Creating a SAML Metadata File - Digital-Platform-Services/My-NS-Account GitHub Wiki
About Single Sign-on and Metadata
Single Sign-on only works when two parties agree to let their servers exchange information with one another. That agreement takes the form of a metadata exchange: the identity provider (IdP) publishes metadata describing how a party that wants user identity information must communicate with it, and the party that consumes that identity (your application, known as the relying party (RP), or service provider (SP) in SAML terms) publishes metadata describing how the IdP may return the requested information to it.
A SAML connection therefore depends on both sides exchanging information so that a user who logs in can be verified. Metadata must be exchanged in both directions, describing the RP and the IdP, their endpoints, and the certificates each side signs and encrypts with.
My NS Account Integration - IdP Metadata
As part of the My NS Account integration process, we provide you with the IdP metadata, which describes how our service is configured and how to communicate with it. You use it to configure your application to exchange data securely with our IdP.
My NS Account Integration - RP Metadata
To complete the integration with My NS Account, you provide us with an XML metadata document that describes your application and how to communicate with it over the SAML connection. Many applications, frameworks and modules can generate a SAML metadata file automatically. If you have to build your own metadata file from scratch, our metadata template is a freely available resource to assist you.
Creating a custom metadata file
Checklist
- Ensure the EntityDescriptor carries a unique ID attribute starting with an underscore ("_") character (an XML ID may not begin with a digit, and the signature's Reference URI points at this ID)
- Ensure the metadata expiry date (validUntil="YYYY-MM-DDT00:00:00.000Z", in UTC) matches the expiry date of your signing and encryption certificates, so the metadata never advertises keys that have already expired
Minimum metadata requirements
No matter how you go about generating your metadata file, there are a few minimum requirements:
- A unique entityID
- The Signature shall use:
  - Exclusive XML Canonicalization (xml-exc-c14n, http://www.w3.org/2001/10/xml-exc-c14n#)
  - the rsa-sha256 signature method
  - the following transforms:
    - enveloped signature
    - AND xml-exc-c14n
  - the sha256 digest method
- In the SPSSODescriptor:
  - AuthnRequestsSigned must be true
  - WantAssertionsSigned must be true
  - NameIDFormat must be persistent
  - NameIDPolicy must be AllowCreate="true" (NameIDPolicy is sent in each AuthnRequest rather than published in the metadata, so configure it in your SP's request settings)
  - KeyDescriptors:
    - Signing and Encryption use must be supplied
    - If you have a dual-purpose certificate you can use one KeyDescriptor with no use attribute, or use the same certificate in both the Signing and Encryption KeyDescriptors.
  - The following protocols and bindings shall be included:

| Protocol | Binding |
|---|---|
| SingleLogoutService | HTTP-Redirect and SOAP |
| ManageNameIDService | SOAP |
| AssertionConsumerService | HTTP-POST |
| Extensions > ChangeNotifyService | SOAP |
Single Logout Request
- HTTP-Redirect and SOAP bindings only.
- Sign the LogoutRequest and encrypt the NameID it carries
- The saml:NameID element SHOULD be encrypted, i.e. sent as a saml:EncryptedID element
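The checklist and minimum requirements above are easy to get subtly wrong by hand (a wrong canonicalization URI, a missing SOAP binding, a validUntil that drifts from the certificate). The following is an added example, not tooling from the My NS Account project: it builds an unsigned SP metadata document with the standard library that satisfies every item in the list, and a checker that reports which items a given metadata file (signed or not) violates. The entity ID, endpoint URLs and certificate are placeholders, and the namespace used for ChangeNotifyService is an assumption; take the real one from the CATS deployment profile.

```python
"""Build and check a minimal SAML 2.0 relying-party (SP) metadata document
against the checklist on this page.  Added example, not the My NS Account
project's own tooling; entity ID, URLs, certificate and the ChangeNotifyService
namespace are placeholders."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
CATS = "urn:example:cats-extensions"  # ASSUMPTION: use the namespace the CATS profile defines
for prefix, uri in (("md", MD), ("ds", DS), ("cats", CATS)):
    ET.register_namespace(prefix, uri)

# Algorithm, binding and format URIs the page requires
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SAML_TIME = "%Y-%m-%dT%H:%M:%S.000Z"


def build_metadata(entity_id, base_url, cert_b64, cert_not_after):
    """Return unsigned SP metadata as XML text.  validUntil is derived from the
    certificate expiry (an aware datetime) so the two always agree.  Children are
    emitted in schema order: Extensions, KeyDescriptor, SingleLogoutService,
    ManageNameIDService, NameIDFormat, AssertionConsumerService."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must not start with a digit
        "entityID": entity_id,
        "validUntil": cert_not_after.astimezone(timezone.utc).strftime(SAML_TIME),
    })
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    ext = ET.SubElement(sp, f"{{{MD}}}Extensions")
    ET.SubElement(ext, f"{{{CATS}}}ChangeNotifyService",
                  {"Binding": SOAP, "Location": base_url + "/saml/changenotify"})
    for use in ("signing", "encryption"):  # one dual-purpose cert in both, as the page allows
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": use})
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    for binding in (REDIRECT, SOAP):
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                      {"Binding": binding, "Location": base_url + "/saml/slo"})
    ET.SubElement(sp, f"{{{MD}}}ManageNameIDService",
                  {"Binding": SOAP, "Location": base_url + "/saml/mni"})
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = PERSISTENT
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST, "Location": base_url + "/saml/acs", "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def check_metadata(xml_text, cert_not_after=None, require_signature=True):
    """Return the list of checklist violations found in xml_text ([] = passes)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        return ["root must be md:EntityDescriptor with a non-empty entityID"]
    if not root.get("ID", "").startswith("_"):
        problems.append("ID attribute missing or not starting with '_'")
    if cert_not_after is not None:
        try:
            valid_until = datetime.strptime(root.get("validUntil", ""), SAML_TIME)
            if valid_until.replace(tzinfo=timezone.utc) != \
                    cert_not_after.astimezone(timezone.utc).replace(microsecond=0):
                problems.append("validUntil does not match the certificate expiry")
        except ValueError:
            problems.append("validUntil missing or not in YYYY-MM-DDThh:mm:ss.000Z form")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["SPSSODescriptor missing"]
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            problems.append(f"{attr} must be true")
    if PERSISTENT not in [e.text for e in sp.findall(f"{{{MD}}}NameIDFormat")]:
        problems.append("NameIDFormat persistent missing")
    uses = {kd.get("use") for kd in sp.findall(f"{{{MD}}}KeyDescriptor")}
    if not ({"signing", "encryption"} <= uses or None in uses):  # None = no use attribute
        problems.append("KeyDescriptors must cover signing and encryption")
    for tag, needed in (("SingleLogoutService", {REDIRECT, SOAP}),
                        ("ManageNameIDService", {SOAP}), ("AssertionConsumerService", {POST})):
        if not needed <= {e.get("Binding") for e in sp.findall(f"{{{MD}}}{tag}")}:
            problems.append(f"{tag} must offer bindings {sorted(needed)}")
    if not [e for e in sp.iterfind(f"{{{MD}}}Extensions/*")
            if e.tag.rsplit("}", 1)[-1] == "ChangeNotifyService" and e.get("Binding") == SOAP]:
        problems.append("Extensions/ChangeNotifyService with SOAP binding missing")
    info = root.find(f"{{{DS}}}Signature/{{{DS}}}SignedInfo")
    if info is None:
        if require_signature:
            problems.append("Signature missing (sign the file before sending it)")
        return problems
    def algo(path):  # Algorithm attribute of a SignedInfo child, or None
        e = info.find(path)
        return e.get("Algorithm") if e is not None else None
    if algo(f"{{{DS}}}CanonicalizationMethod") != EXC_C14N:
        problems.append("CanonicalizationMethod must be xml-exc-c14n")
    if algo(f"{{{DS}}}SignatureMethod") != RSA_SHA256:
        problems.append("SignatureMethod must be rsa-sha256")
    if algo(f"{{{DS}}}Reference/{{{DS}}}DigestMethod") != SHA256:
        problems.append("DigestMethod must be sha256")
    transforms = {t.get("Algorithm") for t in
                  info.iterfind(f"{{{DS}}}Reference/{{{DS}}}Transforms/{{{DS}}}Transform")}
    if transforms != {ENVELOPED, EXC_C14N}:
        problems.append("Transforms must be exactly enveloped-signature and xml-exc-c14n")
    return problems
```

Sign the output of build_metadata with your usual XML-DSig tool (the Signature must be the first child of EntityDescriptor and reference its ID), then run check_metadata on the signed file with the certificate's notAfter date before sending it to us. The checker deliberately reads algorithm URIs rather than trusting element names, so a tool that silently falls back to rsa-sha1 or inclusive c14n is caught.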
Cyber Authentication Technology Solutions (CATS 2.0)
docs/CATS_V2_0_Deployment_Profile_Final_r8_2_en.pdf
Latest Doc
https://canada-ca.github.io/CATS-STAE/archive/CATS_IAS_V2_0_Deployment_Profile_Final_r8_4_en.pdf