 
Creating and configuring the Service Provider metadata
For each REST Web application (Service Provider), a metadata file must be generated and sent to every Identity Provider that the user (Principal) wants to register with. A Service Provider metadata file contains the keys, services, and URLs that define the application's SAML endpoints.
Note: You can generate a Service Provider metadata file by using the SAML Spring security configuration filter <security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>. This is not supported by an OpenEdge REST Web application. Therefore, you must manually create a Service Provider metadata file.
To manually create and configure a Service Provider metadata file:
1. Extract the $DLC/servlets/rest/saml.jar file from the $DLC/servlets/rest/ directory, and then copy the contents to the WEB-INF folder of your REST Web application.
2. Create a new service provider metadata file for your Web application.
Note: You must generate your Service Provider metadata as expected by your Identity Provider.
The following is a sample Service Provider metadata file:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- This is a demo Service Provider metadata file. The XML declaration must be the first thing in the file, so the comment follows it. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<Entity ID>">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate><Certificate information></ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<Location ID>" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
The Service Provider metadata file contains the following definitions (each appears in the sample above):

metadata                Description
entityID                Specify the unique identity of the REST Web application (Service Provider).
AuthnRequestsSigned     Specify whether the REST Web application (Service Provider) signs its authentication requests.
WantAssertionsSigned    Specify whether the REST Web application requires the IdP to sign its assertions.
Certificate             Specify the certificate that the IdP must use to register the Service Provider. This can be either a self-signed certificate or one signed by a Certificate Authority (CA).
Binding                 Specify the bindings to be included in the metadata for the WebSSO profile. Supported values are POST, Artifact, and PAOS. The order of the bindings in the property determines the order of the endpoints in the generated metadata.
If the IdP does not require keys signed by a specific certification authority, then you can generate your own self-signed key using the Java utility “keytool”.
Note: The binding location does not have to be SSL-enabled.
3. Save and close the Service Provider metadata file.
Note: This metadata file is used to register the service provider with the IdP.
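Because the metadata file has to be written by hand for an OpenEdge REST Web application, it is easy to get one of the details above wrong (for example pasting the certificate with its PEM armor, or leaving the request- and assertion-signing flags off). The following Python script is an added example, not part of this documentation or of OpenEdge: it builds a Service Provider metadata file with the same structure as the sample above from an entityID, an AssertionConsumerService Location and a PEM certificate (such as one exported with keytool -exportcert -rfc), and then checks a metadata file for the definitions the table lists. The entity ID, the location URL and the certificate bytes are constructed placeholders, not real values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder: NOT a real DER certificate, only stands in for one.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_metadata_b64(pem: str) -> str:
    """Strip PEM armor and line breaks: <ds:X509Certificate> carries bare base64 DER."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # raises binascii.Error if not clean base64
    return body


def build_sp_metadata(entity_id: str, acs_location: str, cert_pem: str,
                      sign_requests: bool = True, want_signed_assertions: bool = True) -> bytes:
    """Serialise an SP EntityDescriptor shaped like the sample in the text."""
    ed = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": str(sign_requests).lower(),
        "WantAssertionsSigned": str(want_signed_assertions).lower(),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    kd = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    xd = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
    ET.SubElement(xd, f"{{{DS_NS}}}X509Certificate").text = pem_to_metadata_b64(cert_pem)
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_location, "index": "0", "isDefault": "true",
    })
    return ET.tostring(ed, encoding="utf-8", xml_declaration=True)


def check_sp_metadata(xml_bytes: bytes) -> list:
    """Return a list of findings; an empty list means every checked definition is present."""
    findings = []
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor" or not root.get("entityID"):
        findings.append("entityID missing on md:EntityDescriptor")
    sp = root.find(f"{{{MD_NS}}}SPSSODescriptor")
    if sp is None:
        return findings + ["md:SPSSODescriptor missing"]
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            findings.append(f"{attr} is not true: the IdP may not be held to signed exchanges")
    cert = sp.find(f"{{{MD_NS}}}KeyDescriptor[@use='signing']/{{{DS_NS}}}KeyInfo/"
                   f"{{{DS_NS}}}X509Data/{{{DS_NS}}}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        findings.append("signing certificate missing")
    else:
        try:
            base64.b64decode("".join((cert.text or "").split()), validate=True)
        except Exception:
            findings.append("X509Certificate is not bare base64 (PEM armor left in?)")
    acs = [e for e in sp.findall(f"{{{MD_NS}}}AssertionConsumerService")
           if e.get("Binding") == HTTP_POST]
    if not acs:
        findings.append("no AssertionConsumerService with the HTTP-POST binding")
    else:
        loc = acs[0].get("Location", "")
        if not loc.startswith("https://"):
            # Permitted per the note above, but the posted SAMLResponse then travels in clear text.
            findings.append(f"ACS Location {loc!r} is not https")
    return findings


if __name__ == "__main__":
    md = build_sp_metadata("https://sp.example.test/rest",            # constructed entityID
                           "https://sp.example.test/rest/saml/SSO",   # constructed ACS URL
                           SAMPLE_PEM)
    print(md.decode())
    print("findings:", check_sp_metadata(md))
```

Run the script to print a metadata file and its findings; point check_sp_metadata at the bytes of an existing file to review one written by hand before sending it to the IdP.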