One of our web apps would like to connect with an ADFS 2.0 server to get a credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file to let them create Relying Party Trusts. I googled and only found how to download the ADFS server's federation metadata XML using the URL https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml, but couldn't find any guide on creating a federation metadata XML for creating "Relying Party Trusts" and "Claims Provider Trusts". Is there a tool for creating those metadata files? Please share some ideas on how to create them.
Thanks
Lu
Answering my own question:
I found that the Federation Utility tool in WindowsIdentityFoundation-SDK-4.0 at http://www.microsoft.com/en-ca/download/details.aspx?id=4451 will do it.
Obtain Federation Metadata XML
Inside the AD FS Management application, locate the Federation Metadata XML file. This can be found by clicking on AD FS > Service > Endpoints, then locating the URL path in the "Metadata" section. The path is typically /FederationMetadata/2007-06/FederationMetadata.
The Federation Metadata Explorer is an online tool that will retrieve the federation metadata document from your AD FS service and display the contents in a readable format. In addition to viewing the contents, this is a great way to check that your federation service is reachable from the extranet.
Actually the URL is
https://server/federationmetadata/2007-06/federationmetadata.xml
There are no tools that I am aware of.
You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class, or refer to "Generating Federation Metadata Dynamically".
Have a look at "Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2.
Or, if your application uses WIF, it's in the metadata directory.
Update:
In WIF, unless you want the token to be encrypted, you don't need the certificate. That's more for the ADFS side, as it has to sign the token and the app needs the public key to verify it.
Example:
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://localhost/app/</Address>
      </EndpointReference>
    </fed:TargetScopes>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://localhost/app/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
where http://localhost/app/ needs to be your app's URL. Note the end slash!
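As an added example (not code from the answer above, WIF or AD FS), the Python script below generates the same kind of relying-party metadata for any application URL, refuses a realm that lacks the trailing slash the answer warns about, and re-parses the result so the realm, claim types and endpoint addresses can be checked for consistency before the file is handed to the AD FS admin. The URL https://app.example.com/app/ is a constructed placeholder.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces used by WS-Federation relying-party metadata (see the sample above).
NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS_AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
NS_WSA = "http://www.w3.org/2005/08/addressing"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Claim types the relying party asks AD FS for (same two as the sample above).
DEFAULT_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
)


def build_rp_metadata(app_url: str, claims=DEFAULT_CLAIMS) -> bytes:
    """Build relying-party metadata; app_url is realm, scope and passive endpoint."""
    if not app_url.endswith("/"):
        # AD FS compares the realm literally, so a missing trailing slash breaks the trust.
        raise ValueError("app_url must end with '/': %r" % app_url)
    ET.register_namespace("", NS_MD)      # default namespace, as in the sample
    ET.register_namespace("fed", NS_FED)
    ET.register_namespace("auth", NS_AUTH)
    ET.register_namespace("xsi", NS_XSI)
    entity = ET.Element("{%s}EntityDescriptor" % NS_MD,
                        {"ID": "_" + str(uuid.uuid4()), "entityID": app_url})
    role = ET.SubElement(entity, "{%s}RoleDescriptor" % NS_MD,
                         {"{%s}type" % NS_XSI: "fed:ApplicationServiceType",
                          "protocolSupportEnumeration": NS_FED})
    requested = ET.SubElement(role, "{%s}ClaimTypesRequested" % NS_FED)
    for uri in claims:
        ET.SubElement(requested, "{%s}ClaimType" % NS_AUTH, {"Uri": uri, "Optional": "true"})
    # Both the target scope and the passive requestor endpoint point at the app URL.
    for tag in ("TargetScopes", "PassiveRequestorEndpoint"):
        scope = ET.SubElement(role, "{%s}%s" % (NS_FED, tag))
        epr = ET.SubElement(scope, "{%s}EndpointReference" % NS_WSA)
        ET.SubElement(epr, "{%s}Address" % NS_WSA).text = app_url
    return ET.tostring(entity, encoding="utf-8", xml_declaration=True)


def inspect_rp_metadata(doc: bytes) -> dict:
    """Parse RP metadata and return what AD FS will use, checking realm/endpoint agreement."""
    root = ET.fromstring(doc)
    realm = root.get("entityID")
    addrs = [a.text for a in root.iter("{%s}Address" % NS_WSA)]
    claims = [c.get("Uri") for c in root.iter("{%s}ClaimType" % NS_AUTH)]
    if any(a != realm for a in addrs):
        raise ValueError("endpoint addresses %r do not match realm %r" % (addrs, realm))
    return {"realm": realm, "endpoints": addrs, "claims": claims}
```

Write the returned bytes to a file and send that to the AD FS admin; `inspect_rp_metadata` can also be run over a metadata file received from someone else before it is imported.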