Necessary information for SAML 2.0 configuration (metadata)
To simplify the configuration of the eIAM-Web service and the application, configuration data must be exchanged between the two sides. For this purpose there are standardised XML structures, so-called metadata, which must be exchanged between eIAM-Web and the application. Using them is mandatory, because a manual exchange of this information is error-prone and therefore time-consuming.

Acquire a SAML signing certificate

A dedicated private key must be generated for each environment. Create a CSR and have it signed as described below; the resulting certificate must then be embedded in the SAML metadata.xml.

The operator must send the Certificate Signing Request (CSR) of the server on which the application is running to the LRAO Class C of the office (ask your integration manager). The LRAO can use the Certificate Request Wizard (CRW) of the PKI BIT to create the Class C System Sign (RegularCA02) certificate. Instructions for certificate ordering: link (customer platform).

Important: The LRAO must be authorised to order a C System Sign. If not, this authorisation must first be activated for him, with the confirmation of the CISO of the office, by means of the application form. The Integration Manager of the office must be informed of this.

With the certificate, the developer can create the metadata of the application and send it to eIAM FOITT.

What should also be done on the application side:
- Certificate for SSL encryption. This can also be obtained via the Wizard of PKI FOITT, but it does not have to be.
- URL DNS entry for the application via Remedy MAC
- Firewalls etc. outside FOITT operation

Technical support: responsibility of eIAM staff
Certificate support: pki-info@bit.admin.ch
SAML metadata.xml from eIAM
The information needed to configure a SAML 2.0 capable application to use eIAM-Web as its IdP is provided to the project by the eIAM service in the form of a metadata file in XML format (IDPSSODescriptor). In most cases the application can be configured directly by importing this metadata file. If this is not possible, the project can extract the information required for manual configuration from the metadata file provided. The table below shows the attributes supplied in the eIAM-Web metadata file. Other attributes may be supplied with the metadata file but do not have to be used in the SAML configuration of the application. The SAML 2.0 metadata MUST NOT be signed.
| Attribute | Description |
| --- | --- |
| EntityDescriptor - entityID | Unique identifier of the entity. The value of this attribute MUST be a URN in the namespace "urn:eiam.admin.ch:pep:". |
| IDPSSODescriptor - KeyDescriptor - KeyInfo - X509Data - X509Certificate | This attribute MUST contain the certificate (public key) of the key pair with whose private key the PEP signs the SAML 2.0 assertion. The application uses it to identify the certificate in its trust store that is to be used to verify the signature of the assertion. |
| IDPSSODescriptor - SingleSignOnService - Location | This attribute MUST contain the URL of the SSO service of the eIAM-Web PEP as seen by the user's browser. The application sends its SAML 2.0 AuthnRequest to this destination. |
| SPSSODescriptor - SingleLogoutService - Location (STS-PEP Pattern) | This attribute MUST contain the URL of the Single Logout (SLO) Location of the eIAM-Web PEP as seen by the user's browser, i.e. the URL at which the browser must address the SAML SLO endpoint of the eIAM-Web PEP. This MUST be a constant value, which is fixed per eIAM-Web PEP. |
Information contained in the application configuration metadata file
Example of an XML metadata file for the configuration of the eIAM-Web PEP (IdP) in the application (SP):
SAML configuration (metadata.xml) needed from the application
eIAM must also have information about the SAML interface of the application. Therefore the project must export the SAML configuration from the application in the form of a metadata file in XML format and make it available to the service (SPSSODescriptor). Current SAML-capable applications support the export of such a metadata file once the SAML 2.0 service provider has been configured.
The following table contains the attributes that must be supplied in the metadata file. Other attributes may be supplied with the metadata file but are not used in the eIAM-Web configuration.
| Attribute | Description |
| --- | --- |
| EntityDescriptor - entityID | Unique identifier of the entity. The value of this attribute MUST be a URI (a URN or a URL). Examples: urn:eiam.admin.ch:sp:appl1 or https://sp.example.com/saml2/auth/ |
| SPSSODescriptor - KeyDescriptor - KeyInfo - X509Data - X509Certificate | This attribute MUST contain the certificate (public key) of the key pair with whose private key the application signs the SAML 2.0 AuthnRequests. The IdP uses it to identify the certificate in its truststore with which the PEP must verify the SAML AuthnRequest of the application. |
| SPSSODescriptor - AssertionConsumerService - Location (RP-PEP pattern) | This attribute MUST contain the URL of the Assertion Consumer Service (ACS/SAML SSO endpoint) of the application as seen by the user's browser, i.e. the URL at which the browser can reach the ACS of the application via the eIAM-Web PEP. This MUST be a constant value, which is fixed per application. |
| SPSSODescriptor - AssertionConsumerService - Location (STS-PEP Pattern) | This attribute MUST contain the URL of the Assertion Consumer Service of the application as seen by the user's browser, i.e. the URL at which the browser can reach the ACS of the application. If this value is supplied, it MUST be a constant value that is fixed for the SAML service provider. If it is not supplied, the SP MUST send the attribute "AssertionConsumerServiceURL" with every SAML AuthnRequest. |
| SPSSODescriptor - SingleLogoutService - Location (STS-PEP Pattern) | This attribute MUST contain the URL of the Single Logout (SLO) Location of the application as seen by the user's browser, i.e. the URL at which the browser must address the SAML SLO endpoint of the application. This MUST be a constant value, which is fixed per application. |
| SPSSODescriptor - SingleLogoutService - ResponseLocation (STS-PEP Pattern) | This attribute MUST contain the URL of the Single Logout (SLO) Response Location of the SP as seen by the user's browser, i.e. the URL at which the browser must address the SAML SLO response endpoint of the application as a service provider. This MUST be a constant value, which is fixed per service provider. |
Mandatory information contained in the application metadata file
Example of an XML metadata file for configuring the application (SP) in the eIAM:
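As an added example (not part of the original page and not eIAM tooling), the following Python script checks a metadata file against the mandatory attributes from both tables above: for the eIAM-Web IdP metadata an entityID in the "urn:eiam.admin.ch:pep:" namespace, the signing certificate, an https SingleSignOnService Location and the absence of a signature; for the application SP metadata an entityID that is a URN or URL, the signing certificate and an https AssertionConsumerService Location. The two embedded XML documents, the example.com URLs and the certificate bodies are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PEP_URN_PREFIX = "urn:eiam.admin.ch:pep:"  # required namespace of the eIAM-Web entityID
CERT_PATH = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"


def check_metadata(xml_text, role):
    """Return the rule violations found; role is 'idp' (eIAM-Web) or 'sp' (application)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems, entity_id = [], root.get("entityID", "")
    if role == "idp":
        if not entity_id.startswith(PEP_URN_PREFIX):
            problems.append("entityID must be a URN in " + PEP_URN_PREFIX)
        if root.find(".//ds:Signature", NS) is not None:
            problems.append("eIAM-Web metadata MUST NOT be signed")
        desc, endpoint = "md:IDPSSODescriptor", "md:SingleSignOnService"
    else:
        if not urlparse(entity_id).scheme:  # both a URN and a URL carry a scheme
            problems.append("entityID must be a URI (URN or URL)")
        desc, endpoint = "md:SPSSODescriptor", "md:AssertionConsumerService"
    role_desc = root.find(desc, NS)
    if role_desc is None:
        return problems + [f"missing {desc}"]
    if role_desc.find(CERT_PATH, NS) is None:  # certificate the peer verifies signatures with
        problems.append("missing X509Certificate in KeyDescriptor")
    loc = role_desc.find(endpoint, NS)
    if loc is None or urlparse(loc.get("Location", "")).scheme != "https":
        problems.append(f"{endpoint} Location missing or not an https URL")
    return problems


# Constructed sample: conforming application (SP) metadata; the certificate body is a placeholder.
SP_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:eiam.admin.ch:sp:appl1">
 <md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:AssertionConsumerService Location="https://sp.example.com/saml2/auth/"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed sample: eIAM-Web (IdP) metadata that is signed and whose entityID is outside the PEP namespace.
IDP_BAD = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com"><ds:Signature/>
 <md:IDPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
 <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleSignOnService Location="https://idp.example.com/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```

`check_metadata(SP_OK, "sp")` returns an empty list, while `check_metadata(IDP_BAD, "idp")` reports the wrong entityID namespace and the forbidden signature; the SLO endpoints and the AuthnRequest-borne AssertionConsumerServiceURL fallback from the STS-PEP rows are not checked here.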