Creating a SAML Metadata File - Digital-Platform-Services/My-NS-Account GitHub Wiki


About Single Sign-on and Metadata

For Single Sign-on to work, two parties must agree to let their servers pass information to one another. This agreement takes the form of a metadata file exchange: the identity provider (IdP) defines how a party that wishes to access user identity information may communicate with it. In exchange, the party that consumes the user identity (your application, also known as the relying party (RP)) provides its own communication details, explaining how the IdP may return the requested information to it.

A SAML connection depends on two sides exchanging information so that a user who is about to log in can be verified. To accomplish this, metadata describing both the RP and the IdP, including their endpoints, must be exchanged in both directions.

My NS Account Integration - IdP Metadata

As part of the My NS Account integration process, we provide you with the IdP metadata, which defines how our service is configured and how best to communicate with it. It will be used to configure your application to securely exchange data with our IdP.

My NS Account Integration - RP Metadata

To complete the integration with My NS Account, you provide us with XML data about your application that will define your application and how best to communicate with it for the SAML connection. There are many applications/frameworks/modules that have the ability to automatically create a metadata file for SAML integration. In cases where you have to build your own metadata file from scratch, our metadata template is a freely available resource to assist you.

Creating a custom metadata file

Checklist

  • Ensure the metadata file has a unique ID (starting with an underscore "_" character)
  • Ensure the metadata expiry date (validUntil="YYYY-MM-DDT00:00:00.000Z") matches the expiry date of your signing and encryption certificates

Minimum metadata requirements

No matter how you go about generating your metadata file, there are a few minimum requirements:

  1. A unique EntityID

  2. The Signature shall use:

    • xml-exc-c14n (Exclusive XML Canonicalization) as the canonicalization method
    • rsa-sha256 as the signature method
    • the following transforms: enveloped signature AND xml-exc-c14n
    • sha256 as the digest method
  3. In the SPSSODescriptor:

    • AuthnRequestsSigned must be true

    • WantAssertionsSigned must be true

    • NameIDFormat must be persistent

    • NameIDPolicy must be AllowCreate="true"

    • KeyDescriptors

      • Both the Signing and the Encryption use must be supplied
      • If you have a dual-purpose certificate, you can either use one KeyDescriptor with no "use" attribute (undefined use) or place the same certificate in both the Signing and the Encryption KeyDescriptor.
    • The following protocols and bindings shall be included:

| Protocol | Binding |
| --- | --- |
| SingleLogoutService | HTTP-Redirect and SOAP |
| ManageNameIDService | SOAP |
| AssertionConsumerService | HTTP-POST |
| Extensions > ChangeNotifyService | SOAP |
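The checklist and the minimum requirements above are easy to get slightly wrong by hand (a weak signature algorithm, a missing binding, a validUntil that drifts away from the certificate expiry). The following script is an added example, not code from the My NS Account project, that parses an RP metadata file with the Python standard library and reports every requirement it fails. The sample metadata is constructed; the example.org URLs, the certificate, digest and signature values, and the XML namespace used for ChangeNotifyService are placeholders (the page does not give that namespace, so the check matches on the element's local name). The certificate expiry is passed in separately, as the date you would read from `openssl x509 -enddate`. NameIDPolicy/AllowCreate is not checked because it is an attribute of the AuthnRequest your application sends, not of the metadata.

```python
"""Check SAML SP (relying-party) metadata against the checklist above.
Added example, not code from the My NS Account project; standard library only.
SAMPLE_METADATA is constructed; certificate, digest and signature values are
placeholders and the ChangeNotifyService namespace is an assumption."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"
# Required endpoints and the bindings each must expose, from the table above.
REQUIRED_SERVICES = {
    "SingleLogoutService": {BIND + "HTTP-Redirect", BIND + "SOAP"},
    "ManageNameIDService": {BIND + "SOAP"},
    "AssertionConsumerService": {BIND + "HTTP-POST"},
}


def _alg(parent, path):
    """Algorithm attribute of the element at path under parent, or None if absent."""
    el = parent.find(path, NS) if parent is not None else None
    return el.get("Algorithm") if el is not None else None


def check_metadata(xml_text, cert_not_after=None):
    """Return a list of checklist violations; an empty list means the metadata passes.
    cert_not_after is the certificate's notAfter date (YYYY-MM-DD...), read out of band."""
    problems = []
    root = ET.fromstring(xml_text)
    if not root.get("ID", "").startswith("_"):
        problems.append("metadata ID must start with an underscore")
    if not root.get("entityID"):
        problems.append("entityID is missing")
    valid_until = root.get("validUntil", "")
    if not valid_until:
        problems.append("validUntil is missing")
    elif cert_not_after and valid_until[:10] != cert_not_after[:10]:
        problems.append(f"validUntil {valid_until} does not match certificate expiry {cert_not_after}")
    # Signature: exclusive c14n, rsa-sha256, enveloped + exc-c14n transforms, sha256 digest.
    si = root.find("ds:Signature/ds:SignedInfo", NS)
    if si is None:
        problems.append("Signature/SignedInfo is missing")
    else:
        if _alg(si, "ds:CanonicalizationMethod") != EXC_C14N:
            problems.append("CanonicalizationMethod must be xml-exc-c14n")
        if _alg(si, "ds:SignatureMethod") != RSA_SHA256:
            problems.append("SignatureMethod must be rsa-sha256")
        transforms = {t.get("Algorithm") for t in si.findall("ds:Reference/ds:Transforms/ds:Transform", NS)}
        if transforms != {ENVELOPED, EXC_C14N}:
            problems.append("Transforms must be exactly enveloped-signature and xml-exc-c14n")
        if _alg(si, "ds:Reference/ds:DigestMethod") != SHA256:
            problems.append("DigestMethod must be sha256")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["SPSSODescriptor is missing"]
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":
            problems.append(f"{attr} must be true")
    if PERSISTENT not in [f.text for f in sp.findall("md:NameIDFormat", NS)]:
        problems.append("NameIDFormat must be persistent")
    # A KeyDescriptor with no use attribute is dual-purpose (signing and encryption).
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    if None not in uses and not {"signing", "encryption"} <= uses:
        problems.append("KeyDescriptors must cover both signing and encryption")
    for service, needed in REQUIRED_SERVICES.items():
        found = {e.get("Binding") for e in sp.findall("md:" + service, NS)}
        if needed - found:
            problems.append(f"{service} is missing bindings: {sorted(needed - found)}")
    # ChangeNotifyService sits under Extensions; its namespace is not given, so match the local name.
    ext = sp.find("md:Extensions", NS)
    notify = [e for e in (ext.iter() if ext is not None else [])
              if e.tag.rsplit("}", 1)[-1] == "ChangeNotifyService"]
    if not any(e.get("Binding") == BIND + "SOAP" for e in notify):
        problems.append("Extensions/ChangeNotifyService with SOAP binding is missing")
    return problems


# Constructed sample that satisfies every check; PLACEHOLDER values are not real.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example-sp-metadata-1"
  entityID="https://rp.example.org/saml" validUntil="2026-12-31T00:00:00.000Z">
 <ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_example-sp-metadata-1"><ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
   <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><ext:ChangeNotifyService xmlns:ext="urn:placeholder:extension-ns"
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://rp.example.org/saml/notify"/></md:Extensions>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://rp.example.org/saml/slo"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://rp.example.org/saml/slo"/>
  <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://rp.example.org/saml/mni"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://rp.example.org/saml/acs" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, cert_not_after="2026-12-31") or "metadata passes all checks")
```

Run it against your own file with `check_metadata(open("sp-metadata.xml").read(), cert_not_after="...")`; the script only inspects structure and algorithm identifiers, it does not verify the signature value itself, so a clean result means the file meets the checklist, not that it has been signed correctly.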