SiteMinder provides a metadata tool to import and export SAML 2.0 metadata programmatically. Metadata lets you efficiently exchange federation configurations between a site that uses SiteMinder and a partner that uses a third party or SiteMinder. Programmatic use of SAML 2.0 metadata can limit how much configuration that you perform.
The Policy Server installs the metadata tool. The two command-line utilities that make up the SiteMinder metadata tools are smfedexport and smfedimport.
Exporting metadata involves the following types of input:
Importing metadata involves:
You can use the export tool in the following situations:
Use the tool to produce a metadata file containing information about profiles that the Identity Provider supports. This XML output that the export tool generates describes the Identity Provider. Sites acting as Service Providers can import this metadata file to establish a relationship with the Identity Provider.
A SiteMinder Identity Provider generates a metadata file from an existing Service Provider object. Using the Service Provider object reduces the amount of data that a user must configure, because many of the settings for the Identity Provider metadata file can be derived from the existing Service Provider. Also, SiteMinder provides the default names of the servlets.
To use the metadata file, the existing relationship between the Identity Provider and the Service Provider must be similar to the relationship you are establishing.
The SSO and SLO servlet URLs are the default servlet names that are prepended with the IP address and port of the Federation Web Services application.
The servlet names are:
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
A SiteMinder Service Provider can facilitate federation with sites acting as Identity Providers by producing a metadata file containing information about the profiles it supports. An Identity Provider can import the metadata file to establish a relationship with the Service Provider.
A SiteMinder Service Provider generates a metadata file from an existing SAML 2.0 Authentication Scheme object. Using the existing object reduces the amount of data that a user must configure, because many of the settings for the SP metadata file can be derived from the existing SAML 2.0 authentication scheme. SiteMinder provides the default names of the servlets.
To use the metadata file, the existing relationship between the Service Provider and the Identity Provider must be similar to the relationship you are establishing. The SSO and SLO servlet URLs are the default servlet names that are prepended with the IP address and port of the Federation Web Services application.
The servlets are:
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
The following illustration shows a metadata file that is generated only from user input.
The following illustration shows a metadata file that is generated from a combination of user input and data from an existing Service Provider object.
The smfedexport tool lets you export SAML 2.0 metadata to an XML file.
If you enter smfedexport without any command arguments, all the command arguments and their usage are displayed.
To run the smfedexport tool
Note: Command arguments enclosed in square brackets [] are optional.
To export a SAML 2.0 Identity Provider metadata file:
smfedexport -type saml2idp [-entityid <entityid>] [-expiredays <num>] [-fwsurl <FWS Location> [-spbase <spname> -username <SiteMinder Admin Name> -password <SiteMinder Admin Password>]] [-sign] [-pubkey] [-slo <SLO Service Location> -slobinding <REDIR>] [-reqsignauthr] [-sso <SSO Service Location> -ssobinding <REDIR|SOAP>] [-ars <Artifact Resolution Service Location>] [-output <file>]
To export a SAML 2.0 Service Provider metadata file:
smfedexport -type saml2sp [-entityid <entityid>] [-expiredays <num>] [-fwsurl <FWS Location> [-schemebase <Auth Scheme name> -username <SiteMinder Admin Name> -password <SiteMinder Admin Password>]] [-sign] [-pubkey] [-slo <SLO Service Location> -slobinding <REDIR>] [-signauthr] [-acs <Assertion Consumer Service> -acsbinding <ART|POST|PAOS> -acsindex <num> [-acsisdef]] [-output <file>]
To sign an existing Metadata document:
smfedexport -type (saml2sp|saml2idp) -sign -input <file> -output <file>
After you run the tool, an XML file is produced. If the -type option is set to saml2idp, the default output file name is IDPSSODescriptor.xml. If the -type option is set to saml2sp, the default output file name is SPSSODescriptor.xml.
After smfedexport processes the initial command options, the tool prompts you for additional data that is related to the type of export file the tool is generating. Any optional arguments that you do not enter use default values.
Note: If you are creating an IdP metadata file, you must have at least one single sign-on service defined in the smfedexport command. If you are creating an SP metadata file, you must have at least one assertion consumer service defined in the smfedexport command.
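The following Python script is an added example, not part of the CA documentation or the smfedexport tool. It checks an exported metadata file before you hand it to a partner: that the document is signed (the -sign option), that validUntil (from -expiredays) has not passed, that an IdP file carries at least one single sign-on service and an SP file at least one assertion consumer service, and that the endpoint bindings are the ones the command line accepts (REDIR or SOAP for SSO; ART, POST or PAOS for the ACS). It assumes the exported file follows the standard SAML 2.0 metadata schema (md:EntityDescriptor with an md:IDPSSODescriptor or md:SPSSODescriptor child). The sample metadata documents, host names, servlet paths and the fixed clock value are constructed for the example; the real servlet names come from your SiteMinder installation. The https check is a policy choice of the example, not a requirement stated on this page.

```python
"""Sanity-check an exported SAML 2.0 metadata file before exchanging it with a partner."""
import datetime as dt
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Binding names as used on the smfedexport command line, mapped to SAML 2.0 binding URIs.
BINDINGS = {
    "REDIR": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "SOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "ART": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "PAOS": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
}
URI_TO_NAME = {uri: name for name, uri in BINDINGS.items()}

# What each -type value must contain: the role descriptor, the mandatory endpoint
# element, and the bindings the smfedexport options allow for that endpoint.
RULES = {
    "saml2idp": ("IDPSSODescriptor", "SingleSignOnService", {"REDIR", "SOAP"}),
    "saml2sp": ("SPSSODescriptor", "AssertionConsumerService", {"ART", "POST", "PAOS"}),
}


def check_metadata(xml_text, md_type, now=None):
    """Return a list of problems found; an empty list means every check passed."""
    now = now or dt.datetime.now(dt.timezone.utc)
    descriptor, endpoint, allowed = RULES[md_type]
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    if not root.get("entityID"):
        problems.append("entityID attribute is missing or empty")

    valid_until = root.get("validUntil")
    if valid_until:
        # SAML dateTime values are UTC with a trailing Z; fromisoformat wants an offset.
        expires = dt.datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= now:
            problems.append(f"metadata expired at {valid_until}")
    else:
        problems.append("validUntil attribute is missing")

    if root.find("ds:Signature", NS) is None:
        problems.append("document is not signed (no ds:Signature); export again with -sign")

    desc = root.find(f"md:{descriptor}", NS)
    if desc is None:
        problems.append(f"missing md:{descriptor}, required for -type {md_type}")
        return problems

    endpoints = desc.findall(f"md:{endpoint}", NS)
    if not endpoints:
        problems.append(f"at least one {endpoint} is required for -type {md_type}")
    for ep in endpoints:
        binding = ep.get("Binding", "")
        if URI_TO_NAME.get(binding) not in allowed:
            problems.append(f"{endpoint} uses unsupported binding {binding!r}")
        location = ep.get("Location", "")
        if not location.startswith("https://"):
            # Example policy: assertions and logout messages should not travel over plain http.
            problems.append(f"{endpoint} location {location!r} is not https")
    return problems


# Constructed sample: a signed, current IdP export with one HTTP-Redirect SSO endpoint.
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2" validUntil="2031-01-01T00:00:00Z">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fws.example.com:443/SSO_SERVLET_PLACEHOLDER"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: an SP export that is unsigned, already expired, and uses plain http.
SAMPLE_SP_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml2" validUntil="2010-01-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://fws.example.com:80/ACS_SERVLET_PLACEHOLDER" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Fixed clock so the example is reproducible (constructed value).
FIXED_NOW = dt.datetime(2020, 6, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for name, text, kind in (("idp", SAMPLE_IDP, "saml2idp"), ("sp", SAMPLE_SP_BAD, "saml2sp")):
        found = check_metadata(text, kind, now=FIXED_NOW)
        print(name, "OK" if not found else found)
```

Run the script with no arguments to see the two samples checked; for a real export, read IDPSSODescriptor.xml or SPSSODescriptor.xml into `xml_text` and pass the same -type value you gave smfedexport. Passing the wrong type reports the missing role descriptor, which is a quick way to catch an IdP file sent where an SP file was expected.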
Copyright © 2012 CA.
All rights reserved.