2F%2Foidc-playground.test.surfconext.nl%2Fredirect&state=example&nonce=example&client_id=playground_client&response_mode=query


The oidc-playground can be used to test the login_hint parameter.
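The two steps above (pick the IdP entityIDs and display names out of the SAML IdP metadata, then put the chosen entityID into the authorize request as login_hint) as an added example in Python. This is not SURFconext code: SAMPLE_METADATA is constructed from the fragment on this page with the signature and certificates left out, the second IdP (http://mock-idp) and its SSO endpoint are invented, and the authorize parameters are the ones from the URL above. The parser does not verify the XML-DSig signature on the metadata, which a production deployment must do before trusting any entityID or endpoint it contains; it does check validUntil, so the expired 2012 entry is kept off the selection page.

```python
"""Build a custom WAYF (IdP chooser) from SAML IdP metadata and turn the chosen
entityID into an OpenID Connect authorize URL via login_hint.

Added example, not SURFconext code. SAMPLE_METADATA is constructed from the
page's fragment (signature/certificates omitted; http://mock-idp is invented).
No XML-DSig verification is done here; do that before trusting real metadata."""
from datetime import datetime, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:2.0:metadata:ui",  # the corrected mdui namespace
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ElementTree's name for xml:lang

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:mdui="urn:oasis:names:tc:SAML:2.0:metadata:ui">
  <md:EntityDescriptor validUntil="2012-05-31T22:00:00Z" entityID="https://test.test.nl">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor validUntil="2012-06-01T10:36:28Z" entityID="http://www.surf.nl/test">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:DisplayName xml:lang="en">SURFnet BV - This IdP is for testing only</mdui:DisplayName>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://engine.surfconext.nl/authentication/idp/single-sign-on/dedd75c2157a751113666d7888b2f2cd"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor validUntil="2099-01-01T00:00:00Z" entityID="http://mock-idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:DisplayName xml:lang="en">Mock IdP (constructed entry)</mdui:DisplayName>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://mock-idp.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_xs_datetime(value):
    """validUntil is an xs:dateTime; SAML metadata uses UTC with a 'Z' suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_idps(xml_text, now=None):
    """One dict per IdP: entityID, English display name, SSO URL and whether its
    validUntil has passed at `now` (an xs:dateTime string, or None for the clock)."""
    now_dt = parse_xs_datetime(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idps = []
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP entries (like https://test.test.nl above) are not WAYF choices
        entity_id = ed.get("entityID")
        display = entity_id  # fall back to the entityID when no mdui name is given
        for dn in idp.iter(f"{{{NS['mdui']}}}DisplayName"):
            if dn.get(XML_LANG) == "en":
                display = dn.text
                break
        sso = idp.find("md:SingleSignOnService", NS)
        valid_until = ed.get("validUntil")
        idps.append({
            "entity_id": entity_id,
            "display_name": display,
            "sso_url": sso.get("Location") if sso is not None else None,
            "expired": valid_until is not None and parse_xs_datetime(valid_until) < now_dt,
        })
    return idps


def wayf_choices(idps):
    """Only IdPs whose metadata is still valid belong on the selection page."""
    return [i for i in idps if not i["expired"]]


def authorize_url(entity_id, state="example", nonce="example",
                  base="https://connect.test.surfconext.nl/oidc/authorize",
                  client_id="playground_client",
                  redirect_uri="https://oidc-playground.test.surfconext.nl/redirect"):
    """Authorize request with login_hint=<IdP entityID>; urlencode() escapes ':'
    and '/'. The 'example' state/nonce mirror the page's URL; a real client
    generates fresh unpredictable values per request and checks them on return."""
    params = {
        "login_hint": entity_id, "scope": "openid", "response_type": "code",
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "client_id": client_id, "response_mode": "query",
    }
    return base + "?" + urlencode(params)


if __name__ == "__main__":
    for idp in wayf_choices(load_idps(SAMPLE_METADATA)):
        print(idp["display_name"], "->", authorize_url(idp["entity_id"]))
```

Run against the real idps-metadata.xml (after verifying its signature), `wayf_choices()` gives you the list to render as your own WAYF page, and `authorize_url()` the link each entry should point at.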

Your service specific metadata

We can create a metadata link for you that will give an up-to-date overview of the IdPs connected to your service. Let's take https://the.entityid.of.yourservice.com as the example entityID for which you want to generate this metadata. You can access the generated metadata as follows:

  • https://metadata.surfconext.nl/sp/https%253A%252F%252Fthe.entityid.of.yourservice.com

Notice the double URL-encoding of the entityID (':' becomes %253A and '/' becomes %252F). You can create this using the shell command:

  • echo "$EntityID" | sed -e 's#:#%253A#g' | sed -e 's#/#%252F#g'

Prepend "https://metadata.surfconext.nl/sp/https" to the result. For our test environment use "https://metadata.test.surfconext.nl/sp/https".
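The same construction as an added Python example (not SURFconext code), with the inverse mapping so you can read back which SP a metadata request was for. The base paths are the page's production and test prefixes with the doubly-encoded entityID appended, which reproduces the example URL above; the entityIDs other than the page's example are constructed and only serve to show where the sed one-liner, which touches only ':' and '/', stops matching a full double percent-encoding.

```python
"""Construct and check the per-service metadata URL.

Added example, not SURFconext code. The SP entityID is percent-encoded twice so
the path carries %253A / %252F as in the page's example URL. Base prefixes are
the page's; entityIDs other than the page's example are constructed."""
from urllib.parse import quote, unquote, urlsplit

BASES = {
    "production": "https://metadata.surfconext.nl/sp/",
    "test": "https://metadata.test.surfconext.nl/sp/",
}


def double_encode(entity_id):
    # safe="" forces ':' and '/' to be encoded; unreserved '.', '-', '_', '~' stay literal
    return quote(quote(entity_id, safe=""), safe="")


def sed_style_encode(entity_id):
    """What the page's sed one-liner does: only ':' and '/' are rewritten."""
    return entity_id.replace(":", "%253A").replace("/", "%252F")


def sp_metadata_url(entity_id, environment="production"):
    return BASES[environment] + double_encode(entity_id)


def entity_id_from_url(url):
    """Inverse mapping, e.g. to tell from an access-log line which SP was asked for."""
    path = urlsplit(url).path  # urlsplit leaves the path undecoded
    if not path.startswith("/sp/"):
        raise ValueError("not an SP metadata URL: " + url)
    return unquote(unquote(path[len("/sp/"):]))


def sed_is_sufficient(entity_id):
    """True when the one-liner and full double-encoding agree for this entityID;
    an entityID with '?', '=' or '&' in it (constructed cases) makes them diverge."""
    return sed_style_encode(entity_id) == double_encode(entity_id)


if __name__ == "__main__":
    for eid in ("https://the.entityid.of.yourservice.com",
                "https://sp.example.org/saml?env=prod"):
        verdict = "sed one-liner ok" if sed_is_sufficient(eid) else "use full encoding"
        print(sp_metadata_url(eid), "-", verdict)
```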

If you want to make use of this, send us a mail with your motivation to support@surfconext.nl. The documentation on this will be added here soon; in the meantime, send a mail to support@surfconext.nl so we can help you get going.