Once the fedlet is setup, you will find all configuration files under feldet configuration directory. In any environment, by default the fedlet instance is created under User’s home directory.
Files present in configuration directory:
sp.xml: This is the Service Provider metadata that get’s created by default when you install and configure fedlet. For implementing signing and encryption, one would need to do embed Signing and Encryption blocks. You can refer the SAML standards or any other Federation product metadata for getting the Signing and Encryption blocks.
If the Identity provider is expecting SAML Authentication requests to be signed then change the value of AuthnRequestsSigned element to true in sp.xml. Save the file and restart the application server.
If the Fedlet is expecting Identity provider to send signed SAML assertion then change the value of WantAssertionsSigned element to true in sp.xml. Save the file and restart the application server.
Observe the element entityID having the Fedlet ID which is provided while running the ConfigureFedlet command.
For providing the supported NameIDs by Fedlet, one can update this sp.xml to add element under SPSSODescriptor tag. For example, see below:
AssertionConsumerService is the element to define the fedlet file processing the SAML response. When you install fedlet, fedletSampleApp.jsp processes the SAML response. This file can be renamed to anything and placed in your custom application or one can extract the logic from this jsp and place it in your custom application. In such case, that custom application page should be specified for Location. For example, see below:
<AssertionConsumerService isDefault=”true” index=”0″ Binding=”urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Location=”https://www.myserver.com/fedletSSO.jsp”/>
This file gets generated automatically when you install Fedlet. This file contains the supplements of SP metadata configurations. Observe that entityID field contains the same value as it is defined in sp.xml. There will be one-to-one mapping between sp.xml and sp-extended.xml using entityID. Some of the features that can be configured in this file are:
- Specify whether Assertion needs to be encrypted by IDP
- Specify whether attributes in assertion needs to be encrypted by IDP
- Specify whether SAML response needs to be signed
- Specify whether Logout request and response needs to be signed
- Specify Fedlet Logout URL.
- Specify encryption alias
- Default authentication and mapper classes.
It will be continued in next post.