Fail to import metadata into wamui


Article ID: 200960



CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



We're running an AdminUI and when we import a Metadata file for an
Entity, the AdminUI automatically identifies the Entities as "WSFED
Resource Partner" and "WSFED Identity provider", and not as "SAML2 IdP"
as we would like.

Why do we see it that way in the AdminUI?




AdminUI 12.8SP3 on Redhat 7;

Policy Server 12.8SP3 on Redhat 7;




At first glance, the two Partnership types "SAML2 IdP" and "WS-FED" are
different, even though they share some common parameters.

According to OASIS, the RoleDescriptor element identifies the protocol in
use through its protocolSupportEnumeration attribute:

SAML V2.0 Metadata Guide

  2.13 Roles

    Below the <EntityDescriptor>, the main information unit is the
    "role". An <EntityDescriptor> contains one or more <RoleDescriptors>,
    which is a super-type for roles such as <IDPSSODescriptor> and
    <AttributeAuthorityDescriptor> in the case of metadata about IdPs and
    <SPSSODescriptor> in the case of metadata about SPs.  One important
    piece of information common to all role elements is the
    protocolSupportEnumeration attribute, which MUST be present. This
    attribute contains a space-delimited collection of URIs that represent
    general classes of protocol support for the role in question. There
    are URIs defined by the various standards and profiles to represent
    the fact that an entity acting in a role "supports" a particular
    protocol family, such as SAML 2.0.

In the export.xml file, the RoleDescriptor elements (and their
protocolSupportEnumeration attributes) are all WS-FED types:

  <RoleDescriptor xsi:type="fed:ApplicationServiceType"

  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"

Note that WS-FED is handled differently in SiteMinder: the WS-FED
partnership includes functionality which isn't present in the SAML2
partnership:

  Issues exporting metadata

    On the other hand, WS-FED uses SAML 2.0 but brings more
    functionality. And SAML 2.0 mentions the usage of "X509IssuerSerial"
    but it is not mandatory, as an Indirect Key Reference:

      Indirect Key References

        The indirect approach involves describing a public key for use as
        input to a separately controlled trust evaluation process. This is
        common to commercial SAML implementations, and may include a wide
        range of approaches to representing a key, including key "names"
        using <ds:KeyName> or <ds:X509Subject> elements, certificate
        references using the <ds:X509IssuerSerial> element, or an actual
        certificate that is subjected to additional validation using other
        rules defined outside of metadata.

    As such, the SiteMinder WS-FED partnership offers the functionality to
    remove that tag by checking this box:

       "Ignore Issuer details when exporting metadata" checkbox

    whereas this functionality doesn't exist for other Partnership types.

The SAML Token Type shown is SAML2, and this comes from the TokenType
elements in the metadata:

      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>

which are WS-FED elements, defined in:

  Web Services Federation Language (WS-Federation) Version 1.2

    3.1.8 TokenTypesOffered Element
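To check a metadata file before importing it, and see why the AdminUI will classify it as WS-FED rather than SAML2, the following Python script (an added example, not CA's code and not part of this article) walks the role elements and reports their protocolSupportEnumeration, xsi:type and fed:TokenType values. It assumes the standard SAML 2.0 metadata and WS-Federation 1.2 namespace URIs; the AdminUI label mapping is an assumption based on the behaviour described above, and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
WSFED_PROTOCOL = NS["fed"]  # WS-Federation 1.2 uses its namespace URI here

# Constructed sample with the shape of the export.xml discussed above:
# a WS-Fed STS role offering SAML 2.0 and SAML 1.0 tokens.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.example.test/wsfed">
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </md:RoleDescriptor>
</md:EntityDescriptor>"""

# Assumed AdminUI labels, keyed by SAML 2.0 role element name or by the
# local part of the WS-Fed xsi:type value.
ROLE_LABELS = {
    "IDPSSODescriptor": "SAML2 IdP",
    "SPSSODescriptor": "SAML2 SP",
    "SecurityTokenServiceType": "WSFED Identity Provider",
    "ApplicationServiceType": "WSFED Resource Partner",
}

def classify_roles(xml_text):
    """Return (label, protocol family, token type URIs) for every role element."""
    root = ET.fromstring(xml_text)
    results = []
    for role in root:
        local = role.tag.split("}")[-1]
        if local not in ("RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor"):
            continue  # Organization, ContactPerson, etc. carry no role information
        protocols = role.get("protocolSupportEnumeration", "").split()
        family = ("WS-FED" if WSFED_PROTOCOL in protocols
                  else "SAML2" if SAML2_PROTOCOL in protocols else "unknown")
        # xsi:type is a QName; the prefix is document-specific, so keep only the local part
        type_name = role.get("{%s}type" % NS["xsi"], "").split(":")[-1]
        label = ROLE_LABELS.get(type_name if local == "RoleDescriptor" else local, "unknown")
        tokens = [t.get("Uri") for t in role.findall("fed:TokenTypesOffered/fed:TokenType", NS)]
        results.append((label, family, tokens))
    return results

if __name__ == "__main__":
    for label, family, tokens in classify_roles(SAMPLE):
        print(f"{label} ({family}); token types: {', '.join(tokens) or 'none'}")
```

A metadata file whose roles all come back as WSFED will be imported as a WS-FED partnership; to get a SAML2 IdP partnership the partner must supply metadata with an IDPSSODescriptor and the SAML 2.0 protocol URI.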