IBM Security Verify

  • 1.  How to configure a SAML 2.0 Partner without metadata.xml

    Posted Wed May 05, 2021 02:00 PM
    If a Service Provider cannot generate a metadata.xml file that I can use to create a Partner in ISVA that is configured to be the Identity Provider, what should I do?
    • Insert a dummy metadata.xml and later change the attributes, endpoints, etc.
    • Generate a metadata.xml with the data provided?
    Use a site like https://www.samltool.com/sp_metadata.php, to generate one? Does IBM have a site like this?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    ------------------------------


  • 2.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    Posted Wed May 05, 2021 02:23 PM
    Joao,

    Yes, you would have to build a metadata file from the information provided by the Service Provider.

    IBM doesn't provide a tool to do this but it's (relatively) simple to build your own in a text editor.  I suspect a script could do it too with only minimal effort.
    If you've found an external tool that can do it then that seems fine too.

    BTW, worth saying that the ability to generate a metadata file is a requirement for being SAML 2.0 compliant... but I understand that many service providers don't adhere to this these days and prefer cut-and-paste of values between SP and IdP.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
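    Jon mentions that a script could build the metadata file with minimal effort. The following is an added example of such a script (it is not IBM's or ISVA's code and did not come from this thread): it takes the values an SP typically sends out-of-band (entityID, ACS URL, optional SLO URL, NameID format, signing certificate), refuses a non-https endpoint before it reaches the IdP, emits SPSSODescriptor metadata in schema order, and parses the result back so you can see what the IdP will actually trust. All URLs and the certificate are constructed placeholders; the certificate body is valid base64 but not a real X.509 certificate.

```python
"""Build SAML 2.0 SP metadata.xml from values supplied out-of-band.
Added example, not IBM/ISVA code. All sample values are constructed."""
import base64
import re
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", NS_MD)
ET.register_namespace("ds", NS_DS)

BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _md(tag):
    return f"{{{NS_MD}}}{tag}"


def _ds(tag):
    return f"{{{NS_DS}}}{tag}"


def _pem_body(pem: str) -> str:
    """Strip PEM armor and whitespace; reject anything that is not base64."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = "".join(body.split())
    base64.b64decode(body, validate=True)  # raises binascii.Error on junk
    return body


def build_sp_metadata(entity_id, acs_url, *, acs_binding=BINDING_POST,
                      slo_url=None, nameid_format=NAMEID_EMAIL,
                      signing_cert_pem=None, want_assertions_signed=True):
    """Return SP metadata XML assembled from hand-supplied values."""
    # The ACS URL is where the IdP will POST assertions carrying the user's
    # identity, so a typo here is a real risk: refuse obvious mistakes early.
    if not entity_id:
        raise ValueError("entityID is required")
    for url in (acs_url, slo_url):
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"endpoint must be https: {url}")

    root = ET.Element(_md("EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        # Only claim signed AuthnRequests if the SP actually gave us a key.
        "AuthnRequestsSigned": "true" if signing_cert_pem else "false",
        "WantAssertionsSigned": "true" if want_assertions_signed else "false",
    })
    # Schema order: KeyDescriptor, SingleLogoutService, NameIDFormat, ACS.
    if signing_cert_pem:
        kd = ET.SubElement(sp, _md("KeyDescriptor"), {"use": "signing"})
        x509 = ET.SubElement(ET.SubElement(kd, _ds("KeyInfo")), _ds("X509Data"))
        ET.SubElement(x509, _ds("X509Certificate")).text = _pem_body(signing_cert_pem)
    if slo_url:
        ET.SubElement(sp, _md("SingleLogoutService"),
                      {"Binding": BINDING_REDIRECT, "Location": slo_url})
    ET.SubElement(sp, _md("NameIDFormat")).text = nameid_format
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": acs_binding, "Location": acs_url,
        "index": "0", "isDefault": "true"})
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def summarize_sp_metadata(xml_text):
    """Parse metadata back and list what an IdP importing it would trust."""
    root = ET.fromstring(xml_text)
    sp = root.find(_md("SPSSODescriptor"))
    cert_path = "/".join([_md("KeyDescriptor"), _ds("KeyInfo"),
                          _ds("X509Data"), _ds("X509Certificate")])
    return {
        "entity_id": root.get("entityID"),
        "acs": [(e.get("Binding"), e.get("Location"))
                for e in sp.findall(_md("AssertionConsumerService"))],
        "slo": [e.get("Location") for e in sp.findall(_md("SingleLogoutService"))],
        "has_signing_cert": sp.find(cert_path) is not None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


# Constructed sample values standing in for what an SP would send by e-mail.
CONSTRUCTED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)
SP_VALUES = dict(
    entity_id="https://sp.example.test/saml",
    acs_url="https://sp.example.test/saml/acs",
    slo_url="https://sp.example.test/saml/slo",
    signing_cert_pem=CONSTRUCTED_CERT_PEM,
)

if __name__ == "__main__":
    print(build_sp_metadata(**SP_VALUES))
```

    Running the script prints a metadata.xml that can be imported as the partner definition; the parse-back summary is the check worth doing before import, since the ACS Location and the signing certificate are exactly the two values a cut-and-paste mistake would get wrong.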



  • 3.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    Posted Thu May 06, 2021 02:37 AM
    Hello,

    Through the REST API, you can configure partners without using metadata.xml. Actually, metadata.xml is only used for import; you can't export it later on whatsoever.

    ------------------------------
    Cedric Servais
    ------------------------------



  • 4.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    IBM Champion
    Posted Thu May 13, 2021 04:45 PM
    Hi all,

    I'm also facing the same scenario: I don't have a metadata.xml from the Service Provider and I needed to input all the information manually, but in my case, when the user calls the backend application, a json file is used in the backend to call the ISVA SSO login page. When this happens, the backend URL is concatenated with the ISVA SSO login URL and becomes like this: https://reverseproxy/sps/junction/saml20/loginhttps://backend_application
    Does this behavior happen to you?

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 5.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    Posted Thu May 13, 2021 05:04 PM
    In fact, I told the Service Provider to generate the metadata.xml and I am still waiting for this info.
    So, I didn't experience anything like that at the moment.

    The login protocol can be initiated by either the Service Provider or the Identity Provider. I believe you are saying that in your scenario, the flow is starting from the Service Provider. After this, the protocol between the endpoints is standard. I don't understand what is happening in your case. Which backend URL are you referring to?

    From what I see also, is that your endpoint is not correct. The SAML login endpoint is https://Host:Port/Junction/sps/Federation_name/saml20/login
    Please check this!

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 6.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    IBM Champion
    Posted Thu May 13, 2021 05:47 PM
    Hi Joao.

    You can input information from the partner manually in your IdP if you know the endpoints that you need for the SAML assertion.

    No, I can't log on when initiating from the IdP.


    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------



  • 7.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    Posted Fri May 14, 2021 09:12 AM
    You do not initiate the protocol with that URL. The correct URL would be "logininitial", not "login" at the end of the URL.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 8.  RE: How to configure a SAML 2.0 Partner without metadata.xml

    IBM Champion
    Posted Fri May 14, 2021 10:27 AM
    Hi Joao,

    Other error:

    I didn't know that I could initiate the login by the IdP side, only the SP side.

    Regards,

    ------------------------------
    Alexandre Gammaro
    CyberSecurity Specialist
    Triscal
    ------------------------------