Fail to import metadata into wamui

Article ID: 200960

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running an AdminUI and when we import a Metadata file for an
Entity, the AdminUI automatically identifies the Entities as "WSFED
Resource Partner" and "WSFED Identity provider", and not as "SAML2 IdP"
as we would like.

Why do we see it that way in the AdminUI?

 

Environment

 

AdminUI 12.8SP3 on Redhat 7;

Policy Server 12.8SP3 on Redhat 7;

 

Resolution

 

The two Partnership types "SAML2 IdP" and "WS-FED" are different, even
though they share some common parameters.

According to OASIS, it is the protocolSupportEnumeration attribute of
each role element (RoleDescriptor or one of its derived types) that
identifies the protocol in use:

SAML V2.0 Metadata Guide

  2.13 Roles

    Below the <EntityDescriptor>, the main information unit is the
    "role". An <EntityDescriptor> contains one or more <RoleDescriptors>,
    which is a super-type for roles such as <IDPSSODescriptor> and
    <AttributeAuthorityDescriptor> in the case of metadata about IdPs and
    <SPSSODescriptor> in the case of metadata about SPs.  One important
    piece of information common to all role elements is the
    protocolSupportEnumeration attribute, which MUST be present. This
    attribute contains a space-delimited collection of URIs that represent
    general classes of protocol support for the role in question. There
    are URIs defined by the various standards and profiles to represent
    the fact that an entity acting in a role "supports" a particular
    protocol family, such as SAML 2.0.

https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

In the imported export.xml file, every protocolSupportEnumeration value
is a WS-Trust or WS-Federation URI, and the xsi:type values
(fed:ApplicationServiceType and fed:SecurityTokenServiceType) are role
types defined by the WS-Federation schema, not by SAML 2.0 metadata.
There is no IDPSSODescriptor with urn:oasis:names:tc:SAML:2.0:protocol,
which is what the AdminUI would need to see to classify the entity as a
"SAML2 IdP":

  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
   protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512
   http://schemas.xmlsoap.org/ws/2005/02/trust
   http://docs.oasis-open.org/wsfed/federation/200706"
   ServiceDisplayName="myadfs.mydomain.com"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">

  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
   protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512
   http://schemas.xmlsoap.org/ws/2005/02/trust
   http://docs.oasis-open.org/wsfed/federation/200706"
   ServiceDisplayName="myadfs.mydomain.com"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">

Note that SiteMinder handles WS-FED partnerships differently, with
functionality that is not present in the SAML2 partnership:

  Issues exporting metadata

    On the other hand, WS-FED uses SAML 2.0 but brings more
    functionality. SAML 2.0 mentions the use of "X509IssuerSerial", but
    it is not mandatory, as it is an indirect key reference:

      Indirect Key References

        The indirect approach involves describing a public key for use as
        input to a separately controlled trust evaluation process. This is
        common to commercial SAML implementations, and may include a wide
        range of approaches to representing a key, including key "names"
        using <ds:KeyName> or <ds:X509Subject> elements, certificate
        references using the <ds:X509IssuerSerial> element, or an actual
        certificate that is subjected to additional validation using other
        rules defined outside of metadata.

      https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

    As such, the SiteMinder WS-FED partnership offers the functionality
    to omit that tag from the exported metadata by checking this box:

       "Ignore Issuer details when exporting metadata" checkbox

    This functionality does not exist for the other Partnership types.

  https://knowledge.broadcom.com/external/article?articleId=198399

The SAML Token Type shown as SAML2 does not make the entity a SAML2 IdP
either: it comes from the fed:TokenTypesOffered element, which lists the
token formats the WS-FED Security Token Service can issue:

    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>

That element is defined by WS-Federation, not by SAML 2.0 metadata:

  Web Services Federation Language (WS-Federation) Version 1.2

    3.1.8 TokenTypesOffered Element

  https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174951
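The two checks discussed above (protocolSupportEnumeration together with the RoleDescriptor xsi:type, and fed:TokenTypesOffered) can be run against a metadata file before importing it, to predict what the AdminUI will conclude. The script below is an added example, not SiteMinder or Broadcom code: the metadata it parses is constructed to mirror the ADFS-style fragments quoted above, the classification labels are assumed to match the AdminUI's wording, and it also reports whether each KeyDescriptor carries a direct certificate or an indirect reference such as X509IssuerSerial.

```python
"""Classify the roles declared in a SAML 2.0 / WS-Federation metadata file.

Added example (not SiteMinder/Broadcom code). It reads each role element's
protocolSupportEnumeration, the xsi:type of generic RoleDescriptor elements
and fed:TokenTypesOffered, and labels the roles the way the AdminUI is
assumed to. The sample metadata below is constructed for the example.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML11_PROTO = "urn:oasis:names:tc:SAML:1.1:protocol"
WSFED_PROTOCOLS = ("http://docs.oasis-open.org/ws-sx/ws-trust/200512 "
                   "http://schemas.xmlsoap.org/ws/2005/02/trust "
                   "http://docs.oasis-open.org/wsfed/federation/200706")

# Constructed sample mirroring an ADFS FederationMetadata.xml export.
WSFED_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:xsi="{XSI}" xmlns:fed="{FED}"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://myadfs.mydomain.com/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="{WSFED_PROTOCOLS}" ServiceDisplayName="myadfs.mydomain.com">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509IssuerSerial><ds:X509IssuerName>CN=ADFS Signing</ds:X509IssuerName>
        <ds:X509SerialNumber>1</ds:X509SerialNumber></ds:X509IssuerSerial>
      <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </RoleDescriptor>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="{WSFED_PROTOCOLS}" ServiceDisplayName="myadfs.mydomain.com">
    <fed:TokenTypesOffered>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/>
      <fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/>
    </fed:TokenTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>"""

# Constructed sample of what a SAML2 IdP's metadata declares instead.
SAML2_METADATA = f"""<EntityDescriptor xmlns="{MD}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO}">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB-constructed-placeholder</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def classify_role(role):
    """Label one role element; None if it is not a role we recognise."""
    protocols = role.get("protocolSupportEnumeration", "").split()
    name = _local(role.tag)
    if name == "IDPSSODescriptor":
        if SAML2_PROTO in protocols:
            return "SAML2 IdP"
        if SAML11_PROTO in protocols:
            return "SAML1.1 IdP"
    elif name == "SPSSODescriptor":
        if SAML2_PROTO in protocols:
            return "SAML2 SP"
        if SAML11_PROTO in protocols:
            return "SAML1.1 SP"
    elif name == "RoleDescriptor" and FED in protocols:
        # xsi:type is a QName; ElementTree drops in-scope prefix bindings, so
        # match on the type's local part, guarded by the WS-Fed protocol URI.
        xsi_type = role.get(f"{{{XSI}}}type", "").rsplit(":", 1)[-1]
        if xsi_type == "SecurityTokenServiceType":
            return "WSFED Identity Provider"
        if xsi_type == "ApplicationServiceType":
            return "WSFED Resource Partner"
    return None


def key_references(role):
    """For each KeyDescriptor, list how the key is identified (direct
    X509Certificate vs indirect X509IssuerSerial/KeyName references)."""
    wanted = ("X509Certificate", "X509IssuerSerial", "KeyName")
    return [(kd.get("use", "any"),
             sorted({_local(e.tag) for e in kd.iter() if _local(e.tag) in wanted}))
            for kd in role.findall(f"{{{MD}}}KeyDescriptor")]


def analyse(xml_text):
    """Return one dict per recognised role in an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor root element")
    report = []
    for role in root:  # ds:Signature, Organization etc. yield None and are skipped
        label = classify_role(role)
        if label is None:
            continue
        report.append({
            "entity": root.get("entityID"),
            "element": _local(role.tag),
            "label": label,
            "protocols": role.get("protocolSupportEnumeration", "").split(),
            "token_types": [t.get("Uri") for t in role.iter(f"{{{FED}}}TokenType")],
            "key_refs": key_references(role),
        })
    return report


if __name__ == "__main__":
    for sample in (WSFED_METADATA, SAML2_METADATA):
        for entry in analyse(sample):
            print(f"{entry['entity']}: {entry['element']} -> {entry['label']}; "
                  f"tokens={entry['token_types']} keys={entry['key_refs']}")
```

Run it against a real export.xml by reading the file into `analyse()`: an entity whose only roles come back as "WSFED Identity Provider" / "WSFED Resource Partner" will be imported as a WS-FED partnership, because no role advertises urn:oasis:names:tc:SAML:2.0:protocol in its protocolSupportEnumeration.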