We're running an AdminUI and when we import the metadata file for an
Entity, the AdminUI automatically identifies the Entities as "WSFED
Resource Partner" and "WSFED Identity provider", and not as "SAML2 IdP"
as we would like.
Why do we see them that way in the AdminUI?
AdminUI 12.8SP3 on Redhat 7;
Policy Server 12.8SP3 on Redhat 7;
At first glance, the Partnership types "SAML2 IdP" and "WS-FED" are
different, even if they share some common parameters.
According to OASIS, the RoleDescriptor element identifies the protocol in
use through its protocolSupportEnumeration attribute:
SAML V2.0 Metadata Guide
2.13 Roles
Below the <EntityDescriptor>, the main information unit is the
"role". An <EntityDescriptor> contains one or more <RoleDescriptors>,
which is a super-type for roles such as <IDPSSODescriptor> and
<AttributeAuthorityDescriptor> in the case of metadata about IdPs and
<SPSSODescriptor> in the case of metadata about SPs. One important
piece of information common to all role elements is the
protocolSupportEnumeration attribute, which MUST be present. This
attribute contains a space-delimited collection of URIs that represent
general classes of protocol support for the role in question. There
are URIs defined by the various standards and profiles to represent
the fact that an entity acting in a role "supports" a particular
protocol family, such as SAML 2.0.
https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf
The export.xml file reports protocolSupportEnumeration attributes that all
relate to WS-FED:
<RoleDescriptor xsi:type="fed:ApplicationServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512
                                http://schemas.xmlsoap.org/ws/2005/02/trust
                                http://docs.oasis-open.org/wsfed/federation/200706"
    ServiceDisplayName="myadfs.mydomain.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
    protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512
                                http://schemas.xmlsoap.org/ws/2005/02/trust
                                http://docs.oasis-open.org/wsfed/federation/200706"
    ServiceDisplayName="myadfs.mydomain.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
Note that WS-FED is handled differently in SiteMinder, and includes
functionality that isn't present in the SAML2 partnership:
Issues exporting metadata
On the other hand, WS-FED uses SAML 2.0 assertions but adds more
functionality. SAML 2.0 metadata mentions "X509IssuerSerial" as one
form of indirect key reference, but it is not mandatory:
Indirect Key References
The indirect approach involves describing a public key for use as
input to a separately-controlled trust evaluation process. This is
common to commercial SAML implementations, and may include a wide
range of approaches to representing a key, including key "names"
using <ds:KeyName> or <ds:X509Subject> elements, certificate
references using the <ds:X509IssuerSerial> element, or an actual
certificate that is subjected to additional validation using other
rules defined outside of metadata.
https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf
As such, the SiteMinder WS-FED partnership offers the functionality to
remove that element by checking the
"Ignore Issuer details when exporting metadata" checkbox,
whereas this functionality doesn't exist for other Partnership types.
https://knowledge.broadcom.com/external/article?articleId=198399
The SAML Token Type is SAML2, which corresponds to:
<fed:TokenTypesOffered>
    <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
</fed:TokenTypesOffered>
which is a WS-FED element:
Web Services Federation Language (WS-Federation) Version 1.2
3.1.8 TokenTypesOffered Element
https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174951
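As an added example (not SiteMinder or AdminUI code), the following Python script applies the rule quoted from the OASIS overview above: it classifies each role in a metadata file by its protocolSupportEnumeration attribute and, for WS-FED roles, by the xsi:type (SecurityTokenServiceType is the identity-provider side and ApplicationServiceType the resource partner, per WS-Federation 1.2 section 3.1). It also lists the TokenTypesOffered URIs and reports whether each KeyDescriptor carries a full X509Certificate or only an indirect X509IssuerSerial reference, which is what the "Ignore Issuer details" option affects. The sample metadata, the host name myadfs.example.test and the certificate placeholder are constructed; the classification labels are the ones used in this article.

```python
"""Classify SAML 2.0 / WS-Federation metadata roles by protocolSupportEnumeration,
list offered token types and report the key-reference style of each KeyDescriptor.
Added example, not AdminUI/SiteMinder code. Sample metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
WSFED_PROTOCOL = "http://docs.oasis-open.org/wsfed/federation/200706"
WSTRUST_PROTOCOLS = {
    "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "http://schemas.xmlsoap.org/ws/2005/02/trust",
}
KEY_REF_ELEMENTS = ("X509Certificate", "X509IssuerSerial", "X509SubjectName", "KeyName")

# Constructed sample: one SAML2 IdP role and one WS-FED STS role in the same entity.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://myadfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706"
      ServiceDisplayName="myadfs.example.test">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509IssuerSerial>
        <ds:X509IssuerName>CN=ADFS Signing (constructed)</ds:X509IssuerName>
        <ds:X509SerialNumber>1</ds:X509SerialNumber>
      </ds:X509IssuerSerial></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _roles(root):
    """Role elements are the EntityDescriptor children carrying protocolSupportEnumeration."""
    return [r for r in root if "protocolSupportEnumeration" in r.attrib]


def classify_role(role):
    """Map one role element to a partnership type from its protocol URIs and xsi:type."""
    protocols = set(role.get("protocolSupportEnumeration", "").split())
    xsi_type = role.get("{%s}type" % NS["xsi"], "")
    if WSFED_PROTOCOL in protocols or protocols & WSTRUST_PROTOCOLS:
        if xsi_type.endswith("SecurityTokenServiceType"):
            return "WSFED Identity Provider"   # STS = the issuing side in WS-Federation
        if xsi_type.endswith("ApplicationServiceType"):
            return "WSFED Resource Partner"    # application service = relying party
        return "WSFED (unrecognised role type)"
    if SAML2_PROTOCOL in protocols:
        name = _local(role.tag)
        return {"IDPSSODescriptor": "SAML2 IdP", "SPSSODescriptor": "SAML2 SP"}.get(
            name, "SAML2 (other role)")
    return "unrecognised protocol"


def classify_roles(xml_text):
    """Return [(role element name, partnership type), ...] in document order."""
    # For metadata from an untrusted partner, parse with defusedxml instead of ET.
    root = ET.fromstring(xml_text)
    return [(_local(r.tag), classify_role(r)) for r in _roles(root)]


def token_types_offered(xml_text):
    """Return the fed:TokenType URIs advertised anywhere in the entity."""
    root = ET.fromstring(xml_text)
    return [t.get("Uri") for t in root.iterfind(".//fed:TokenTypesOffered/fed:TokenType", NS)]


def key_reference_kinds(xml_text):
    """Return [(role element name, use, [key reference element names]), ...] per KeyDescriptor."""
    root = ET.fromstring(xml_text)
    report = []
    for role in _roles(root):
        for kd in role.iterfind("md:KeyDescriptor", NS):
            kinds = sorted({_local(e.tag) for e in kd.iter() if _local(e.tag) in KEY_REF_ELEMENTS})
            report.append((_local(role.tag), kd.get("use"), kinds))
    return report


if __name__ == "__main__":
    for name, kind in classify_roles(SAMPLE_METADATA):
        print("%-18s -> %s" % (name, kind))
    print("token types offered:", token_types_offered(SAMPLE_METADATA))
    for name, use, kinds in key_reference_kinds(SAMPLE_METADATA):
        print("%-18s %-8s key reference: %s" % (name, use, ", ".join(kinds)))
```

Run against a real export.xml (read the file and pass its text to the three functions) to see why the AdminUI picks the WS-FED partnership types: only roles whose protocolSupportEnumeration lists the SAML 2.0 protocol URI come out as "SAML2 IdP". A KeyDescriptor that reports only X509IssuerSerial is the case the "Ignore Issuer details when exporting metadata" option removes, and is worth flagging because the consuming side then needs its own trust store to resolve the key.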