How to modify WCF FederationMetadata.xml file for various deployments?

We have an ADFS 2.0 installation that works well for our MVC applications in our various environments. I believe that it uses "passive authentication" (I'm still getting used to the correct terminology); this is definitely the setup where it redirects the user to our ADFS proxy if the user is not logged in, and ADFS redirects the user back to our MVC application after login.

Now we are starting to expose some secured web services and want to use the same authentication system. My understanding is that I want to use ws2007FederationHttpBinding as the binding for this. I believe I have all the WCF web.config settings in place, but my struggle is now concentrated on the FederationMetadata.xml file.

Looking at this file, I see some things that obviously need to be changed, for example entityID="http://localhost/UserServices" and the certificate. Then there are some things that I don't know the meaning of, or whether they need to change or not, for example EntityDescriptor ID="_2b510fe8-98b8...... and <ds:SignatureValue>CZe5mEu19/bDNoZrY8f6C559CJ.......

Where can I go to better understand how I should manage this file for the different situations? I have the following hosting environments for these services, to which we will deploy one way or another:

  • Separate developer workstations (3 for now, more later)
  • Generic Dev environment for people who write applications against these services, but who are not necessarily modifying the services
  • QA
  • Staging
  • Production (3 different environments with different certificates / domains, etc.)

Also, we have a fairly well-optimized process for managing our web.config files across environments using transformations and search / replace of some tokens, so I would like to do the same with this XML file. So, ultimately, all I'm looking for is an understanding of what changes are needed to manage this FederationMetadata.xml file for the different environments.

My current FederationMetadata.base.xml file is below, and I BELIEVE that it is correct (I just need names / roles), so I just need to intelligently replace the various tokens, for example ~RootServiceUrlTokenToReplace~, here:

    <?xml version="1.0" encoding="utf-8"?>
    <EntityDescriptor ID="~EntityDescriptorIdTokenToReplace~" entityID="http://~RootServiceUrlTokenToReplace~" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#~ReferenceURITokenToReplace~">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>~DigestValueTokenToReplace~</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>~SignatureValueTokenToReplace~</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>~CertificateTokenToReplace~</X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
      <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
        <KeyDescriptor use="encryption">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
              <X509Certificate>~CertificateTokenToReplace~</X509Certificate>
            </X509Data>
          </KeyInfo>
        </KeyDescriptor>
        <fed:ClaimTypesRequested>
          <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
          <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
          <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://~RootServiceUrlTokenToReplace~</Address>
          </EndpointReference>
        </fed:TargetScopes>
        <fed:ApplicationServiceEndpoint>
          <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://~RootServiceUrlTokenToReplace~</Address>
          </EndpointReference>
        </fed:ApplicationServiceEndpoint>
      </RoleDescriptor>
    </EntityDescriptor>
2 answers

The FederationMetadata.xml of a WIF-based application is not related to the claims-based web services you are proposing to expose.

The (URL pointing to the) FederationMetadata.xml is used by AD FS to automatically update the information it holds for the Relying Party Trust. AD FS may, for example, poll this URL regularly and update the Relying Party Trust information accordingly.

Information about a web service (claims-based or otherwise), i.e. its metadata, is published as a WSDL document. For a WCF-based service this is a URL that often looks like http://myhost.example.com/appName/serviceName.svc?wsdl . This WSDL document often does not exist as a physical file but is generated automatically by WCF.


I found a partial answer to my question in this blog post . I am studying it further to find out whether it answers all my questions. I just found it. Apparently, I need to change my EntityID (which contains the URL) as I redeploy to different environments, but the SignatureValue contains a hash of this URL (among other things?), so by changing the URL I invalidate the SignatureValue, and it must be regenerated. Apparently this FederationMetadata Generator can help me with this.

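The point in the last answer (and the reason the question's token template cannot simply be string-replaced) is that the enveloped ds:Signature covers the whole EntityDescriptor, so any change to entityID, ID or the embedded certificate must be followed by re-signing. The following PowerShell script, added here as an illustration and not taken from the question, the answers or the linked generator, replaces the tokens of the template above and then recomputes the signature with .NET's SignedXml using the same algorithms the template declares (exc-c14n, RSA-SHA256, SHA-256 digest). It assumes Windows PowerShell 5.1 on .NET Framework 4.6.2 or later, a PFX file holding the signing certificate, and the parameter names and sample URL shown, all of which are assumptions.

```powershell
# Added example: build a signed FederationMetadata.xml for one environment.
# Assumes .NET Framework 4.6.2+ (built-in RSA-SHA256 for SignedXml).
param(
    [string]$TemplatePath   = '.\FederationMetadata.base.xml',
    [string]$OutputPath     = '.\FederationMetadata.xml',
    [string]$RootServiceUrl = 'services.example.com/UserServices',   # constructed sample value
    [string]$PfxPath        = '.\signing.pfx',
    [string]$PfxPassword    = ''
)
Add-Type -AssemblyName System.Security

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
$id   = '_' + [guid]::NewGuid().ToString()   # fresh NCName for EntityDescriptor/@ID

# 1. Environment-specific values: service URL, element ID and the certificate
#    that the encryption KeyDescriptor advertises.
$xmlText = [IO.File]::ReadAllText($TemplatePath)
$xmlText = $xmlText.Replace('~RootServiceUrlTokenToReplace~', $RootServiceUrl)
$xmlText = $xmlText.Replace('~EntityDescriptorIdTokenToReplace~', $id)
$xmlText = $xmlText.Replace('~CertificateTokenToReplace~', [Convert]::ToBase64String($cert.RawData))

# 2. The template's ds:Signature (digest, signature value, reference URI) is only
#    a placeholder, so remove it and compute a real one over the final document.
$doc = [System.Xml.XmlDocument]::new()
$doc.PreserveWhitespace = $true
$doc.LoadXml($xmlText)
$ns = [System.Xml.XmlNamespaceManager]::new($doc.NameTable)
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$old = $doc.SelectSingleNode('/*/ds:Signature', $ns)
if ($old) { [void]$old.ParentNode.RemoveChild($old) }

$signed = [System.Security.Cryptography.Xml.SignedXml]::new($doc)
# Extension method must be called statically from PowerShell; returns an RSA key usable with SHA-256.
$signed.SigningKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$signed.SignedInfo.CanonicalizationMethod = 'http://www.w3.org/2001/10/xml-exc-c14n#'
$signed.SignedInfo.SignatureMethod        = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

$ref = [System.Security.Cryptography.Xml.Reference]::new("#$id")   # same-document reference to EntityDescriptor
$ref.DigestMethod = 'http://www.w3.org/2001/04/xmlenc#sha256'
$ref.AddTransform([System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform]::new())
$ref.AddTransform([System.Security.Cryptography.Xml.XmlDsigExcC14NTransform]::new())
$signed.AddReference($ref)

$keyInfo = [System.Security.Cryptography.Xml.KeyInfo]::new()
$keyInfo.AddClause([System.Security.Cryptography.Xml.KeyInfoX509Data]::new($cert))
$signed.KeyInfo = $keyInfo
$signed.ComputeSignature()

# 3. Re-insert the enveloped signature as the first child of EntityDescriptor and save.
[void]$doc.DocumentElement.PrependChild($doc.ImportNode($signed.GetXml(), $true))
$doc.Save($OutputPath)
```

Run it once per environment with that environment's URL and PFX; after AD FS has imported the result, check that the relying party's identifier and certificate in AD FS match the values written here, since a stale or mismatched signature is what makes AD FS reject the metadata URL.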

Source: https://habr.com/ru/post/898602/


All Articles