Command Options for smfedexport

The smfedexport command line options are listed in the table that follows:

| Option | Description | Values |
|---|---|---|
| -acs | Assertion Consumer Service URL | URL |
| -acsindex | Assertion Consumer Service index value | integer |
| -acsisdef | Makes the immediately preceding Assertion Consumer Service the default. | none |
| -acsbinding | SAML protocol binding for the Assertion Consumer Service. | ART (artifact), POST, or PAOS (Reverse SOAP, ECP) |
| -ars | Artifact Resolution Service | URL |
| -entityid | ID of the SP or IDP whose metadata you are exporting | URI |
| -expiredays | Days until the metadata document is no longer valid. A value of 0 indicates that the metadata document has no expiration, and no validUntil is generated in the exported XML. | integer; 0 is the default |
| -fwsurl | URL pointing to the FWS application. | URL in the form http://host:port |
| -input | Full path to an existing XML file | string, no default |
| -output | Full path to an output XML file | Default values: IDPSSODescriptor.xml or SPSSODescriptor.xml |
| -password | SiteMinder Administrator name. Requires the -username option. | string, no default |
| -pubkey | Tells the Policy Server to include the certificate (public key) in the metadata. The partner site uses the public key for signature encryption and verification. This setting is optional because the metadata is not required to be signed. | true if present; false otherwise |
| -reqsignauthr | Require signed AuthnRequests | true if present; false otherwise |
| -schemebase | Points to an existing Service Provider. The settings for the profiles/bindings are taken from this provider. Requires the -fwsurl, -username, and -password options. | authentication scheme name |
| -spbase | Points to an existing Service Provider. The settings for the profiles/bindings are taken from this provider. Requires the -fwsurl, -username, and -password options. | Service Provider name |
| -sign | Indicates whether the Policy Server signs the metadata. This setting is optional. | true if present; false otherwise |
| -sigalg | Designates the signature hashing algorithm SiteMinder uses for signing assertions and assertion responses, and single logout requests and responses. | rsawithsha1 or rsawithsha256 |
| -signauthr | Indicates whether the SP signs AuthnRequests | true if present; false otherwise |
| -signingcertalias | Specifies the alias associated with the key/certificate pair that signs the metadata. The pair must be stored in the smkeydatabase. This setting is an alternative to the default alias, defaultenterpriseprivatekey; if you do not enter a value for this option, the Policy Server uses the defaultenterpriseprivatekey alias to sign the metadata. | alias name |
| -slo | Single Logout Service URL | URL |
| -slobinding | HTTP binding used for single logout. HTTP Redirect binding is the only option. | |
| -sso | Single sign-on service URL | URL |
| -ssobinding | SSO Service URL protocol binding | REDIR (web SSO) or SOAP (ECP) |
| -type | (Required) Entity type of the export file | saml2idp or saml2sp |
| -username | The SiteMinder Administrator name. Requires the -password option. | string, no default |

smfedexport Tool Examples

Example: Exporting an Identity Provider

    smfedexport -type saml2idp -entityid http://www.myidp.com/idp1 -expiredays 30 -sign -pubkey -slohttpredir http://www.mysite.com/affwebservices/public/saml2slo -reqsignauthr -ssoart http://www.mysite.com/affwebservices/public/saml2sso -artressvc http://www.mysite.com/affwebservices/saml2artifactresolution -output myidpdescription.xml

Example: Exporting a Service Provider

    smfedexport -type saml2sp -entityid http://www.myidp.com/sp1 -expiredays 30 -sign -pubkey -slohttpredir http://www.mysite.com/affwebservices/public/saml2slo -signauthr -aconsvcpost http://www.mysite.com/affwebservices/public/saml2assertionconsumer -aconsvcpostindex 12345 -output myidpdescription.xml

Example: Modifying and Signing an Exported Data File

In this example, you modify and digitally sign an XML file using the smfedexport tool.

To modify and sign a metadata file

  1. Edit the existing XML file using an XML editor.
  2. Enter the following command:

    smfedexport -sign -infile file -output file

    For example:

    smfedexport -sign -infile myspdescription.xml -output newspdescription.xml

To modify an exported file that is already digitally signed

  1. Edit the existing XML file using an XML editor as needed.
  2. Delete the <Signature> element from the file.
  3. Enter the following command:

    smfedexport -sign -infile file -output file

    For example:

    smfedexport -sign -infile myspdescription.xml -output newspdescription.xml
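As an added example (not part of the SiteMinder documentation or the smfedexport tool), the following Python script performs the checks an operator wants before re-signing an edited metadata file: it reports the entityID, whether the validUntil date produced by -expiredays has already passed, whether AuthnRequestsSigned is set, and whether a <Signature> element is present, and it removes that element so the file is ready for smfedexport -sign. The sample XML is constructed for illustration and does not reproduce real exporter output.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used in SAML 2.0 metadata and XML Signature
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed sample of a signed SP descriptor (not real smfedexport output)
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.myidp.com/sp1" validUntil="2024-01-31T00:00:00Z">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="12345" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://www.mysite.com/affwebservices/public/saml2assertionconsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _parse_utc(stamp: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-01-31T00:00:00Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def inspect_metadata(xml_text: str, now: str) -> dict:
    """Summarise what an operator checks before re-signing; 'now' is an ISO-8601 UTC stamp."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")   # absent when exported with -expiredays 0
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "entity_id": root.get("entityID"),
        "valid_until": valid_until,
        "expired": None if valid_until is None else _parse_utc(valid_until) <= _parse_utc(now),
        "signed": root.find("ds:Signature", NS) is not None,
        "authn_requests_signed": None if sp is None else sp.get("AuthnRequestsSigned") == "true",
    }


def strip_signature(xml_text: str) -> str:
    """Drop the top-level <Signature> element, as the procedure requires before re-signing."""
    root = ET.fromstring(xml_text)
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")
```

Run strip_signature on the edited file, write the result out, and pass that file to smfedexport -sign -infile as in the steps above.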

Import Metadata Tool

You can use the import tool for the following tasks: