Explaining configuration files in Fedlet

This post continues the series on exploring Fedlet; see my previous posts for setup and use cases. Here I explain the various configuration files in a Fedlet instance and their significance.

Once the Fedlet is set up, you will find all configuration files under the Fedlet configuration directory. In any environment, by default the Fedlet instance is created under the user's home directory.

Files present in configuration directory:

sp.xml: This is the Service Provider metadata that gets created by default when you install and configure Fedlet. To implement signing and encryption, you need to embed the Signing and Encryption blocks in it. You can refer to the SAML standards or to the metadata of any other federation product to obtain the Signing and Encryption blocks.

If the Identity Provider expects SAML authentication requests to be signed, change the value of the AuthnRequestsSigned attribute to true in sp.xml. Save the file and restart the application server.

If the Fedlet expects the Identity Provider to send signed SAML assertions, change the value of the WantAssertionsSigned attribute to true in sp.xml. Save the file and restart the application server.

Observe that the entityID attribute carries the Fedlet ID that was provided while running the ConfigureFedlet command.

To advertise the NameID formats supported by the Fedlet, add a NameIDFormat element under the SPSSODescriptor tag in sp.xml. For example:

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>

AssertionConsumerService is the element that defines the Fedlet page that processes the SAML response. When you install Fedlet, fedletSampleApp.jsp processes the SAML response. This file can be renamed and placed in your custom application, or you can extract the logic from this JSP and place it in your own application page. In that case, specify the custom application page as the Location. For example:

<AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.myserver.com/fedletSSO.jsp"/>
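As an added example that is not part of the original post or of the Fedlet product, the Python script below parses an sp.xml of the shape described above and reports the settings a reviewer would check before trusting the metadata: the entityID, the two signing flags, the advertised NameID formats and whether every AssertionConsumerService Location is HTTPS. The sample metadata, its entityID and host name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace; sp.xml declares it as the default namespace.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample sp.xml (entityID and host are assumptions, not real values).
# It deliberately shows the weak defaults: both signing flags false, ACS over http.
SAMPLE_SP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="fedlet-example-sp">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://www.myserver.com/fedletSSO.jsp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def audit_sp_metadata(xml_text):
    """Parse SP metadata and return its security-relevant settings plus findings.

    Note: xml.etree is fine for a file you generated yourself; for metadata
    received from a third party, parse with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")

    # Both flags are XML boolean attributes; an absent attribute means false.
    flags = {name: sp.get(name, "false").strip().lower() == "true"
             for name in ("AuthnRequestsSigned", "WantAssertionsSigned")}
    acs = [(e.get("Binding"), e.get("Location"), e.get("isDefault"))
           for e in sp.findall("md:AssertionConsumerService", NS)]

    findings = []
    if not flags["WantAssertionsSigned"]:
        findings.append("WantAssertionsSigned is false: SP does not require signed assertions")
    if not flags["AuthnRequestsSigned"]:
        findings.append("AuthnRequestsSigned is false: AuthnRequests are sent unsigned")
    for _binding, location, _default in acs:
        if not (location or "").lower().startswith("https://"):
            findings.append(f"AssertionConsumerService Location is not HTTPS: {location}")

    return {
        "entityID": root.get("entityID"),
        **flags,
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "acs": acs,
        "findings": findings,
    }
```

Running the same function over the file after the edits the post describes (both flags set to true, an https Location) should leave the findings list empty.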

sp-extended.xml:

This file is generated automatically when you install Fedlet. It contains the supplementary SP metadata configuration. Observe that the entityID field contains the same value as defined in sp.xml; sp.xml and sp-extended.xml are mapped one-to-one through the entityID. Some of the features that can be configured in this file are:

  1. Specify whether the assertion needs to be encrypted by the IDP.
  2. Specify whether attributes in the assertion need to be encrypted by the IDP.
  3. Specify whether the SAML response needs to be signed.
  4. Specify whether logout requests and responses need to be signed.
  5. Specify the Fedlet logout URL.
  6. Specify the encryption alias.
  7. Default authentication and mapper classes.

This will be continued in the next post.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com
