We run an ADFS server and we tried to import metadata generated with
the AdminUI, and the ADFS service cannot import:
element. We'd like to know if there's a possibility to not export this
Policy Server 12.8
One option is to customize the exported metadata file by removing the following element with a script:
<ns1:X509IssuerName>CN=DigiCert Global CA G2,O=DigiCert Inc,C=US</ns1:X509IssuerName>
In bash that would be:
# egrep -v 'X509IssuerSerial|X509IssuerName|X509SerialNumber' ADFS-TEST-CUS-IDP-LOCALMetadata.xml > export.xml
export.xml will then contain everything except the elements matched above. Check whether
removing them affects the signature of the exported metadata.
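The egrep approach only works when each of those elements sits on its own line, and it cannot tell you whether the file carries a ds:Signature that the removal would invalidate. The following added example (not part of this article or of the SiteMinder product) removes the ds:X509IssuerSerial element and its children with an XML-aware parser and reports whether the metadata is signed, so the signature check mentioned above is explicit. The metadata, entityID, issuer DN and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs used in SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ISSUER_SERIAL = "{%s}X509IssuerSerial" % NS["ds"]
SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed sample metadata (hypothetical entityID, issuer DN and certificate).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/ws-fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Example CA,O=Example,C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>123456</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
          <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with a placeholder enveloped signature, to exercise the check.
SIGNED_SAMPLE = SAMPLE_METADATA.replace(
    "<md:IDPSSODescriptor",
    "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>\n"
    "  <md:IDPSSODescriptor",
    1,
)


def strip_issuer_serial(metadata_xml: str):
    """Remove every ds:X509IssuerSerial element (with its X509IssuerName and
    X509SerialNumber children) from the metadata.

    Returns (new_xml, removed_count, was_signed). When was_signed is True the
    caller should expect the original signature to no longer verify, because
    the signed content has changed; the file must be re-signed or distributed
    unsigned over a trusted channel.
    """
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep md:/ds: prefixes on output
    root = ET.fromstring(metadata_xml)
    was_signed = root.find(".//" + SIGNATURE) is not None

    # ElementTree has no parent pointers, so collect (parent, child) pairs
    # first and only then mutate the tree.
    targets = [(parent, child)
               for parent in root.iter()
               for child in list(parent)
               if child.tag == ISSUER_SERIAL]
    for parent, child in targets:
        parent.remove(child)

    return ET.tostring(root, encoding="unicode"), len(targets), was_signed


if __name__ == "__main__":
    for label, doc in (("unsigned", SAMPLE_METADATA), ("signed", SIGNED_SAMPLE)):
        out, removed, signed = strip_issuer_serial(doc)
        print(f"{label}: removed {removed} X509IssuerSerial element(s); "
              f"signature present: {signed}")
        if signed:
            print("  warning: the existing signature will not verify after this edit")
```

Run it on a real export by reading the file into a string, passing it to strip_issuer_serial and writing the returned XML out; the X509Certificate element is left in place so ADFS still receives the key itself, only the issuer/serial reference is dropped.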
Note also that WS-FED builds on SAML 2.0 but adds functionality, and SAML 2.0
mentions the use of "X509IssuerSerial" without making it mandatory; it is one
form of indirect key reference:
Indirect Key References
The indirect approach involves describing a public key for use as
input to a separately controlled trust evaluation process. This is
common to commercial SAML implementations, and may include a wide
range of approaches to representing a key, including key "names"
using <ds:KeyName> or <ds:X509Subject> elements, certificate
references using the <ds:X509IssuerSerial> element, or an actual
certificate that is subjected to additional validation using other
rules defined outside of metadata.
Accordingly, a SiteMinder WS-FED partnership offers the functionality to
omit that element by checking the
"Ignore Issuer details when exporting metadata" checkbox;
this option does not exist for other partnership types.