How to create federation metadata XML for "Relying Party Trust" and "Claims Provider Trusts" for ADFS 2.0


One of our web apps would like to connect with an ADFS 2.0 server to get a credential token and check the user roles based on that. The ADFS server admin asked us to give them a federation metadata XML file to let them create Relying Party Trusts. I googled and only found how to download the ADFS server's federation metadata XML using the URL https://[adfs server name]/federationmetadata/2007-06/federationmetadata.xml, but I couldn't find any guide to creating a federation metadata XML for creating "Relying Party Trust" and "Claims Provider Trusts". Is there a tool for creating those metadata files? Please share some ideas on how to create them.

Thanks

Lu

Answer my own question:

I found that the Federation Utility tool in WindowsIdentityFoundation-SDK-4.0 at http://www.microsoft.com/en-ca/download/details.aspx?id=4451 will do it.

4

There are 4 answers

1
rbrayb On BEST ANSWER

Actually the URL is

https://server/federationmetadata/2007-06/federationmetadata.xml

There are no tools that I am aware of.

You can use the Microsoft.IdentityModel.Protocols.WSFederation.Metadata class or refer to Generating Federation Metadata Dynamically.

Have a look at "Thinktecture.IdentityServer.v2 / src / Libraries / Thinktecture.IdentityServer.Protocols / FederationMetadata" over at Thinktecture.IdentityServer.v2.

Or if your application uses WIF it's in the metadata directory.

Update:

In WIF, unless you want the token to be encrypted, you don't need the certificate. That's more for the ADFS side, as it has to sign the token and the app needs the public key to verify it.

Example:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_5b6cd05c-a5e3-470d-a2fc-6c6f66633d1b" entityID="http://localhost/app/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <RoleDescriptor xsi:type="fed:ApplicationServiceType" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <fed:ClaimTypesRequested>
            <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
            <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" />
        </fed:ClaimTypesRequested>
        <fed:TargetScopes>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:TargetScopes>
        <fed:PassiveRequestorEndpoint>
            <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                <Address>http://localhost/app/</Address>
            </EndpointReference>
        </fed:PassiveRequestorEndpoint>
    </RoleDescriptor>
</EntityDescriptor>

where localhost\app\ needs to be your app's URL. Note the trailing slash!
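As an added illustration (this is not part of rbrayb's answer or any Microsoft/Thinktecture code), the following Python script produces the same EntityDescriptor/RoleDescriptor shape shown above from a few parameters and then parses the result back to catch the usual mistakes: a missing trailing slash, a missing endpoint or no requested claim types. The function names (build_rp_metadata, check_rp_metadata, requested_claims) are this example's own; the namespace and claim-type URIs are the standard ones that appear in the XML above, and the certificate value used in the demonstration is a constructed placeholder.

```python
"""Build and sanity-check WS-Federation relying-party (RP) metadata for AD FS 2.0.

Added example, not code from the answer: it emits the EntityDescriptor /
RoleDescriptor layout shown in the answer from a few parameters and re-parses
it to report the common mistakes.  Function names are this example's own.
"""
import uuid
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_FED = "http://docs.oasis-open.org/wsfed/federation/200706"
NS_AUTH = "http://docs.oasis-open.org/wsfed/authorization/200706"
NS_WSA = "http://www.w3.org/2005/08/addressing"
NS_XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"

# The two claim types requested in the answer's example (name and role).
DEFAULT_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
)

# Register prefixes so the output reads like the hand-written XML
# (default namespace for SAML metadata, fed:/auth:/xsi:/ds: for the rest).
for _prefix, _uri in (("", NS_MD), ("fed", NS_FED), ("auth", NS_AUTH),
                      ("xsi", NS_XSI), ("ds", NS_DS)):
    ET.register_namespace(_prefix, _uri)


def _q(ns, local):
    """Clark-notation name ({namespace}local) as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def build_rp_metadata(app_url, claim_uris=DEFAULT_CLAIMS, encryption_cert_b64=None):
    """Return RP federation metadata as an XML string.

    app_url is used as the entityID and as both WS-Fed endpoint addresses and
    must end with '/' (the trailing-slash note in the answer).
    encryption_cert_b64 (base64 DER, no PEM headers) is only needed when
    AD FS should encrypt tokens for this RP; it is omitted otherwise.
    """
    if not app_url.endswith("/"):
        raise ValueError("application URL must end with a slash: %r" % app_url)

    root = ET.Element(_q(NS_MD, "EntityDescriptor"),
                      {"ID": "_" + str(uuid.uuid4()), "entityID": app_url})
    role = ET.SubElement(root, _q(NS_MD, "RoleDescriptor"),
                         {_q(NS_XSI, "type"): "fed:ApplicationServiceType",
                          "protocolSupportEnumeration": NS_FED})

    if encryption_cert_b64:
        key = ET.SubElement(role, _q(NS_MD, "KeyDescriptor"), {"use": "encryption"})
        key_info = ET.SubElement(key, _q(NS_DS, "KeyInfo"))
        x509 = ET.SubElement(key_info, _q(NS_DS, "X509Data"))
        ET.SubElement(x509, _q(NS_DS, "X509Certificate")).text = encryption_cert_b64

    claims = ET.SubElement(role, _q(NS_FED, "ClaimTypesRequested"))
    for uri in claim_uris:
        ET.SubElement(claims, _q(NS_AUTH, "ClaimType"), {"Uri": uri, "Optional": "true"})

    # Both WS-Fed elements wrap a WS-Addressing EndpointReference with the app URL.
    for local in ("TargetScopes", "PassiveRequestorEndpoint"):
        wrapper = ET.SubElement(role, _q(NS_FED, local))
        epr = ET.SubElement(wrapper, _q(NS_WSA, "EndpointReference"))
        ET.SubElement(epr, _q(NS_WSA, "Address")).text = app_url

    # Serialising through ElementTree escapes the URL, so a caller-supplied
    # value cannot break out of the attribute or element it lands in.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_rp_metadata(xml_text):
    """Parse RP metadata and return a list of problems (empty means it looks sane)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != _q(NS_MD, "EntityDescriptor"):
        return ["root element is not a SAML metadata EntityDescriptor"]
    if not root.get("entityID", "").endswith("/"):
        problems.append("entityID does not end with '/'")
    role = root.find(_q(NS_MD, "RoleDescriptor"))
    if role is None:
        return problems + ["no RoleDescriptor"]
    if not role.get(_q(NS_XSI, "type"), "").endswith(":ApplicationServiceType"):
        problems.append("RoleDescriptor is not an ApplicationServiceType")
    for local in ("TargetScopes", "PassiveRequestorEndpoint"):
        addr = role.find("%s/%s/%s" % (_q(NS_FED, local), _q(NS_WSA, "EndpointReference"),
                                       _q(NS_WSA, "Address")))
        text = (addr.text or "").strip() if addr is not None else ""
        if not text:
            problems.append("%s has no Address" % local)
        elif not text.endswith("/"):
            problems.append("%s address does not end with '/'" % local)
    if not role.findall("%s/%s" % (_q(NS_FED, "ClaimTypesRequested"), _q(NS_AUTH, "ClaimType"))):
        problems.append("no claim types requested")
    return problems


def requested_claims(xml_text):
    """Return the claim URIs an RP metadata file asks AD FS for."""
    root = ET.fromstring(xml_text)
    return [c.get("Uri") for c in root.iter(_q(NS_AUTH, "ClaimType"))]


if __name__ == "__main__":
    doc = build_rp_metadata("https://app.example.test/rp/")  # constructed sample URL
    print(doc)
    print("problems:", check_rp_metadata(doc))
```

Run it once to print the generated file; feed a hand-edited metadata file to check_rp_metadata before handing it to the AD FS admin, since a URL without the trailing slash is the mistake the answer warns about and it is easy to miss by eye.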

1
Richard G On

I had to do this recently, having never used .Net or ADFS before, and having only the server (STS) metadata URL that I was trying to integrate with. I had a basic Windows 10 PC and was trying to set up a Node.js webapp as an RP. This is what I did:

  1. On the Win 10 PC, went to Control Panel -> Programs and Features -> Turn Windows features on or off -> Enable Windows Identity Foundation 3.5

  2. Installed Windows Identity Foundation SDK 4.0 (as referred to by the original author).

  3. Created a basic Web.config file which contained:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
    
      </system.web>
    </configuration>
    
  4. In the SDK installation directory, I found FedUtil.exe and FedUtilSampleUserInput.xml. The sample file explained all the parameters that FedUtil.exe was going to ask for, which was very helpful.

  5. Launched FedUtil.exe as Administrator (right-click in File Explorer), providing the Web.config file I just created, the webapp URL, the server (STS) metadata URL as the "existing STS", and selecting to create a new default certificate.

  6. Lo and behold, a FederationMetadata.xml file was generated and my Web.config file was updated automatically.

  7. I then un-commented some of the claim types in the updated Web.config file and re-ran FedUtil.exe, which then updated my FederationMetadata.xml with the additional claim types that I needed from the STS (e.g., email, given name, surname).

  8. Provided the FederationMetadata.xml to the STS admin, which worked!

Only downside is that this all required a Windows machine ... I'm not sure what I would have done on Mac or Linux!

0
Dscoduc On

For creating SAML RP Metadata there is a web based tool available at samltool.com which can help out. I haven't found one for WS-Federation other than the Federation Utility...

I also recently discovered the site rcFederation which supports AD FS / WS-Federation

0
AfjLee On

The metadata XML for creating a "Relying Party Trust" is not the ADFS federation metadata, but the SP's (SAML issuer's) metadata XML.