ComponentSpace Forums

ExportMetadata.exe

fabio.rapelli@willistowerswatson.com
New Member

Group: Forum Members
Posts: 7, Visits: 45
Good Morning,
A user will be authenticated on the Identity Provider managed by an external customer. They will call our service provider and have asked me for some information:
- signing certificate public key
- metadata file or url
I would like to generate the metadata.xml file for my service provider using ExportMetadata.exe (version 2.8.8.0):
SAML configuration file to export [saml.config]: saml.config
X.509 signature certificate file [None]: certificate.crt
X.509 encryption certificate file [None]: What is this? Could it be any file, or should it be a certificate file?
Assertion Consumer Service URL [None]: https://ourservername/SamlServiceProvider-Iat/SSO/AssertionConsumerService
Single Logout Service URL [None]:
Partner Identity Provider Name [None]: https://customerservername/IdentityProvider (this causes an error: identity provider name not found)
SAML metadata file [metadata.xml]: sp-iat-metadata.xml

This is my saml.config:

<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <!-- The Name attribute value must be quoted; the original post was missing the quotes. -->
  <ServiceProvider Name="https://ourservername/SamlServiceProvider-Iat/"
       Description="Saml Service Provider (Iat)"
       AssertionConsumerServiceUrl="~/SSO/AssertionConsumerService"
       LocalCertificateFile="Certificates\certificate.crt"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="https://customerservername/IdentityProvider"
          Description="Customer Identity Provider (Stage)"
          SignAuthnRequest="true"
          PartnerCertificateFile="Certificates\Customer1\certificate.crt"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>


I receive an error on
Partner Identity Provider Name [None]:

Regards,
Fabio

ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
I couldn't reproduce the problem using your saml.config file.
Please ensure the partner identity provider name doesn't include any leading space characters etc.
If there's still an issue, please email [email protected] mentioning your forum post.
Include your saml.config file as an email attachment but remove any passwords.
Also include your certificate file but rename the .cer to .txt to get past our mail server.
I see that the LocalCertificateFile is a .crt. Normally the file extension is .pfx.
The LocalCertificateFile must include the private key so signatures may be generated.
There should be a LocalCertificatePassword to protect the pfx file.

Regards
ComponentSpace Development
fabio.rapelli@willistowerswatson.com
New Member

Group: Forum Members
Posts: 7, Visits: 45
ComponentSpace - 8/28/2018
I couldn't reproduce the problem using your saml.config file.
Please ensure the partner identity provider name doesn't include any leading space characters etc.
If there's still an issue, please email [email protected] mentioning your forum post.
Include your saml.config file as an email attachment but remove any passwords.
Also include your certificate file but rename the .cer to .txt to get past our mail server.
I see that the LocalCertificateFile is a .crt. Normally the file extension is .pfx.
The LocalCertificateFile must include the private key so signatures may be generated.
There should be a LocalCertificatePassword to protect the pfx file.

Now I resolved the Identity Provider issue.
I exported the certificate.crt as .pfx including the private key.
So "LocalCertificateFile" will be certificate.pfx, correct?
Should the LocalCertificatePassword be the passphrase used to protect the private key inside certificate.pfx?
To generate metadata.xml, should I set this value?
X.509 signature certificate file [None]: certificate.pfx
X.509 encryption certificate file [None]: What should I insert here? A different certificate?

Regards,
Fabio

ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
That's correct.
The LocalCertificateFile should always be a PFX file as it must include the private key.
The LocalCertificatePassword protects the private key in the PFX file.
The X.509 certificate file that's prompted for by ExportMetadata is the CER file that corresponds to the PFX file.
The CER file has the certificate and public key only.
For most use cases you shouldn't specify an encryption certificate.
It's only required if the SAML assertion is to be encrypted and you wish to use a different certificate for the encryption.

Regards
ComponentSpace Development
fabio.rapelli@willistowerswatson.com
New Member

Group: Forum Members
Posts: 7, Visits: 45
ComponentSpace - 8/30/2018
That's correct.
The LocalCertificateFile should always be a PFX file as it must include the private key.
The LocalCertificatePassword protects the private key in the PFX file.
The X.509 certificate file that's prompted for by ExportMetadata is the CER file that corresponds to the PFX file.
The CER file has the certificate and public key only.
For most use cases you shouldn't specify an encryption certificate.
It's only required if the SAML assertion is to be encrypted and you wish to use a different certificate for the encryption.

Now I have another problem:
I copied the certificate.pfx inside C:\SAML v2.0 for .NET\Examples\Metadata\ExportMetadata\bin\Debug and am running ExportMetadata.exe in debug mode.
After being prompted for X.509 signature certificate file: certificate.pfx
I receive an error about "incorrect network password". Inside saml.config (copied in the same folder) the "LocalCertificatePassword" is correct.
I am working on my laptop, do I need to install certificate.pfx?

Regards,
Fabio

ComponentSpace Development

Group: Administrators
Posts: 3.2K, Visits: 11K
It's prompting for a certificate file with a .CER extension rather than a .PFX extension.
I'll see that ExportMetadata is updated to make this clearer.
You need the corresponding .CER file to your .PFX file.
Your .PFX file contains your certificate and private key.
The .CER file contains your certificate and public key.
You can use the following PowerShell cmdlets to create a .CER from your .PFX.

Get-PfxCertificate -FilePath certificate.pfx | Export-Certificate -FilePath certificate.cer
Regards
ComponentSpace Development
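The one-liner above produces the .CER, but it does not tell you whether the .PFX actually carries a private key, whether the password in LocalCertificatePassword opens it (the "incorrect network password" symptom from the earlier post), or whether the exported .CER really is the public half of that same key. The following script is an added example, not ComponentSpace's code or part of ExportMetadata; it assumes the file names used in this thread (certificate.pfx and certificate.cer in the current directory) and uses only standard .NET X509Certificate2 and the Export-Certificate cmdlet. The .CER it writes is the file to give the partner Identity Provider and to feed to the ExportMetadata prompt; the .PFX stays with the service provider.

```powershell
# Added example (not ComponentSpace's code): derive the .CER that ExportMetadata expects
# from the .PFX referenced by LocalCertificateFile, and check the pair before sharing it.
# Assumed paths: .\certificate.pfx and .\certificate.cer (the names used in this thread).
param(
    [string]$PfxPath = '.\certificate.pfx',
    [string]$CerPath = '.\certificate.cer'
)

# Load the PFX with the same passphrase that saml.config stores in LocalCertificatePassword.
# A wrong passphrase fails here, which separates a password problem from a wrong-file-type problem.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (value of LocalCertificatePassword)'
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    (Resolve-Path $PfxPath).Path, $pfxPassword)

if (-not $pfx.HasPrivateKey) {
    throw "$PfxPath loaded but carries no private key; the SP cannot sign AuthnRequests with it."
}

# Export only the certificate (public key) as DER. This is what goes into the SP metadata
# and what the partner IdP receives; the private key never leaves the PFX.
Export-Certificate -Cert $pfx -FilePath $CerPath -Type CERT | Out-Null

# Reload the .CER without any password and confirm it is the public half of the same key pair.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    (Resolve-Path $CerPath).Path)

if ($cer.HasPrivateKey) {
    throw "$CerPath unexpectedly contains a private key; do not send it to the partner."
}
if ($cer.Thumbprint -ne $pfx.Thumbprint) {
    throw "Thumbprint mismatch: $CerPath does not belong to $PfxPath."
}

# The partner IdP rejects signatures once NotAfter passes, so flag an approaching expiry early.
if ($cer.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cer.NotAfter); plan a rollover with the partner IdP."
}

# Summary to paste into the change ticket when sending the .CER / metadata to the customer.
[pscustomobject]@{
    Subject    = $cer.Subject
    Thumbprint = $cer.Thumbprint
    NotAfter   = $cer.NotAfter
    PfxHasKey  = $pfx.HasPrivateKey
    CerHasKey  = $cer.HasPrivateKey
}
```

Save it as a .ps1 and run it from the folder that holds certificate.pfx; the thumbprint it prints is the value the partner can compare against the certificate embedded in the exported metadata.xml. Because the .CER has no private key, sharing it (or a .txt-renamed copy over email, as suggested above) exposes nothing beyond what the metadata already publishes.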