SAML Get started - kmd-identity/documentation GitHub Wiki
How to integrate your application with KMD Identity based on SAML
Have a look at our sample and test applications for inspiration.
KMD Identity federation metadata
The federation metadata url for KMD Identity is: https://identity.kmd.dk/federationmetadata/2007-06/federationmetadata.xml
Poll the KMD Identity federation metadata URL at least once a day and refresh the signing certificates your application trusts from it. KMD Identity rotates its certificates; an application that still trusts only the old certificate fails signature validation on every SAML response, and users see authentication errors.
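As an added example of the daily refresh described above (not code from the KMD Identity documentation or its sample applications, and written in Python rather than the .NET used by the samples because the metadata handling is language-independent), the following reads the IdP signing certificates out of a SAML federation metadata document and diffs them against the fingerprints an application currently trusts. The metadata document, its entityID and the certificates are constructed placeholders; only the federation metadata URL comes from the page.

```python
"""Added example: refresh the IdP signing certificates trusted by a relying party
from the KMD Identity federation metadata. Not from the KMD documentation."""
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

FEDERATION_METADATA_URL = "https://identity.kmd.dk/federationmetadata/2007-06/federationmetadata.xml"
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fetch_federation_metadata(url: str = FEDERATION_METADATA_URL, timeout: float = 10.0) -> bytes:
    """Download the metadata document (network; not used by the offline sample below).
    Refuse plain http so the trust anchors cannot be swapped by a downgrade."""
    if not url.lower().startswith("https://"):
        raise ValueError("federation metadata must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the value to compare and log."""
    return hashlib.sha256(der).hexdigest()


def idp_signing_certs(metadata_xml: bytes) -> dict[str, bytes]:
    """Return {fingerprint: DER} for every certificate the IdP may sign with.

    Per the SAML metadata spec a KeyDescriptor without a 'use' attribute is
    valid for both signing and encryption, so it is kept; use="encryption"
    keys must not be trusted for signature validation. Only IDPSSODescriptor
    roles are read, because the relying party validates what the IdP signs.
    """
    root = ET.fromstring(metadata_xml)
    certs: dict[str, bytes] = {}
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for x509 in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                der = base64.b64decode("".join((x509.text or "").split()))
                certs[fingerprint(der)] = der
    return certs


def refresh_trust(current: set[str], metadata_xml: bytes) -> tuple[set[str], set[str], set[str]]:
    """Daily job step: return (new trusted set, added, removed).

    Refuses to empty the trust store on a document with no signing certificate,
    which is more likely a broken fetch than a real rotation.
    """
    published = set(idp_signing_certs(metadata_xml))
    if not published:
        raise ValueError("metadata lists no IdP signing certificate; keeping current trust")
    return published, published - current, current - published


def _cert(label: str) -> str:
    """Constructed stand-in for a base64 DER certificate (real metadata carries X.509 DER)."""
    return base64.b64encode(f"constructed DER: {label}".encode()).decode()


# Constructed sample with the shape of federation metadata during a certificate
# rollover: the current and the next signing certificate are both published,
# plus an encryption-only certificate that must be ignored for signature trust.
SAMPLE_FEDERATION_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert('signing-current')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert('signing-next')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_cert('encryption-only')}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode()

# Constructed document with no IdP role at all, e.g. an error page saved as XML.
EMPTY_METADATA = b'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="x"/>'

if __name__ == "__main__":
    trusted = {fingerprint(b"constructed DER: signing-current")}
    trusted, added, removed = refresh_trust(trusted, SAMPLE_FEDERATION_METADATA)
    print("trusted:", sorted(trusted), "added:", sorted(added), "removed:", sorted(removed))
```

In a real job, replace the sample with `fetch_federation_metadata()`, persist the returned trusted set, and alert on every non-empty `added` or `removed` so a rotation is visible before the old certificate disappears from the metadata.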
Requirements
- Have a valid OCES3 production certificate.
- Have an endpoint where the federation metadata for the application is available. KMD Identity uses this metadata to configure the application, to validate the signatures on messages from the application and to encrypt assertions sent to it.
- The metadata endpoint must be reachable from the internet, without expiration, and its URL must not change. KMD Identity refreshes its configuration from this endpoint once a day; if the URL changes, KMD Identity can no longer retrieve updated configuration (for example a renewed certificate).
- The metadata must specify a certificate for both signing and encryption. This can be the same certificate.
- The endpoints specified in the metadata (such as your application's AssertionConsumerService and SingleLogoutService) must use HTTPS (i.e. begin with "https://").
- .NET applications can use ITFoxtec SAML nuget packages to generate federation metadata.
- The metadata endpoint is usually available directly in the application integrating with KMD Identity. See MetadataController in the sample and test applications repository.
- A metadata endpoint is also needed for local development. Generate the federation metadata XML file locally and make it publicly available. Do not edit or reformat the file in any way; when viewing it in a browser it can be saved as-is with Ctrl+S. An Azure Storage Account can be used to host the application metadata file.
- Ensure the proper contact persons are set in the metadata file.
- An example of a metadata endpoint, from the KMD Identity SAML Test Application: https://test-saml-web.identity.kmd.dk/Metadata
- Specify a unique SAML EntityID (Relying Party identifier). The recommended form for the EntityID is https://saml.schemas.[PRODUCTNAME].[ORGANIZATION].dk/realm/[ORGANIZATION].[PRODUCTNAME].[ENVIRONMENT]
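As an added example (not code from the KMD Identity documentation, the ITFoxtec packages or the sample applications), the following Python linter checks an application's SAML metadata document against the requirements listed above before it is submitted: a signing and an encryption certificate (one certificate may cover both), HTTPS-only AssertionConsumerService and SingleLogoutService endpoints, a ContactPerson with an e-mail address, and the recommended EntityID form. The two metadata documents, their URLs and the certificate value are constructed samples; treating the bracketed parts of the EntityID template as single DNS-label-like tokens is an assumption, since the page only gives the template.

```python
"""Added example: lint a relying-party (SP) metadata document against the
KMD Identity checklist. Not from the KMD Identity documentation or samples."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Recommended EntityID template. Treating [PRODUCTNAME], [ORGANIZATION] and
# [ENVIRONMENT] as single DNS-label-like tokens is an assumption of this example.
ENTITY_ID_RE = re.compile(
    r"^https://saml\.schemas\.(?P<product>[a-z0-9-]+)\.(?P<org>[a-z0-9-]+)\.dk"
    r"/realm/(?P=org)\.(?P=product)\.(?P<env>[a-z0-9-]+)$",
    re.IGNORECASE,
)


def lint_sp_metadata(xml_bytes: bytes) -> list[str]:
    """Return findings ('ERROR: ...' blocks onboarding, 'WARN: ...' is advisory); [] means clean."""
    findings: list[str] = []
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["ERROR: root element is not md:EntityDescriptor"]

    entity_id = root.get("entityID", "")
    if not entity_id:
        findings.append("ERROR: entityID is missing")
    elif not ENTITY_ID_RE.match(entity_id):
        findings.append(f"WARN: entityID {entity_id!r} does not follow the recommended "
                        "https://saml.schemas.[PRODUCTNAME].[ORGANIZATION].dk/realm/... form")
    if root.get("validUntil"):
        # The endpoint must stay valid without expiration for the daily refresh;
        # a validUntil that passes makes the published document unusable.
        findings.append(f"WARN: validUntil={root.get('validUntil')} will expire the metadata")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        findings.append("ERROR: no SPSSODescriptor role")
        return findings

    # A KeyDescriptor without 'use' covers both signing and encryption (SAML
    # metadata spec); one certificate may serve both, but both uses must be covered.
    covered = {"signing": False, "encryption": False}
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            continue
        for use in covered:
            if kd.get("use") in (None, use):
                covered[use] = True
    for use, ok in covered.items():
        if not ok:
            findings.append(f"ERROR: no {use} certificate in the metadata")

    if sp.find("md:AssertionConsumerService", NS) is None:
        findings.append("ERROR: no AssertionConsumerService endpoint")
    for tag in ("AssertionConsumerService", "SingleLogoutService"):
        for ep in sp.findall(f"md:{tag}", NS):
            for attr in ("Location", "ResponseLocation"):
                loc = ep.get(attr)
                if loc and not loc.lower().startswith("https://"):
                    findings.append(f"ERROR: {tag} {attr} is not https: {loc}")

    if not any(c.findtext("md:EmailAddress", default="", namespaces=NS).strip()
               for c in root.findall("md:ContactPerson", NS)):
        findings.append("ERROR: no ContactPerson with an EmailAddress")
    return findings


_CERT = "Q29uc3RydWN0ZWQ="  # constructed base64 placeholder, not a real certificate


def _sp_metadata(entity_id: str, acs: str, slo: str, uses: tuple, contact: bool) -> bytes:
    """Build a constructed SP metadata document for the samples below."""
    keys = "".join(
        f'<KeyDescriptor use="{u}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_CERT}'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>" for u in uses)
    contact_xml = ('<ContactPerson contactType="technical"><EmailAddress>ops@example.invalid'
                   "</EmailAddress></ContactPerson>" if contact else "")
    return (f'<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
            f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="{entity_id}">'
            f'<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{keys}'
            f'<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{slo}"/>'
            f'<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            f'Location="{acs}" index="0"/></SPSSODescriptor>{contact_xml}</EntityDescriptor>').encode()


# Constructed sample that meets the checklist (hypothetical product/org names).
GOOD_SP = _sp_metadata("https://saml.schemas.myproduct.myorg.dk/realm/myorg.myproduct.test",
                       "https://myproduct.myorg.dk/Auth/AssertionConsumerService",
                       "https://myproduct.myorg.dk/Auth/SingleLogout", ("signing", "encryption"), True)
# Constructed sample with typical mistakes: off-pattern entityID, plain-http ACS,
# only a signing certificate, and no contact person.
BAD_SP = _sp_metadata("https://myproduct.myorg.dk/saml",
                      "http://myproduct.myorg.dk/Auth/AssertionConsumerService",
                      "https://myproduct.myorg.dk/Auth/SingleLogout", ("signing",), False)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_SP), ("bad", BAD_SP)):
        print(name, lint_sp_metadata(doc) or "OK")
```

Run it against the XML served by your own metadata endpoint (not a reformatted copy) before filing the service request; any ERROR line is something KMD Identity will not be able to configure around.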
Contact KMD Identity
Once the requirements above are met, contact the KMD Identity team to have the application configured in KMD Identity. Remember to include the metadata endpoint URL in the service request.