Issues exporting metadata

Article ID: 198399

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We run an ADFS server and we tried to import metadata generated with
the AdminUI, but the ADFS service cannot import the

   "<ns1:X509IssuerSerial>"

element. We'd like to know if there's a possibility to not export this
tag.

Environment

Policy Server 12.8

Resolution

On one hand, you can post-process the exported metadata file with a
script that removes the tag. In the export ADFS-TEST-CUS-IDP-LOCALMetadata.xml
the section looks like this:

                    <ns1:X509IssuerSerial>
                        <ns1:X509IssuerName>CN=DigiCert Global CA G2,O=DigiCert Inc,C=US</ns1:X509IssuerName>
                        <ns1:X509SerialNumber>2606277510559012320643122472095982688</ns1:X509SerialNumber>
                    </ns1:X509IssuerSerial>

then, in bash, it would be:

  # grep -Ev 'X509IssuerSerial|X509IssuerName|X509SerialNumber' ADFS-TEST-CUS-IDP-LOCALMetadata.xml > export.xml

The resulting export.xml contains everything except the section above.
Note that the command drops whole lines, so it relies on each of the
three elements being on its own line, as in the export shown. Also check
whether the exported metadata is signed: removing elements from a signed
document changes the signed content, so the signature would no longer
verify.
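A namespace-aware alternative to the grep line, added here as an example (it is not part of this article or of the SiteMinder product): it removes every ds:X509IssuerSerial element wherever it sits in the metadata instead of matching on line text, and reports whether the document carries a ds:Signature that the edit would invalidate. The sample metadata, its entityID, issuer, serial and certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)   # keep the usual prefixes in the output
ET.register_namespace("ds", DS_NS)

# Constructed sample (not a real partnership export); issuer, serial and
# certificate are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.invalid/sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=Example CA,O=Example,C=US</ds:X509IssuerName>
            <ds:X509SerialNumber>1234567890</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
          <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with a placeholder ds:Signature, to exercise the warning path.
SIGNED_SAMPLE = SAMPLE_METADATA.replace(
    "<md:IDPSSODescriptor", "<ds:Signature/>\n  <md:IDPSSODescriptor", 1)


def strip_issuer_serial(xml_text):
    """Drop every ds:X509IssuerSerial element; return (xml, removed, signed).

    'signed' is True when a ds:Signature is present: editing signed metadata
    breaks that signature, so re-sign it or export unsigned metadata instead.
    """
    root = ET.fromstring(xml_text)
    signed = any(el.tag == f"{{{DS_NS}}}Signature" for el in root.iter())
    removed = 0
    # Elements carry no parent pointer, so walk every element and remove
    # matching children; snapshot both lists before mutating the tree.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == f"{{{DS_NS}}}X509IssuerSerial":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed, signed
```

Feed it the text of the exported file and write the first returned value to export.xml; treat a True third value as a stop sign rather than importing the edited file.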

On the other hand, WS-FED builds on SAML 2.0 but adds more
functionality. SAML 2.0 mentions the use of "X509IssuerSerial", but it
is not mandatory; it is one form of indirect key reference:

  Indirect Key References

    The indirect approach involves describing a public key for use as
    input to a separately-controlled trust evaluation process. This is
    common to commercial SAML implementations, and may include a wide
    range of approaches to representing a key, including key "names"
    using <ds:KeyName> or <ds:X509Subject> elements, certificate
    references using the <ds:X509IssuerSerial> element, or an actual
    certificate that is subjected to additional validation using other
    rules defined outside of metadata.

  https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

As such, a SiteMinder WS-FED partnership offers the functionality to
omit that tag by checking this box:

   "Ignore Issuer details when exporting metadata" checkbox

This option is not available for other Partnership types.