Microsoft ADFS Integration / WebSSO SAML

Here, you can see how to configure Ceptor to interact with Microsoft Active Directory Federation Services (ADFS) or other WebSSO capable products, supporting Identity Federation using either WS-Federation or SAML protocols.

This method of defining SAML Identity Providers and Service Providers is deprecated (although still supported and functional) - instead, refer to Federation - SAML / WebSSO for an easier method.


Using Ceptor as an Identity Provider

If you wish to federate the identity of an authenticated user to a third party, e.g. one that uses ADFS or supports WebSSO protocol, you can use Ceptor's builtin WebSSO support to get Ceptor to function as an Identity Provider (or in Microsoft terminology, Claims Provider).

Ceptor will then create and sign a SAML Token containing information about the user's Identity, and this information can be used by a third party.

The minimum ADFS version required is 2.0, which supports SAML 2.0 tokens.

In ADFS, set up Ceptor as a Trusted Claims Provider – refer to Microsoft's configuration guides for details. You need to configure a URL and an identifier, e.g. “https://www.ceptor.io/adfs”; it is safe to configure the same value for both.

Then add an authentication plugin to the Ceptor Session Controller which supports creation of SAML tokens: use dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin.

In this scenario, a login application needs to handle the dialogue with the user – the .NET and Java sample applications provided with Ceptor both contain samples that show how to do this.

Example in portalprotect-configuration.xml:

<property name="server.authenticationplugins" value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin" description="The list of authentication plugins (classes) to load"/>

ADFSSamlSSOAuthPlugin Configuration

You will need to configure each service provider so Ceptor recognizes it and allows issuing tokens to it. Ceptor will by default only send SAML tokens to previously known URLs. This behaviour can be changed in your own authentication application if you need to, although that is not recommended: the list of known URLs is what keeps a signed token from being posted to an attacker-chosen endpoint.

The authentication plugin supports a number of configuration entries for service providers:

websso.serviceProviders
    Lists the service providers available, separated by semicolon.

The following all start with websso.sp.<sp>., where <sp> is replaced with the name of the service provider as configured in websso.serviceProviders:

url
    URL to ADFS, usually https://<hostname>/adfs/ls/ – this is the URL that the SAML token will be sent to, and the URL that will be present as recipient within the SAML ticket.

returnurl
    Overrides url if you need to send the SAML response to a different URL than the recipient URL within the SAML response (defaults to url).

displayName
    Display name for this Service Provider – can be used by the login application to let the user select which service provider to use, if that is required.

issuer
    Name of the SAML ticket issuer – visible to the receiving application; default is Ceptor.

rolePattern
    Only groups/roles matching this pattern will be added to the SAML token – use ? and * as wildcards, | to separate multiple matches, and ^ to negate a match, e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with Administrator as part of its name.

attributes
    List of SAML attributes to add to the SAML ticket, as name=key pairs separated by semicolon. The key is taken from the session state variables, so anything you place in the session can be included in the SAML ticket.
    This configuration parameter follows the same syntax as the configuration entry “customHttpHeaders” for the dispatcher, and you can use
    Please see the entry in the reference about “customHttpHeaders” for details.
    Default is: upn=userid;name=username;role=groups;email=email1

identifiers
    Semicolon separated list of identifiers for this service provider (shown in the example configuration below).

keystore.provider
    Name of the keystore JCE provider, default is “BC”.

keystore.type
    Keystore type, default is “PKCS12”.

keystore.file
    Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token.

keystore.password
    Keystore password – can optionally be encrypted.

keystore.privkeyalias
    Alias name of the private key, or blank to use the first private key found in the keystore.

keystore.certalias
    Alias name of the certificate, or blank to use the first available certificate found in the keystore.

idp_metadata_XML_
    Template for IDP federation metadata used to identify our capabilities for this service provider.

saml.response.script
    Script executed with the option to modify the SAML response before it is signed.

You will need to specify a keystore containing a private key and public certificate to sign the SAML token with.

Example configuration in portalprotect-configuration.xml:

<property name="websso.serviceProviders" value="adfs2" description="Semicolon separated list of service providers"/>
<property name="websso.sp.adfs2.attributes" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username;http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1" description="Specify which attributes to add to the SAML token"/>
<property name="websso.sp.adfs2.displayName" value="Ceptor Test ADFS2" description="Display name of Service Provider"/>
<property name="websso.sp.adfs2.identifiers" value="https://www.pptest.dk:4443/adfs;http://adfs2.itptest.dk/adfs/services/trust" description="Semicolon separated list of identifiers"/>
<property name="websso.sp.adfs2.issuer" value="https://www.pptest.dk:4443/adfs" description="Issuer name to tell service provider"/>
<property name="websso.sp.adfs2.keystore.certalias" value="" description="Alias of certificate within keystore"/>
<property name="websso.sp.adfs2.keystore.file" value="${portalprotect.home}/config/x509/issuer/certissuer.pfx" description="Name of keystore containing private key and certificate to use when signing SAML"/>
<property name="websso.sp.adfs2.keystore.password" value="password" description="Password for keystore"/>
<property name="websso.sp.adfs2.keystore.privkeyalias" value="" description="Alias of private key within keystore"/>
<property name="websso.sp.adfs2.keystore.provider" value="BC" description="Name of JCE provider"/>
<property name="websso.sp.adfs2.keystore.type" value="PKCS12" description="Keystore type"/>
<property name="websso.sp.adfs2.rolePattern" value="*" description="Only roles matching this pattern will be sent to the service provider"/>
<property name="websso.sp.adfs2.url" value="https://adfs2.itptest.dk/adfs/ls/" description="URL of ADFS service provider"/>
<property name="websso.sp.adfs2.idp_metadata_XML_" description="Metadata template for identity provider metadata">
<![CDATA[<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="%{validuntil}" cacheDuration="PT1440M" entityID="https://www.pptest.dk:4443/adfs">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{signcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server/logoff"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>techname</md:GivenName>
    <md:EmailAddress>tech@mail.dk</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support name</md:GivenName>
    <md:EmailAddress>support@mail.dk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
]]></property>

The configuration example above assumes that you have configured ADFS with support for the SAML 2.0 WebSSO protocol with the URL “https://www.pptest.dk:4443/adfs” and the same trust identifier. It also assumes that you have added the certificate from certissuer.pfx to ADFS as a valid token signing certificate.

Using ADFS as an Identity Provider (and Ceptor as Service Provider / Relying Party)

You set up Ceptor as a relying party of ADFS by configuring an authentication plugin on a Ceptor Session Controller which can accept a SAML token (potentially wrapped in WS-Federation/WS-Trust) issued by ADFS, and use it as the credentials for authenticating the user.

Initial Configuration Steps

To configure Ceptor to use ADFS as an Identity Provider, you first need to set up ADFS 1.0 or 2.0 (2.0 is strongly recommended).

In ADFS, set up Ceptor as a Relying Party – refer to Microsoft's configuration guides for details. You will need to configure a URL and an identifier, e.g. “https://www.ceptor.io/adfs”; it is safe to configure the same value for both.

Note: If you use a .NET login application, the basic sample delivered with Ceptor matches the URL https://www.ceptor.io/adfs.aspx

Then add an authentication plugin to the Ceptor Session Controller: either use dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin, or use and modify the version provided in source code form in the PortalProtect_Samples eclipse project within the Ceptor distribution.

Example in portalprotect-configuration.xml:

<property name="server.authenticationplugins" value="...<existing providers>; dk.itp.portalprotect.saml.ADFSSamlSSOAuthPlugin" description="The list of authentication plugins (classes) to load"/>

ADFSSamlSSOAuthPlugin Configuration of Identity Providers

The authentication plugin supports a number of configuration entries for each identity provider:

websso.identityProviders
    Lists the identity providers available, separated by semicolon.

The following all start with websso.idp.<idp>., where <idp> is replaced with the name of the identity provider as configured in websso.identityProviders:

signerCertificates
    Lists one or more certificates that the SAML token issued by the identity provider can be signed with. The entry must point to files containing certificates in either .cer or .p7b format.

useSubjectAsUserid
    If true, and if a subject is sent by the IDP, the subject will be used as user ID by Ceptor.

useridAttributeName
    If configured, and a SAML attribute is sent with this name, then the value of the attribute will be used as user ID.

usernameAttributeName
    If not empty, the value of the corresponding SAML attribute will be used as user name.

roleAttributeName
    If specified, any values defined for this attribute name will be added as user groups/roles in the Ceptor session for the authenticated user.

rolePattern
    Only roles matching this pattern will be added as user groups – use ? and * as wildcards, | to separate multiple matches, and ^ to negate a match, e.g. “^Admin|*Administrator*” allows all groups except Admin and any group with Administrator as part of its name.

attributesToStoreInSession
    Pattern matching the attributes from the SAML ticket that will be stored in the session as state variables. Attributes with multiple values will be concatenated and stored as a single value separated by semicolon.

url
    URL to ADFS, usually https://<hostname>/adfs/ls/ – allows the login application to redirect to it to ask for a SAML token wrapped in WS-Federation/WS-Trust.

expectedAudiencePattern
    When verifying a SAML response from an identity provider, this is the pattern that the audience must match – wildcards and | are supported to specify multiple valid entries. Keep it as specific as possible: the audience restriction is what ties a token to this relying party rather than to any other party the IDP issues tokens for.

displayName
    Display name for this Identity Provider – can be used by the login application to let the user select which identity provider to use, if that is required.

identifier
    Identifier to specify on the redirect URL to the IDP – identifies this particular application as the Relying Party, and must match the configuration in ADFS.

knownIPs
    Can be used by the login application to automatically select an identity provider based on the source IP address of the client.

acceptedServerCertificates
    List of files containing valid CA/SSL server certificates, if the default trusted cacerts list in the JRE is not enough.

verifyServerCert
    Set to false to disable verification of the SSL server certificate. Leave it true outside test setups; with verification off, anything fetched from the IDP over HTTPS (such as federation metadata) could come from an impostor.

verifySSLHostname
    Set to false to disable hostname verification – if true, the hostname must match the name in the certificate.

metadataurl
    The URL to fetch federation metadata from – the list of accepted server certificates is then retrieved from this URL.

metadata_XML_
    Instead of loading the metadata online from the URL above, it can be specified here as a string.

encryptioncertificate
    Specify a certificate to be used for encryption – if the metadata contains an encryption certificate, it will be used.

keystore.provider
    Name of the keystore JCE provider, default is “BC”.

keystore.type
    Keystore type, default is “PKCS12”.

keystore.file
    Keystore filename – the keystore must contain both the private key to use when signing the SAML token, and the certificate to include in the token.

keystore.password
    Keystore password – can optionally be encrypted.

keystore.privkeyalias
    Alias name of the private key, or blank to use the first private key found in the keystore.

keystore.certalias
    Alias name of the certificate, or blank to use the first available certificate found in the keystore.

sp_metadata_XML_
    Template for service provider metadata, which can be retrieved online.

samlrequest_XML_
    Template for the SAML request.

Note that for all attribute names, e.g. useridAttributeName or roleAttributeName, multiple different values separated with semicolon can be specified – the first name that matches an existing attribute within the SAML response token will be used.

Example:

<property name="websso.idp.local.usernameAttributeName" value="name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>

In this case, if the SAML response contains an attribute named “name” it will be used as username, otherwise if the SAML response contains an attribute named “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name” then it will be used for the username.

keystore.* properties are used to specify which key/certificate to use when signing SP metadata.
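The following is an added example, not Ceptor's own code, that models the rules described above on both sides of ADFSSamlSSOAuthPlugin: Ceptor issuing attributes from session state according to the attributes default and rolePattern, and Ceptor consuming a token according to expectedAudiencePattern, useSubjectAsUserid, the semicolon-separated attribute-name fallback lists, roleAttributeName/rolePattern and attributesToStoreInSession. The session contents, the SAML Response, and the precedence between negated and positive pattern alternatives are this example's own assumptions (the page does not spell the precedence out), and signature verification against signerCertificates is deliberately not modelled: nothing below may be trusted before that check has passed.

```python
"""Added example, not Ceptor's code: models the attribute mapping and role
filtering rules of ADFSSamlSSOAuthPlugin on both sides (Ceptor issuing a
token from session state; Ceptor consuming a token from an IDP). The sample
data and the pattern precedence are assumptions; signature checking is left out."""
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_ATTRIBUTES = "upn=userid;name=username;role=groups;email=email1"  # page default


def _glob(alt):  # ? and * wildcards -> regular expression
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in alt)


def pattern_matches(pattern, value):
    """| separates alternatives, a leading ^ negates one. Assumed precedence
    (not stated on the page): reject on any negated match; otherwise accept
    when a positive alternative matches, or when no positive one is configured."""
    alts = [a for a in pattern.split("|") if a]
    negatives = [_glob(a[1:]) for a in alts if a.startswith("^")]
    positives = [_glob(a) for a in alts if not a.startswith("^")]
    if any(re.fullmatch(n, value) for n in negatives):
        return False
    return not positives or any(re.fullmatch(p, value) for p in positives)


def build_attribute_statement(session, attributes_cfg, role_pattern):
    """Ceptor as IDP: websso.sp.<sp>.attributes is 'name=key;...' where key
    names a session state variable; a list-valued key becomes a multi-valued
    attribute. Assumption: the 'groups' key is the one rolePattern filters."""
    statement = {}
    for pair in filter(None, attributes_cfg.split(";")):
        name, key = pair.split("=", 1)
        if key not in session:
            continue  # nothing in the session for this key: attribute is omitted
        values = session[key] if isinstance(session[key], list) else [session[key]]
        if key == "groups":
            values = [v for v in values if pattern_matches(role_pattern, v)]
        statement[name] = values
    return statement


def consume_response(xml_text, cfg):
    """Ceptor as SP: apply websso.idp.<idp>.* to a Response whose signature
    has ALREADY been verified against signerCertificates."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience is None or not pattern_matches(cfg["expectedAudiencePattern"], audience):
        raise ValueError("audience %r does not match expectedAudiencePattern" % audience)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}

    def first(names):  # semicolon-separated names: first one present in the token wins
        return next((attrs[n] for n in names.split(";") if n in attrs), [])

    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if cfg["useSubjectAsUserid"] and subject:
        userid = subject
    else:
        userid = (first(cfg["useridAttributeName"]) or [None])[0]
    username = (first(cfg["usernameAttributeName"]) or [userid])[0]
    roles = [r for r in first(cfg["roleAttributeName"]) if pattern_matches(cfg["rolePattern"], r)]
    state = {n: ";".join(v) for n, v in attrs.items()  # multi-valued -> 'a;b;c'
             if pattern_matches(cfg["attributesToStoreInSession"], n)}
    return {"userid": userid, "username": username, "roles": roles, "state": state}


# Constructed sample data, not taken from a real ADFS.
SESSION = {"userid": "jdoe", "username": "John Doe", "email1": "jdoe@example.test",
           "groups": ["Users", "Admin", "DomainAdministrators"]}
IDP_CFG = {  # mirrors the websso.idp.local.* example on this page
    "expectedAudiencePattern": "https://www.portalprotect.dk/adfs",
    "useSubjectAsUserid": True,
    "useridAttributeName": "upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "usernameAttributeName": "name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "roleAttributeName": "role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "rolePattern": "^Admin|*",
    "attributesToStoreInSession": "*",
}
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0">
  <saml:Issuer>http://adfs2.itptest.dk/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://www.portalprotect.dk/adfs</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
    <saml:AttributeValue>John Doe</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
    <saml:AttributeValue>Users</saml:AttributeValue>
    <saml:AttributeValue>Admin</saml:AttributeValue>
    <saml:AttributeValue>DomainAdministrators</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

With the sample data, build_attribute_statement(SESSION, DEFAULT_ATTRIBUTES, "^Admin|*") yields a role attribute of Users and DomainAdministrators, and consume_response(SAMPLE_RESPONSE, IDP_CFG) takes the user ID from the subject, the user name from the claims/name attribute (the short name "name" is tried first and is absent), and stores the full role list as "Users;Admin;DomainAdministrators" in the session state while the filtered roles exclude Admin. Changing expectedAudiencePattern to a value the token's Audience does not match makes the consumer reject the token before any attribute is read.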

Example configuration in portalprotect-configuration.xml:

<group name="websso" description="SAML Web SSO - e.g. with Microsoft ADFS">
  <property name="websso.identityProviders" value="local" description="Semicolon separated list of identity providers"/>
  <property name="websso.idp.local.attributesToStoreInSession" value="*" description="Any SAML attributes matching this pattern will be added to the session"/>
  <property name="websso.idp.local.displayName" value="Local Ceptor Test" description="Display name of Identity Provider"/>
  <property name="websso.idp.local.identifier" value="https://www.portalprotect.dk/adfs" description="Identifier which identifies us to the Identity Provider"/>
  <property name="websso.idp.local.keystore.certalias" value="" description="Alias of certificate within keystore"/>
  <property name="websso.idp.local.keystore.file" value="${portalprotect.home}/config/x509/issuer/certissuer.pfx" description="Name of keystore containing private key and certificate to use when signing or decrypting SAML"/>
  <property name="websso.idp.local.keystore.password" value="password" description="Password for keystore"/>
  <property name="websso.idp.local.keystore.privkeyalias" value="" description="Alias of private key within keystore"/>
  <property name="websso.idp.local.keystore.provider" value="BC" description="Name of JCE provider"/>
  <property name="websso.idp.local.keystore.type" value="PKCS12" description="Keystore type"/>
  <property name="websso.idp.local.knownIPs" value="192.168.200.*|127.0.0.1" description="Expression matching known IPs for this provider"/>
  <property name="websso.idp.local.metadataurlXXXX" value="https://192.168.1.142/FederationMetadata/2007-06/FederationMetadata.xml" description=""/>
  <property name="websso.idp.local.roleAttributeName" value="role;http://schemas.microsoft.com/ws/2008/06/identity/claims/role" description="SAML attribute to use for user groups/roles"/>
  <property name="websso.idp.local.rolePattern" value="*" description="Only roles matching this pattern will be added to the session"/>
  <property name="websso.idp.local.samlrequest_XML_" description="SAML2 request template - used when generating SAML request to send to identity provider">
<![CDATA[<samlp:AuthnRequest ID="%{uuid}"
	Version="2.0" IssueInstant="%{issueinstant}" Destination="https://www.pptest.dk:4443/adfs"
	Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
	<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.portalprotect.dk/adfs</Issuer>
	<samlp:NameIDPolicy
		Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
		AllowCreate="true" />
</samlp:AuthnRequest>]]></property>
			<property name="websso.idp.local.signerCertificates" value="${portalprotect.home}/config/saml/local.cer" description="List of trusted tokensigning certificates for this provider"/>
			<property name="websso.idp.local.sp_metadata_XML_" description="SAML ServiceProvider Metadata - can be generated and imported at the identity provider">
<![CDATA[<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
					 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     validUntil="%{validuntil}"
                     cacheDuration="PT1440M"
                     entityID="317190f9-efec-4307-beb9-7f8380a8ae16">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>%{signcert}</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://my.server.name/logout" />
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://my.server.name/logout" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://my.server.name/adfs"
                                     index="1" />
		<md:AttributeConsumingService index="0" isDefault="true">
		  <md:ServiceName xml:lang="da">SP</md:ServiceName>
		  <md:RequestedAttribute Name="dk:gov:saml:attribute:SpecVer" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
		  <md:RequestedAttribute Name="dk:gov:saml:attribute:AssuranceLevel" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" isRequired="true" />
		</md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
       <md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
       <md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
       <md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Techcontact</md:GivenName>
        <md:EmailAddress>tech@mail.dk</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>support</md:GivenName>
        <md:EmailAddress>support@mail.dk</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>
]]></property>
  <property name="websso.idp.local.url" value="https://192.168.1.142/adfs/ls" description="URL of ADFS ws-federation token issuer"/>
  <property name="websso.idp.local.useSubjectAsUserid" value="true" description="If true, and if subject is present in SAML; it is used as userid"/>
  <property name="websso.idp.local.useridAttributeName" value="upn;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" description="SAML attribute to use for userid"/>
  <property name="websso.idp.local.usernameAttributeName" value="name;http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" description="SAML attribute to use for user name"/>
  <property name="websso.idp.local.verifySSLHostname" value="false" description="Set to false to skip SSL server hostname validation"/>
  <property name="websso.idp.local.verifyServerCert" value="false" description="Set to false to skip SSL server certificate validation"/>
</group>

The above configuration contains an example of how to configure a single Identity Provider. Note that it is a test setup: verifyServerCert and verifySSLHostname are both false, and the metadataurl entry appears to be disabled by the XXXX suffix on its name, so the trusted token signing certificate comes solely from signerCertificates. Do not carry the two false values into production.
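The following is an added example, not Ceptor's own code or that of its sample login applications, showing the two forms of redirect a login application can send the browser to at the websso.idp.<idp>.url endpoint: a WS-Federation passive sign-in request carrying the configured identifier, and a SAML 2.0 AuthnRequest rendered from a template in the shape of samlrequest_XML_ and packed according to the standard HTTP-Redirect binding. The %{uuid} and %{issueinstant} macros are the page's; the %{destination}, %{acs} and %{issuer} macros, the URLs and the fixed clock are this example's own assumptions. One caveat worth keeping in mind: Destination, when present, must be the URL the request is actually delivered to, which is what the IDP checks it against.

```python
"""Added example, not Ceptor's code: builds the redirect to the IDP's /adfs/ls/
endpoint either as a WS-Federation sign-in request or as a SAML 2.0
AuthnRequest using the HTTP-Redirect binding, and decodes the latter back.
The URLs, the extra template macros and the fixed clock are assumptions."""
import base64
import re
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_URL = "https://adfs2.itptest.dk/adfs/ls/"      # websso.idp.<idp>.url
IDENTIFIER = "https://www.portalprotect.dk/adfs"    # websso.idp.<idp>.identifier
ACS_URL = "https://my.server.name/adfs"             # AssertionConsumerService in the SP metadata
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)     # fixed clock so the output is reproducible

# Same shape as the samlrequest_XML_ template on this page; the macros beyond
# %{uuid} and %{issueinstant} are this example's own.
AUTHN_REQUEST_TEMPLATE = """<samlp:AuthnRequest ID="%{uuid}" Version="2.0" IssueInstant="%{issueinstant}"
  Destination="%{destination}" AssertionConsumerServiceURL="%{acs}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">%{issuer}</Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def render_authn_request(now=NOW):
    """Fill the macros. The ID is an xs:ID, so it must not start with a digit;
    IssueInstant is UTC with a Z suffix as SAML expects."""
    values = {"uuid": "_" + uuid.uuid4().hex,
              "issueinstant": now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "destination": IDP_URL, "acs": ACS_URL, "issuer": IDENTIFIER}
    return re.sub(r"%\{(\w+)\}", lambda m: values[m.group(1)], AUTHN_REQUEST_TEMPLATE)


def redirect_binding_url(authn_request_xml, relay_state="/protected/start"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), Base64, URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return IDP_URL + ("&" if "?" in IDP_URL else "?") + query


def decode_redirect_binding_url(url):
    """Reverse of the above, i.e. what the IDP does on receipt; handy for
    checking what was actually sent. Returns (AuthnRequest element, RelayState)."""
    params = parse_qs(urlsplit(url).query)
    xml_text = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return ET.fromstring(xml_text), params.get("RelayState", [None])[0]


def wsfed_signin_url(return_url=ACS_URL, context="/protected/start"):
    """WS-Federation passive sign-in: wa=wsignin1.0, wtrealm is the relying
    party identifier configured in ADFS, wreply is where the token is to be
    posted (it must be an endpoint ADFS knows for that relying party, otherwise
    the IDP would be usable as an open redirector), wctx is opaque state."""
    return IDP_URL + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": IDENTIFIER,
                                      "wreply": return_url, "wctx": context})


if __name__ == "__main__":
    print(wsfed_signin_url())
    print(redirect_binding_url(render_authn_request()))
```

Decoding the redirect URL you generated and checking Destination, Issuer and IssueInstant before pointing a browser at ADFS catches the most common mistakes (a Destination that does not equal the endpoint, an Issuer that does not equal the identifier ADFS was configured with) without a single round trip to the IDP.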

Federation Metadata

This section describes how to generate and access federation metadata for use by both Service Providers and Identity Providers.

IDP Metadata

Starting with version 5.71.0, you can generate federation metadata dynamically by specifying websso.sp.xxxx.idp_metadata_XML_, which creates the IDP metadata describing Ceptor's capabilities towards that specific SP, for import at the SP.

Below is an example of IDP metadata:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="%{validuntil}" cacheDuration="PT1440M" entityID="http://www.portalprotect.dk/adfs/services/trust">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{signcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>%{encryptcert}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server/logoff"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>techname</md:GivenName>
    <md:EmailAddress>tech@mail.dk</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>support name</md:GivenName>
    <md:EmailAddress>support@mail.dk</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>

Notice that there are a few macros that will be replaced at runtime with the appropriate values:

  • %{validuntil} A timestamp set to 24 hours in the future.
  • %{signcert} and %{encryptcert} Replace with the Base64 encoded version of the X509 certificate.

You can get this metadata through the gateway by calling a URL where the ADFS/WebSSO authentication plugin is configured – you need to provide the service provider name (spname) and one of two request parameters, either metadataunsigned or metadatasigned, to request an unsigned or a signed version of the metadata.

Example:

https://localhost:8443/adfs?spname=local&metadataunsigned

<md:EntityDescriptor validUntil="2018-03-26T19:42:50.957+02:00"
	cacheDuration="PT1440M" entityID="http://www.portalprotect.dk/adfs/services/trust">
	<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
		protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>...</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:KeyDescriptor use="encryption">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>...</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://login.my.server/logoff" />
		<md:SingleSignOnService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://login.my.server" />
	</md:IDPSSODescriptor>
	<md:Organization>
		<md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
		<md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
		<md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
	</md:Organization>
	<md:ContactPerson contactType="technical">
		<md:GivenName>techname</md:GivenName>
		<md:EmailAddress>tech@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<md:ContactPerson contactType="support">
		<md:GivenName>support name</md:GivenName>
		<md:EmailAddress>support@mail.dk</md:EmailAddress>
	</md:ContactPerson>
</md:EntityDescriptor>
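The following is an added example, not Ceptor's code, of the two things a practitioner does with this metadata: rendering the %{validuntil}, %{signcert} and %{encryptcert} macros of an IDP template like the one above, and inspecting metadata (the unsigned output above, or the signed output that follows) before importing it at the other party: entity ID, validUntil not yet passed, which signing certificates are offered, and whether a ds:Signature is present and with which algorithm. The template, the certificate and the signature are constructed placeholders (the certificate is not a real X.509 certificate and the signature is not a valid one); the fixed clock values are assumptions too.

```python
"""Added example, not Ceptor's code: renders the %{...} macros of an IDP
metadata template and inspects metadata before it is imported.
The template, certificate, signature and clock values are constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the example
LATER = NOW + timedelta(days=2)                   # after the 24-hour validUntil

# Constructed placeholder: a real certificate is DER data in the same PEM armour.
FAKE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
                 + "\n-----END CERTIFICATE-----\n")

TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  validUntil="%{validuntil}" cacheDuration="PT1440M" entityID="http://www.portalprotect.dk/adfs/services/trust">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>%{signcert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>%{encryptcert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.my.server"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, not a valid signature: only its shape matters for the inspection below.
FAKE_SIGNATURE = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
                  '<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
                  '</ds:SignedInfo><ds:SignatureValue>bm90IGEgcmVhbCBzaWduYXR1cmU=</ds:SignatureValue>'
                  '</ds:Signature>')


def pem_to_base64(pem):
    """%{signcert}/%{encryptcert} carry the bare Base64 DER body: strip the PEM armour and line breaks."""
    return "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem).split())


def render_metadata(template, cert_pem, now=NOW):
    """%{validuntil} is 24 hours after 'now'; both certificate macros get the same certificate here."""
    values = {"validuntil": (now + timedelta(hours=24)).isoformat(timespec="seconds"),
              "signcert": pem_to_base64(cert_pem), "encryptcert": pem_to_base64(cert_pem)}
    return re.sub(r"%\{(\w+)\}", lambda m: values[m.group(1)], template)


def with_fake_signature(xml_text):
    """Append the constructed enveloped signature before the closing tag, as in the signed output on this page."""
    return xml_text.replace("</md:EntityDescriptor>", FAKE_SIGNATURE + "</md:EntityDescriptor>")


def inspect_metadata(xml_text, now=NOW):
    """What to check before importing: entity ID, validUntil not passed, offered
    signing certificates, and whether/how the document is signed (sha1-based
    methods are flagged as weak; the signature itself is not verified here)."""
    root = ET.fromstring(xml_text)
    valid_until = datetime.fromisoformat(root.get("validUntil"))
    sig = root.find("ds:Signature", NS)
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm") if sig is not None else None
    signing = [c.text.strip() for c in root.findall(
        "md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "valid": valid_until > now,
            "signing_certs": signing, "signed": sig is not None,
            "signature_method": method, "weak_signature": bool(method) and method.endswith("sha1")}
```

Run against the constructed template, the rendered document contains no remaining %{...} macro, is valid at NOW and expired at LATER, and is reported as unsigned; after with_fake_signature it is reported as signed with a sha1-based method, which is exactly the condition to look for in the signed output below before deciding whether the importing party still accepts it.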


And the signed version: https://localhost:8443/adfs?spname=local&metadatasigned (note that the enveloped signature below uses the rsa-sha1 signature method and the sha1 digest method, both considered weak today; check that the party importing the metadata still accepts them)

<md:EntityDescriptor cacheDuration="PT1440M"
	entityID="http://www.portalprotect.dk/adfs/services/trust" validUntil="2018-03-26T19:45:35.637+02:00">
	<md:IDPSSODescriptor WantAuthnRequestsSigned="false"
		protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIIFYDCCA0igAwIBAgIBKjANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwHhcNMTMwNTE2MjEyNDQ0WhcNMzcwMTMxMjMwMDAwWjBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCSj5I4UePOIhrE0jpBijP37fJvhkdqY/Zulmnjyd/XW6w0q1mUu4n753j7i+Ypf3XOxgwUqpKl0d4lo7p6k1MPfbM5a7BpInIi0V2kU7l+J8sXeOakuDpexKTkF0Z87tDiODj435M+sP9JHhZOtK+IzGWa2h6YsT1JKgPB++qaUracsLgo0wjZIJCrfvgc9wzjXDhnxv7Mvj96odZUVZnAgqloH6uvfDiEYmR7vEzJDJ5lbzIZZ/DpHD1NtCsD1mPSyXmBhGlnpYvGEnX6E7ifF3FSZ7c/Xmc9TJfZnvpOip98pUfWQ6DLGXAsnQOpByJFXEGR0flJw+OUFm0Cb8G9fXqK5efw9nW+Kr8UqJV01+/D9aERJA1jEM6zeE9UEH+vrwGLzETa4dwu7zKetAc6BOFNZQFxrk91YjPbu7VY5RKRNW7L7HV8g7NhbP0fimUEbb4COUBQS3nNLCbbY2jTGKTI/AeauZRg3+tPgluca6eZUOGqx1VRGNH4Srvga1z+utgnHrAq09a1eKoNVRshmmm8oGLe6UHvaink/SHN6y9fTCYHm+6fRK6UfhzRZqKoS5ZlX7r6J9BgeXeqKpIuHF/MlTtOAQ6Qa/VrxAPuTWHqXp09srhbnd9wMFLBl5ca/YA9hAvHFixjSULz24SGQ5TbSypqxuGOipFmcbQdtQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBJjA+BgNVHSUBAf8ENDAyBggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDAgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBADnoyyWcELomvXIEINnrf+tfiE3UYymswmqXvuuf4Fuz/QfvfPaXKcaPB1/4HWMAbn3vUvxoSIjI6YkaOSCJuJpLvHkxohTbLkJ7dalTAvfW3ONxOHyBxgGOfcG7gK9/wZD0cnYkSK4otZ13/8RdzuMAG/fFq/j2fSADxur6DU+nzP9dKhy7tbTaRs/YD0OrhPSaUTTZUo2wEwkdhZblX2YZGVKWZazRoX3vagWIvDGxDBPlubvG7tDXzsTxFX6nqXqxKCbssRXEup9p1XcMJPhKwLTllDn6uom0kcbfX2BOf/fnBBf9AOyfNLVY/g2o6mk+smQQcPq8LIchrMkqT6SCi5347/o84Jad8HV45cIFEAa1IHUv6oEJCAQJKSclUNbKfk+xMvUta8dVhWBL8g/fA/SHp4OvzjB54Gl2vPj5Lxue08ZXlH7iidn0AELC6QR3whZph4UG3/yvLe21fZDpLSFLKCWgJAustZw5ePo/d77DunRBQ6CSfMWXDK0T2aUqDap8SfzuCEV1xoVtvVJ4m78VOhkD/yVC+fJ3pBlltKNQiuUrUfXI/pX+r2Ay80AVtwhsD/tGxgpHtaGkq5sC0agSbM/4FkCepoAfBdcaJgKLIcF3fLRIGFQdJP99fnFQ9Qe0BZi5sKlOyq5dbFebmBBm+lH/s/AlEdod4zDU</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:KeyDescriptor use="encryption">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIIFYDCCA0igAwIBAgIBKjANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwHhcNMTMwNTE2MjEyNDQ0WhcNMzcwMTMxMjMwMDAwWjBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCSj5I4UePOIhrE0jpBijP37fJvhkdqY/Zulmnjyd/XW6w0q1mUu4n753j7i+Ypf3XOxgwUqpKl0d4lo7p6k1MPfbM5a7BpInIi0V2kU7l+J8sXeOakuDpexKTkF0Z87tDiODj435M+sP9JHhZOtK+IzGWa2h6YsT1JKgPB++qaUracsLgo0wjZIJCrfvgc9wzjXDhnxv7Mvj96odZUVZnAgqloH6uvfDiEYmR7vEzJDJ5lbzIZZ/DpHD1NtCsD1mPSyXmBhGlnpYvGEnX6E7ifF3FSZ7c/Xmc9TJfZnvpOip98pUfWQ6DLGXAsnQOpByJFXEGR0flJw+OUFm0Cb8G9fXqK5efw9nW+Kr8UqJV01+/D9aERJA1jEM6zeE9UEH+vrwGLzETa4dwu7zKetAc6BOFNZQFxrk91YjPbu7VY5RKRNW7L7HV8g7NhbP0fimUEbb4COUBQS3nNLCbbY2jTGKTI/AeauZRg3+tPgluca6eZUOGqx1VRGNH4Srvga1z+utgnHrAq09a1eKoNVRshmmm8oGLe6UHvaink/SHN6y9fTCYHm+6fRK6UfhzRZqKoS5ZlX7r6J9BgeXeqKpIuHF/MlTtOAQ6Qa/VrxAPuTWHqXp09srhbnd9wMFLBl5ca/YA9hAvHFixjSULz24SGQ5TbSypqxuGOipFmcbQdtQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBJjA+BgNVHSUBAf8ENDAyBggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDAgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBADnoyyWcELomvXIEINnrf+tfiE3UYymswmqXvuuf4Fuz/QfvfPaXKcaPB1/4HWMAbn3vUvxoSIjI6YkaOSCJuJpLvHkxohTbLkJ7dalTAvfW3ONxOHyBxgGOfcG7gK9/wZD0cnYkSK4otZ13/8RdzuMAG/fFq/j2fSADxur6DU+nzP9dKhy7tbTaRs/YD0OrhPSaUTTZUo2wEwkdhZblX2YZGVKWZazRoX3vagWIvDGxDBPlubvG7tDXzsTxFX6nqXqxKCbssRXEup9p1XcMJPhKwLTllDn6uom0kcbfX2BOf/fnBBf9AOyfNLVY/g2o6mk+smQQcPq8LIchrMkqT6SCi5347/o84Jad8HV45cIFEAa1IHUv6oEJCAQJKSclUNbKfk+xMvUta8dVhWBL8g/fA/SHp4OvzjB54Gl2vPj5Lxue08ZXlH7iidn0AELC6QR3whZph4UG3/yvLe21fZDpLSFLKCWgJAustZw5ePo/d77DunRBQ6CSfMWXDK0T2aUqDap8SfzuCEV1xoVtvVJ4m78VOhkD/yVC+fJ3pBlltKNQiuUrUfXI/pX+r2Ay80AVtwhsD/tGxgpHtaGkq5sC0agSbM/4FkCepoAfBdcaJgKLIcF3fLRIGFQdJP99fnFQ9Qe0BZi5sKlOyq5dbFebmBBm+lH/s/AlEdod4zDU</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://login.my.server/logoff" />
		<md:SingleSignOnService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://login.my.server" />
	</md:IDPSSODescriptor>
	<md:Organization>
		<md:OrganizationName xml:lang="en-US">orgname</md:OrganizationName>
		<md:OrganizationDisplayName xml:lang="en-US">orgdispname</md:OrganizationDisplayName>
		<md:OrganizationURL xml:lang="en-US">http://my.org</md:OrganizationURL>
	</md:Organization>
	<md:ContactPerson contactType="technical">
		<md:GivenName>techname</md:GivenName>
		<md:EmailAddress>tech@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<md:ContactPerson contactType="support">
		<md:GivenName>support name</md:GivenName>
		<md:EmailAddress>support@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<ds:Signature Id="sid15219999356525">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod
				Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
			<ds:Reference URI="">
				<ds:Transforms>
					<ds:Transform
						Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
				<ds:DigestValue>ly9Q7e9NDlOFRD9YM52xffcnRvI=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>U0j0WxzrADsjh2fzfYIKhRbhKMv9dUTBSny/arJ/HXwmCM4qHKqP7zQLhtjpxffWR7P7EUL/trdR
			gyZ/0j61geYVXsnl6lxLxBafnQEcKvJH/jFKziucS3XLnZGJsL5vNpOn972pEuPinjXea+iScB/d
			IDB3JpGxPqkLSKyKs0NVokku5cwcUOgBQQSp+ambt60dUSkF+jC2xzM2CBm6FaWcX1jIVCpd23oQ
			yhDZKRD+COxFCcHorB53UH5A7Kc4ufVBaNx6UaMoBCzY6d/5f9KGT63Vz2sUIzwKmBJ6ba5NaAFC
			p2p/RoardlRf4l4tF4AzTxhnfCe7Vhpug0UuGPJpK+Vd0iZiBGl5aDI0iR7V3tTW6N7kMn8tyJyF
			DzlXcLrqAWXpZkqKNHomPtxc+MZ0VoRmcoYXtfqgXRd6dY7S1ejQTGM7fXH447K2fKFDFqhFdxz3
			Es7Umx0p/IhiKSBuqxxo5FTp9HZhqaYy+hdn+qaDI7Fqxp7MDUzDk5u5u03lNXHkTOn8zyt4ctel
			pJPfDPjomjem1PwYegStOkVWvHw0ViqIDoVgH4JJ29mvGJYKYKxe7Eho7n6zMvA67jM3AL9Nb9hF
			mDo5jc9t4D5Hh8jO2KoWn7IbBAT/kuQfToisMvUIBF604QcMyozgkmTrFNH4NnVak7CmNqcOYCo=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIFYDCCA0igAwIBAgIBKjANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwO
					QXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwHhcNMTMwNTE2MjEyNDQ0
					WhcNMzcwMTMxMjMwMDAwWjBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsx
					GTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
					AQCSj5I4UePOIhrE0jpBijP37fJvhkdqY/Zulmnjyd/XW6w0q1mUu4n753j7i+Ypf3XOxgwUqpKl
					0d4lo7p6k1MPfbM5a7BpInIi0V2kU7l+J8sXeOakuDpexKTkF0Z87tDiODj435M+sP9JHhZOtK+I
					zGWa2h6YsT1JKgPB++qaUracsLgo0wjZIJCrfvgc9wzjXDhnxv7Mvj96odZUVZnAgqloH6uvfDiE
					YmR7vEzJDJ5lbzIZZ/DpHD1NtCsD1mPSyXmBhGlnpYvGEnX6E7ifF3FSZ7c/Xmc9TJfZnvpOip98
					pUfWQ6DLGXAsnQOpByJFXEGR0flJw+OUFm0Cb8G9fXqK5efw9nW+Kr8UqJV01+/D9aERJA1jEM6z
					eE9UEH+vrwGLzETa4dwu7zKetAc6BOFNZQFxrk91YjPbu7VY5RKRNW7L7HV8g7NhbP0fimUEbb4C
					OUBQS3nNLCbbY2jTGKTI/AeauZRg3+tPgluca6eZUOGqx1VRGNH4Srvga1z+utgnHrAq09a1eKoN
					VRshmmm8oGLe6UHvaink/SHN6y9fTCYHm+6fRK6UfhzRZqKoS5ZlX7r6J9BgeXeqKpIuHF/MlTtO
					AQ6Qa/VrxAPuTWHqXp09srhbnd9wMFLBl5ca/YA9hAvHFixjSULz24SGQ5TbSypqxuGOipFmcbQd
					tQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBJjA+BgNVHSUBAf8ENDAy
					BggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDAgYIKwYBBQUHAwkwDQYJKoZI
					hvcNAQELBQADggIBADnoyyWcELomvXIEINnrf+tfiE3UYymswmqXvuuf4Fuz/QfvfPaXKcaPB1/4
					HWMAbn3vUvxoSIjI6YkaOSCJuJpLvHkxohTbLkJ7dalTAvfW3ONxOHyBxgGOfcG7gK9/wZD0cnYk
					SK4otZ13/8RdzuMAG/fFq/j2fSADxur6DU+nzP9dKhy7tbTaRs/YD0OrhPSaUTTZUo2wEwkdhZbl
					X2YZGVKWZazRoX3vagWIvDGxDBPlubvG7tDXzsTxFX6nqXqxKCbssRXEup9p1XcMJPhKwLTllDn6
					uom0kcbfX2BOf/fnBBf9AOyfNLVY/g2o6mk+smQQcPq8LIchrMkqT6SCi5347/o84Jad8HV45cIF
					EAa1IHUv6oEJCAQJKSclUNbKfk+xMvUta8dVhWBL8g/fA/SHp4OvzjB54Gl2vPj5Lxue08ZXlH7i
					idn0AELC6QR3whZph4UG3/yvLe21fZDpLSFLKCWgJAustZw5ePo/d77DunRBQ6CSfMWXDK0T2aUq
					Dap8SfzuCEV1xoVtvVJ4m78VOhkD/yVC+fJ3pBlltKNQiuUrUfXI/pX+r2Ay80AVtwhsD/tGxgpH
					taGkq5sC0agSbM/4FkCepoAfBdcaJgKLIcF3fLRIGFQdJP99fnFQ9Qe0BZi5sKlOyq5dbFebmBBm
					+lH/s/AlEdod4zDU</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
</md:EntityDescriptor>


IDP Metadata

You can generate federation metadata dynamically by specifying websso.idp.xxxx.idp_metadata_XML_; this creates metadata intended for an SP to use together with the configuration for a specific IDP.

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
					 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     validUntil="%{validuntil}"
                     cacheDuration="PT1440M"
                     entityID="317190f9-efec-4307-beb9-7f8380a8ae16">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                                Location="https://my.server.name/logout" />
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://my.server.name/logout" />
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://my.server.name/adfs"
                                     index="1" />
		<md:AttributeConsumingService index="0" isDefault="true">
		  <md:ServiceName xml:lang="da">SP</md:ServiceName>
		</md:AttributeConsumingService>
    </md:SPSSODescriptor>
    <md:Organization>
       <md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
       <md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
       <md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
        <md:GivenName>Techcontact</md:GivenName>
        <md:EmailAddress>tech@mail.dk</md:EmailAddress>
    </md:ContactPerson>
    <md:ContactPerson contactType="support">
        <md:GivenName>Support</md:GivenName>
        <md:EmailAddress>support@mail.dk</md:EmailAddress>
    </md:ContactPerson>
</md:EntityDescriptor>

Notice that there are a few macros that will be replaced at runtime with the appropriate values:

  • %{validuntil} A timestamp set to 24 hours in the future.
  • %{signcert} and %{encryptcert} Replaced with the Base64 encoded version of the X509 certificate.

You can get this metadata through the gateway by calling a URL where the ADFS/WebSSO authentication plugin is configured. You need to provide the identity provider name, and one of two request parameters, either metadataunsigned or metadatasigned, to request an unsigned or a signed version of the metadata respectively.

Example:

https://localhost:8443/adfs?idpname=local&metadataunsigned

<md:EntityDescriptor validUntil="2018-03-26T19:51:42.112+02:00"
	cacheDuration="PT1440M" entityID="317190f9-efec-4307-beb9-7f8380a8ae16">
	<md:SPSSODescriptor AuthnRequestsSigned="true"
		WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>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</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:KeyDescriptor use="encryption">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>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</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://my.server.name/logout" />
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.server.name/logout" />
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
		<md:AssertionConsumerService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.server.name/adfs"
			index="1" />
		<md:AttributeConsumingService index="0"
			isDefault="true">
			<md:ServiceName xml:lang="da">SP</md:ServiceName>
			<md:RequestedAttribute Name="dk:gov:saml:attribute:SpecVer"
				NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
				isRequired="true" />
			<md:RequestedAttribute Name="dk:gov:saml:attribute:AssuranceLevel"
				NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
				isRequired="true" />
		</md:AttributeConsumingService>
	</md:SPSSODescriptor>
	<md:Organization>
		<md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
		<md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
		<md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
	</md:Organization>
	<md:ContactPerson contactType="technical">
		<md:GivenName>Techcontact</md:GivenName>
		<md:EmailAddress>tech@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<md:ContactPerson contactType="support">
		<md:GivenName>support</md:GivenName>
		<md:EmailAddress>support@mail.dk</md:EmailAddress>
	</md:ContactPerson>
</md:EntityDescriptor>


And the signed version is available at https://localhost:8443/adfs?idpname=local&metadatasigned

<md:EntityDescriptor cacheDuration="PT1440M"
	entityID="317190f9-efec-4307-beb9-7f8380a8ae16" validUntil="2018-03-26T19:52:57.542+02:00">
	<md:SPSSODescriptor AuthnRequestsSigned="true"
		WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<md:KeyDescriptor use="signing">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>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</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:KeyDescriptor use="encryption">
			<ds:KeyInfo>
				<ds:X509Data>
					<ds:X509Certificate>MIIFYDCCA0igAwIBAgIBKjANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwHhcNMTMwNTE2MjEyNDQ0WhcNMzcwMTMxMjMwMDAwWjBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCSj5I4UePOIhrE0jpBijP37fJvhkdqY/Zulmnjyd/XW6w0q1mUu4n753j7i+Ypf3XOxgwUqpKl0d4lo7p6k1MPfbM5a7BpInIi0V2kU7l+J8sXeOakuDpexKTkF0Z87tDiODj435M+sP9JHhZOtK+IzGWa2h6YsT1JKgPB++qaUracsLgo0wjZIJCrfvgc9wzjXDhnxv7Mvj96odZUVZnAgqloH6uvfDiEYmR7vEzJDJ5lbzIZZ/DpHD1NtCsD1mPSyXmBhGlnpYvGEnX6E7ifF3FSZ7c/Xmc9TJfZnvpOip98pUfWQ6DLGXAsnQOpByJFXEGR0flJw+OUFm0Cb8G9fXqK5efw9nW+Kr8UqJV01+/D9aERJA1jEM6zeE9UEH+vrwGLzETa4dwu7zKetAc6BOFNZQFxrk91YjPbu7VY5RKRNW7L7HV8g7NhbP0fimUEbb4COUBQS3nNLCbbY2jTGKTI/AeauZRg3+tPgluca6eZUOGqx1VRGNH4Srvga1z+utgnHrAq09a1eKoNVRshmmm8oGLe6UHvaink/SHN6y9fTCYHm+6fRK6UfhzRZqKoS5ZlX7r6J9BgeXeqKpIuHF/MlTtOAQ6Qa/VrxAPuTWHqXp09srhbnd9wMFLBl5ca/YA9hAvHFixjSULz24SGQ5TbSypqxuGOipFmcbQdtQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBJjA+BgNVHSUBAf8ENDAyBggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDAgYIKwYBBQUHAwkwDQYJKoZIhvcNAQELBQADggIBADnoyyWcELomvXIEINnrf+tfiE3UYymswmqXvuuf4Fuz/QfvfPaXKcaPB1/4HWMAbn3vUvxoSIjI6YkaOSCJuJpLvHkxohTbLkJ7dalTAvfW3ONxOHyBxgGOfcG7gK9/wZD0cnYkSK4otZ13/8RdzuMAG/fFq/j2fSADxur6DU+nzP9dKhy7tbTaRs/YD0OrhPSaUTTZUo2wEwkdhZblX2YZGVKWZazRoX3vagWIvDGxDBPlubvG7tDXzsTxFX6nqXqxKCbssRXEup9p1XcMJPhKwLTllDn6uom0kcbfX2BOf/fnBBf9AOyfNLVY/g2o6mk+smQQcPq8LIchrMkqT6SCi5347/o84Jad8HV45cIFEAa1IHUv6oEJCAQJKSclUNbKfk+xMvUta8dVhWBL8g/fA/SHp4OvzjB54Gl2vPj5Lxue08ZXlH7iidn0AELC6QR3whZph4UG3/yvLe21fZDpLSFLKCWgJAustZw5ePo/d77DunRBQ6CSfMWXDK0T2aUqDap8SfzuCEV1xoVtvVJ4m78VOhkD/yVC+fJ3pBlltKNQiuUrUfXI/pX+r2Ay80AVtwhsD/tGxgpHtaGkq5sC0agSbM/4FkCepoAfBdcaJgKLIcF3fLRIGFQdJP99fnFQ9Qe0BZi5sKlOyq5dbFebmBBm+lH/s/AlEdod4zDU</ds:X509Certificate>
				</ds:X509Data>
			</ds:KeyInfo>
		</md:KeyDescriptor>
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
			Location="https://my.server.name/logout" />
		<md:SingleLogoutService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.server.name/logout" />
		<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
		<md:AssertionConsumerService
			Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.server.name/adfs"
			index="1" />
		<md:AttributeConsumingService index="0"
			isDefault="true">
			<md:ServiceName xml:lang="da">SP</md:ServiceName>
			<md:RequestedAttribute Name="dk:gov:saml:attribute:SpecVer"
				NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
				isRequired="true" />
			<md:RequestedAttribute Name="dk:gov:saml:attribute:AssuranceLevel"
				NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
				isRequired="true" />
		</md:AttributeConsumingService>
	</md:SPSSODescriptor>
	<md:Organization>
		<md:OrganizationName xml:lang="en-US">My organisation</md:OrganizationName>
		<md:OrganizationDisplayName xml:lang="en-US">My org</md:OrganizationDisplayName>
		<md:OrganizationURL xml:lang="en-US">https://my.server.name</md:OrganizationURL>
	</md:Organization>
	<md:ContactPerson contactType="technical">
		<md:GivenName>Techcontact</md:GivenName>
		<md:EmailAddress>tech@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<md:ContactPerson contactType="support">
		<md:GivenName>support</md:GivenName>
		<md:EmailAddress>support@mail.dk</md:EmailAddress>
	</md:ContactPerson>
	<ds:Signature Id="sid15220003775636">
		<ds:SignedInfo>
			<ds:CanonicalizationMethod
				Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
			<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
			<ds:Reference URI="">
				<ds:Transforms>
					<ds:Transform
						Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<ds:Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
				</ds:Transforms>
				<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
				<ds:DigestValue>du36wcNDpl6wfWaW16S2cp+qzLM=</ds:DigestValue>
			</ds:Reference>
		</ds:SignedInfo>
		<ds:SignatureValue>P98l3wsfUOA26Zb0Wa+QNJY8Li+75bCiAjSnsLOSs48h7Gg3+SijoAXERHrEUs6YXwCjS8JD8AF1
			o0QLzXv3btD1xBD5Llf/sJaHWGJEQB+PYYiCVkl2lPUd9Uk4JwpeWBmR6ieid2xibXbck9AKWuVW
			AeJ0GOS+yZeCn67ZPYUua08aGMjRvb4BQG3mdN2BiKWSAt/jrC4GUY/Ej3YCu8L0A2hoT10aNokz
			lIzotd/rGL1uQ251ILFPi2Lt0RZQWrRpky5wUATZIrcm7eeLS+a+UeR/kkOVDUECPBvbvM6Z+usr
			6VKUMYoj+ThktVx4ou8FPM04QWqW5LObVUdlGoUbeKuKVvUHwm1hqFtpoW0HUoB3k/2MLEUMhZly
			cRrtG1oeOvrM0x5g+tmmexK8knN59Jd9GEfdriiQc9/pp0nULlcsGGeNfg3t3RGZTYP2sDlK/Xlh
			pp6Kr4A6lSHF1FIHQSnTGr2RjZTRkuk5U9KxRi4Dpu0xh6TWs8taKrlF+FX4RP1/ykpIc6JjEryC
			mpNKYoK66yQHDQpIxEKtvcM2oJIxNz4XkrcEFgo2u5rrMFT434N+41vY10jczXdtncq57kT/Jg5p
			aDWj9EDKHZSxinNd5ubv7TAZrX3Cpu2V4rdlhi9loDX3GtJWLc2EIxLCxjvoUbUWhUJVzV6y8LE=</ds:SignatureValue>
		<ds:KeyInfo>
			<ds:X509Data>
				<ds:X509Certificate>MIIFYDCCA0igAwIBAgIBKjANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwO
					QXNzZWNvIERhbm1hcmsxGTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwHhcNMTMwNTE2MjEyNDQ0
					WhcNMzcwMTMxMjMwMDAwWjBBMQswCQYDVQQGEwJESzEXMBUGA1UECgwOQXNzZWNvIERhbm1hcmsx
					GTAXBgNVBAMMEEFzc2VjbyBUZXN0IFJvb3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
					AQCSj5I4UePOIhrE0jpBijP37fJvhkdqY/Zulmnjyd/XW6w0q1mUu4n753j7i+Ypf3XOxgwUqpKl
					0d4lo7p6k1MPfbM5a7BpInIi0V2kU7l+J8sXeOakuDpexKTkF0Z87tDiODj435M+sP9JHhZOtK+I
					zGWa2h6YsT1JKgPB++qaUracsLgo0wjZIJCrfvgc9wzjXDhnxv7Mvj96odZUVZnAgqloH6uvfDiE
					YmR7vEzJDJ5lbzIZZ/DpHD1NtCsD1mPSyXmBhGlnpYvGEnX6E7ifF3FSZ7c/Xmc9TJfZnvpOip98
					pUfWQ6DLGXAsnQOpByJFXEGR0flJw+OUFm0Cb8G9fXqK5efw9nW+Kr8UqJV01+/D9aERJA1jEM6z
					eE9UEH+vrwGLzETa4dwu7zKetAc6BOFNZQFxrk91YjPbu7VY5RKRNW7L7HV8g7NhbP0fimUEbb4C
					OUBQS3nNLCbbY2jTGKTI/AeauZRg3+tPgluca6eZUOGqx1VRGNH4Srvga1z+utgnHrAq09a1eKoN
					VRshmmm8oGLe6UHvaink/SHN6y9fTCYHm+6fRK6UfhzRZqKoS5ZlX7r6J9BgeXeqKpIuHF/MlTtO
					AQ6Qa/VrxAPuTWHqXp09srhbnd9wMFLBl5ca/YA9hAvHFixjSULz24SGQ5TbSypqxuGOipFmcbQd
					tQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBJjA+BgNVHSUBAf8ENDAy
					BggrBgEFBQcDAQYIKwYBBQUHAwQGCCsGAQUFBwMIBggrBgEFBQcDAgYIKwYBBQUHAwkwDQYJKoZI
					hvcNAQELBQADggIBADnoyyWcELomvXIEINnrf+tfiE3UYymswmqXvuuf4Fuz/QfvfPaXKcaPB1/4
					HWMAbn3vUvxoSIjI6YkaOSCJuJpLvHkxohTbLkJ7dalTAvfW3ONxOHyBxgGOfcG7gK9/wZD0cnYk
					SK4otZ13/8RdzuMAG/fFq/j2fSADxur6DU+nzP9dKhy7tbTaRs/YD0OrhPSaUTTZUo2wEwkdhZbl
					X2YZGVKWZazRoX3vagWIvDGxDBPlubvG7tDXzsTxFX6nqXqxKCbssRXEup9p1XcMJPhKwLTllDn6
					uom0kcbfX2BOf/fnBBf9AOyfNLVY/g2o6mk+smQQcPq8LIchrMkqT6SCi5347/o84Jad8HV45cIF
					EAa1IHUv6oEJCAQJKSclUNbKfk+xMvUta8dVhWBL8g/fA/SHp4OvzjB54Gl2vPj5Lxue08ZXlH7i
					idn0AELC6QR3whZph4UG3/yvLe21fZDpLSFLKCWgJAustZw5ePo/d77DunRBQ6CSfMWXDK0T2aUq
					Dap8SfzuCEV1xoVtvVJ4m78VOhkD/yVC+fJ3pBlltKNQiuUrUfXI/pX+r2Ay80AVtwhsD/tGxgpH
					taGkq5sC0agSbM/4FkCepoAfBdcaJgKLIcF3fLRIGFQdJP99fnFQ9Qe0BZi5sKlOyq5dbFebmBBm
					+lH/s/AlEdod4zDU</ds:X509Certificate>
			</ds:X509Data>
		</ds:KeyInfo>
	</ds:Signature>
</md:EntityDescriptor>


How to configure Azure as Identity Provider

Follow the guidelines here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps

In short, go to https://manage.windowsazure.com, click on your domain and select "Applications".

From here, click on "Add", then "Add an application my organization is developing" - select Web Application and give it a meaningful name. Enter a "sign on url" which must match your configuration - e.g. https://localhost:8443/adfs - this URL is added as a redirect URL automatically. Also enter an App ID URL - this URL needs to be added as websso.idp.xxxx.indentifier.

Now click on "view endpoints": copy the value of the federation document URL to the property websso.xxxx.metadataurl, and copy the WS-Federation sign-on endpoint URL to the property websso.xxxx.url.

Request flow using ADFS

When using ADFS with the sample application, the request flow is similar to this.

  1. The user requests www.oursite.com/secret – it is configured in the dispatcher to require permissions which the user does not have, so the user is redirected to the login page.
  2. The user requests the login page, www.oursite.com/login - the login page selects the proper identity provider to use, based on the user's IP address, or prompts the user to specify which provider to use (a common method is to prompt the user for his email address and select the proper provider based on the domain name).
    The login page redirects to www.oursite.com/adfs?idpname=xxxx
  3. The page at www.oursite.com/adfs queries Ceptor for the correct URL and identifier to use, and constructs the URL to redirect the user to the identity provider website (e.g. www.somewhereelse.com/adfs/ls ).
  4. The user authenticates with the Identity Provider ADFS in whatever way it is configured to accept; typically this is Integrated Windows Authentication or a userid/password prompt. Once authenticated, ADFS redirects back to the URL specified in the relying party configuration within ADFS.
  5. The user's browser requests www.oursite.com/adfs, which contains the login application – it reads the WS-Federation / SAML response token from the request and calls login() in Ceptor – the Ceptor server now validates the SAML ticket, checks the signatures and makes sure it is signed by the private key corresponding to one of the configured certificates.
    Once authenticated, the login application redirects the browser back to the original URL which the user attempted to access.
  6. The user requests www.oursite.com/secret again; he is now authenticated and the request continues normally.

Note that with the Ceptor Gateway you do not need a separate application; you can use the WebSSO Authentication plugin instead, which does the work that, with the dispatcher, requires a separate login application.

SAML Response Scripts

In order to be able to modify all aspects of a SAML response before it is signed, it is possible to specify a SAML Response script that is executed immediately after generating the SAML response string, but before it is signed.

It can optionally return a modified string containing a customized SAML response, which will then be signed and returned.

When the script is called, it has these variables available:

  • samlversion - 1 or 2 depending on which SAML type response is being generated
  • context - Script context, with additional attributes about the user context available - see below
  • input - SAML Response about to be created - can be modified and returned.

The context looks like the following:

Context
public class ScriptContext {
	/** Session Controller */
	public PTSServer sessionController;

	/** Configuration for session controller and authentication plugins */
	public Properties configuration;

	/** Session we are generating SAML responses for */
	public User session;

	/** SAML request as string, or null if no request present */
	public String samlRequest;

	/** Parsed SAML Request, or null if not present */
	public ADFSSamlRequest parsedSaml;

	/** Service Provider entry */
	public ADFSSamlSSOAuthPlugin.ServiceProviderEntry sp;
}

The context.parsedSaml attribute above has these values available:


public static class ADFSSamlRequest {
	public boolean saml2;
	public String issueInstant;
	public String requestID;
		
	// SAML 2
	public String issuer;
	public String destination;
}

© Ceptor ApS. All Rights Reserved.