ServiceProvider Element

The <serviceProvider> element contains the configuration information for the Service Provider. It specifies the ID, server, and <endpoints> for the Service Provider. It also can specify nameIdFormats, authnContexts for SAML RequestedAuthnContexts, etc., which may be necessary for some Identity Providers.

The <serviceProvider> element has two attributes that are required:

Attribute Use
id The ID of the Service Provider. This must match the Audience in AllowedAudienceUris within the Federation configuration section, and it must be a well formed URI.
server Specifies the URL of the Service Provider. Can be the same as ID.


The <serviceProvider> element can contain the following elements:

Element Use
<signingCertificate> Configuration for finding the certificate for signing purposes.
<endpoints> Configures the various endpoints the service provider exposes.
<nameIdFormats> (Optional) Allows for specifying supported NameIDFormats the service provider supports.
<authenticationContexts> (Optional) Allows for configuration of AuthnContexts the service provider supports.

SigningCertificate

The <signingCertificate> element allows for specifying the certificate and store on the hosting server from which to pull the certificate used for signing / encryption, etc.

It allows the following attributes:

Attribute Use
findValue The value to use when searching for the certificate using the designated x509FindType
storeLocation The certificate store location. Can be any of the values specified in the StoreLocation enumeration. Typically, "LocalMachine".
storeName The certificate store name. Can be any of the values specified in the StoreName enumeration. Typically, "My".
x509FindType The method by which to identify the certificate. Can be any of the values specified in the X509FindType enumeration.


It is important to note that the application must have access to the private key of the certificate in the key store. This can be done from mmc.exe and the Certificates snap-in. The private key permissions must be set to allow Read permissions for the identity the App Pool is running under. On IIS7+, this could be the IIS_IUSRS group if you are not running the App Pool under a different identity.

  <saml2>
    <serviceProvider id="urn:SPName" server="https://www.example.com">
      <signingCertificate findValue="CN=MySamlSigningCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
    </serviceProvider>
  </saml2>

Endpoints

The <endpoints> element configures the service provider endpoints. This element must always have three <endpoint> elements defined: SignOnEndpoint, LogoutEndpoint, and Metdata endpoint.

Each <endpoint> has the following required attributes:

Attribute Use
type Determine the function of the endpoint, and must be one of "SignOn", "Logout" or "Metadata". One ServiceEndpoint of each type must be present.
localpath The address at which the endpoint is located. These should match the locations of the handlers for each type.
redirectUrl The default URL to redirect to after the handler is done executing.
index Used to define the "index" value for the endpoint when generating a metadata document. Required for metadata generation of artifactResolution endpoints.

NameIdFormats

The <nameIdFormats> element is an optional element which allows for specifying the NameIdFormats the ServiceProvider supports. It has the following attribute:

Attribute Use
allowCreate Controls the "AllowCreate" attribute on SAML requests, which may be required for some implementations. True / false value.


Note, that while multiple NameIdFormats can be added to this list, only the first is ever sent as part of an AuthnRequest (limitation of the OASIS SAML2 Specification). Other specified NameIdFormats will be output during Metadata creation as the specification allows. Most providers that require this in the AuthnRequest will specify a NameIdFormat to use.

To add NameIdFormats to the collection, use the following syntax:

  <saml2>
    <serviceProvider id="urn:SPName" server="https://www.example.com">
      ...
      <nameIdFormats allowCreate="true">
        <add format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
      </nameIdFormats>
      ...
    </serviceProvider>
  </saml2>


The following NameIdFormats are available as per the OASIS SAML2 Specification:

NameIdFormat
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient

AuthenticationContexts

The <authenticationContexts> element is an optional element which allows for the Service Provider to specify the authentication contexts that it will accept from the Identity Provider. This controls the "RequestedAuthnContext" element of the SAML request, and may be required by some implementations.

The <authenticationContexts> element exposes the following attribute:

Attribute Use
comparison Specifies the comparison method used to evaluate the requested context classes or statements, one

of "exact", "minimum", "maximum", or "better". The default is "exact", if omitted.|

To add AuthnContexts to the collection, use the following syntax:

  <saml2>
    <serviceProvider id="urn:SPName" server="https://www.example.com">
      ...
      <authenticationContexts comparison="Exact">
        <add context="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" referenceType="AuthnContextClassRef"/>
      </authenticationContexts>
      ...
    </serviceProvider>
  </saml2>

Last edited Nov 1, 2015 at 6:49 AM by i8beef, version 11

Comments

twamley Aug 15, 2014 at 6:46 PM 
I stumbled on the first self-signed cert I tried to use for the SP. Turns out I had made an SSO cert instead of a Signing cert. This is what worked well for my self signed SP cert:

makecert -r -pe -n "CN=your.site.com" -b 01/01/2014 -e 01/01/2030 -eku 1.3.6.1.5.5.7.3.3 -sky signature -ss my -sr localmachine

Read up on what all the params mean here: http://msdn.microsoft.com/en-us/library/bfsktky3