Closed malnufaisi closed 2 years ago
I built the SSO integration project: I will act as the IdP (identity provider) and our third party will act as the SP (service provider).
I used this code https://github.com/OTA-Insight/djangosaml2idp to prepare my IdP; everything is working.
But I have a question: how can I add claims (attributes) to this generated metadata so that our SP can use them?
here is the generated metadata file:
<!-- Generated IdP metadata as posted in the issue; the XML is reproduced unchanged and only review comments were added. -->
<!-- The ns0/ns1/ns2 prefixes have no xmlns declarations in this paste, so the text is not well-formed on its own; presumably the declarations (most likely the SAML metadata namespace, the metadata algorithm-support extension and XML Signature) were lost when pasting. Review the live /idp/metadata/ response rather than this copy. -->
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z"> <!-- validUntil: an SP that honors it stops trusting this document after 2022-11-06T12:46:57Z, so the SP should refresh metadata from the IdP instead of keeping a static copy. --> <ns0:Extensions> <!-- Algorithm-support advertisement: the list mixes MD5, RIPEMD-160 and SHA-1 digests and DSA-SHA1, RSA-MD5, RSA-RIPEMD160, RSA-SHA1 and ECDSA-SHA1 signing methods with the SHA-2 family. This is a capability hint, not an enforcement, but publishing broken or deprecated algorithms lets an SP choose them for signed messages; restricting the advertised set to SHA-256 and stronger is the usual hardening. --> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> </ns0:Extensions> <!-- WantAuthnRequestsSigned="false": unsigned AuthnRequests are accepted, so request fields such as AssertionConsumerServiceURL must be checked against the SP's registered metadata on the IdP side rather than taken from the request. --> <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false"> <ns0:KeyDescriptor use="signing"> <ns2:KeyInfo> <ns2:X509Data> 
<ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <!-- The encryption certificate below appears to be the same X.509 certificate as the signing one (identical base64). One key pair for both uses is common in pysaml2 setups, but separate keys limit the blast radius if either private key is exposed. --> <ns0:KeyDescriptor use="encryption"> <ns2:KeyInfo> <ns2:X509Data> <ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ 
VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <!-- All endpoints are plain http:// on localhost, i.e. a development setup; the published Location values need to be https URLs before this metadata is handed to a real SP. --> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/> <!-- The NameIDFormat values carry leading and trailing whitespace in this paste; if the real output does too, an SP that compares the format string without trimming will not match any of them. --> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </ns0:NameIDFormat> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified </ns0:NameIDFormat> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </ns0:NameIDFormat> <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/> <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/> </ns0:IDPSSODescriptor> </ns0:EntityDescriptor>
Here are my attempts; are they correct?
First attempt: adding an AttributeConsumingService, but I am not sure about the SPSSODescriptor tag.
<!-- First attempt from the issue; the XML is reproduced unchanged and only review comments were added. -->
<!-- The role element is now an SPSSODescriptor, so this document describes a Service Provider, not the IdP: the SingleSignOnService endpoints are gone, validUntil was dropped, and AuthnRequestsSigned / WantAssertionsSigned are SP-side flags. An SP loading this as IdP metadata will find no IDPSSODescriptor, so it cannot be the answer to advertising IdP attributes. -->
<!-- As in the generated file, the ns0/ns1/ns2 prefixes are undeclared in this paste and the algorithm-support list still advertises MD5, RIPEMD-160 and SHA-1 based digests and signing methods. -->
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/"> <ns0:Extensions> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> </ns0:Extensions> <!-- SPSSODescriptor: this is the Service Provider role; an IdP publishes an IDPSSODescriptor. --> <ns0:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true" WantAssertionsSigned="true"> <ns0:KeyDescriptor use="signing"> <ns2:KeyInfo> <ns2:X509Data> 
<ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <ns0:KeyDescriptor use="encryption"> <ns2:KeyInfo> <ns2:X509Data> <ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ 
VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </ns0:NameIDFormat> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified </ns0:NameIDFormat> <!-- AttributeConsumingService is how an SP requests attributes; it is schema-valid here only because the enclosing element is an SPSSODescriptor. An IdP advertises the attributes it can release with saml:Attribute children of IDPSSODescriptor (SAML 2.0 Metadata, section 2.4.3); in djangosaml2idp the attributes actually released are presumably configured per SP on the IdP side rather than through metadata, so verify that in the project documentation. --> <ns0:AttributeConsumingService index="1"> <!-- ServiceName is empty; the metadata schema requires a non-empty localized string here. --> <ns0:ServiceName xml:lang="en"/> <!-- username, first_name and last_name are declared with the attrname-format:uri NameFormat but are not URIs; the basic or unspecified NameFormat fits plain names. urn:oid:1.2.840.113549.1.9.1.1 is not the common LDAP mail OID (urn:oid:0.9.2342.19200300.100.1.3); confirm the SP's attribute map uses the same name. --> <ns0:RequestedAttribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/> <ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/> <ns0:RequestedAttribute Name="first_name" 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/> <ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/> </ns0:AttributeConsumingService> </ns0:SPSSODescriptor> </ns0:EntityDescriptor>
Second attempt: or should I add the AttributeConsumingService to the IDPSSODescriptor, as below?
<!-- Second attempt from the issue; the XML is reproduced unchanged and only review comments were added. -->
<!-- An AttributeConsumingService is placed inside IDPSSODescriptor. The SAML 2.0 metadata schema only allows that element under SPSSODescriptor; IDPSSODescriptor may instead carry saml:Attribute elements (assertion namespace) listing the attributes the IdP supports (SAML 2.0 Metadata, section 2.4.3). A schema-validating SP will reject this document as written. -->
<!-- As in the generated file, the ns0/ns1/ns2 prefixes are undeclared in this paste and the algorithm-support list still advertises MD5, RIPEMD-160 and SHA-1 based digests and signing methods. -->
<ns0:EntityDescriptor entityID="http://localhost:9000/idp/metadata/" validUntil="2022-11-06T12:46:57Z"> <ns0:Extensions> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#md5"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/> <ns1:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-md5"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha224"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/> <ns1:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> </ns0:Extensions> <!-- WantAuthnRequestsSigned="false" is kept from the generated file: unsigned AuthnRequests are accepted, so request fields such as AssertionConsumerServiceURL must be checked against the SP's registered metadata on the IdP side. --> <ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" WantAuthnRequestsSigned="false"> <ns0:KeyDescriptor use="signing"> <ns2:KeyInfo> <ns2:X509Data> 
<ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <ns0:KeyDescriptor use="encryption"> <ns2:KeyInfo> <ns2:X509Data> <ns2:X509Certificate> MIID/TCCAuWgAwIBAgIUd3caFbHlYy3TQxRxYS4e/8ya0bYwDQYJKoZIhvcNAQEL BQAwgY0xCzAJBgNVBAYTAlNBMQ8wDQYDVQQIDAZSaXlhZGgxDzANBgNVBAcMBlJp eWFkaDELMAkGA1UECgwCSVQxCzAJBgNVBAsMAklUMRcwFQYDVQQDDA5sb2NhbGhv c3Q6OTAwMDEpMCcGCSqGSIb3DQEJARYabS5hbG51ZmFpc2kydGFrYW1vbC5jb20u c2EwHhcNMjExMDE3MDkzMTQwWhcNMzExMDE3MDkzMTQwWjCBjTELMAkGA1UEBhMC U0ExDzANBgNVBAgMBlJpeWFkaDEPMA0GA1UEBwwGUml5YWRoMQswCQYDVQQKDAJJ 
VDELMAkGA1UECwwCSVQxFzAVBgNVBAMMDmxvY2FsaG9zdDo5MDAwMSkwJwYJKoZI hvcNAQkBFhptLmFsbnVmYWlzaTJ0YWthbW9sLmNvbS5zYTCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALLSHO71t9ewIWjIIQcrGlzMlDTwQ0DwQEUkYiw9 wgqRRaBrvEthraYkCB8OPho9fUORB46UxFQeYMq7r0Njdc8Zv/MRmu1uQFWwk0DT Qr39coL5528OhktEotTO0LHbSoxpATiAGfmTA/UeQ+eSYPUKKdo4Dd/UEmzz19Dq pqK2I38v6hnb41XyR71zE+W/IalvJR3p2JODAmsiN3nIP2kbdviKZiy0bXkrzODe dZmc4v4p86v3X9SH/zJ2upcA3s9dGqcBok15shzVAqJnd3uNZzRwn8ZxW36Vv6xy LBxJv/viLFH9xX8beR4h8KWrGK2rgM7KuJHo1tGrEzJmA+0CAwEAAaNTMFEwHQYD VR0OBBYEFA6pioh/oBZg8ANNThtWfGxx2mWxMB8GA1UdIwQYMBaAFA6pioh/oBZg 8ANNThtWfGxx2mWxMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB AHt4m2hdFZp/ZxxcAsUD1Acweiibq+NqmSU6LJURK7Qw/CJUQFL845RXkzbbVnhq /HEvesd0qnmLgd8qH7voHCn6tFTWLk6kw6Axj4cv0qW4PKoz37PVKgG5mNiijgXX 3VbulniOqkuXqoijNb9pZvV63TFXtzz+BkM4uivs9cu8ndKU+sqiUgZGYe+xSIcl j8qP9DeU4D5XaSYKUSOIXbLJebklxbnpnGunM6O0ZWdVwfbV6U4FwTqnZtQWHT0m A5q+hK6L9CrBBkMP+12ACbBgENF6JrsVGyBN36FdAbA/uwTsynMdwn4zMC1xefj0 6/w0SoJP54KNrj9dG7AwXq4= </ns2:X509Certificate> </ns2:X509Data> </ns2:KeyInfo> </ns0:KeyDescriptor> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/slo/post/"/> <ns0:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/slo/redirect/"/> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress </ns0:NameIDFormat> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified </ns0:NameIDFormat> <ns0:NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </ns0:NameIDFormat> <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:9000/idp/sso/post/"/> <ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:9000/idp/sso/redirect/"/> <!-- Not permitted here by the metadata schema (AttributeConsumingService belongs to SPSSODescriptor). If the intent is to advertise supported attributes, use saml:Attribute elements in the IDPSSODescriptor instead. ServiceName below is also empty although the schema requires a non-empty localized string, and username, first_name and last_name are not URIs despite the attrname-format:uri NameFormat; urn:oid:1.2.840.113549.1.9.1.1 is not the common LDAP mail OID (urn:oid:0.9.2342.19200300.100.1.3), so confirm the SP's attribute map. --> <ns0:AttributeConsumingService index="1"> <ns0:ServiceName xml:lang="en"/> <ns0:RequestedAttribute 
Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="username" isRequired="true"/> <ns0:RequestedAttribute Name="urn:oid:1.2.840.113549.1.9.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="email" isRequired="true"/> <ns0:RequestedAttribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="first_name" isRequired="true"/> <ns0:RequestedAttribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="last_name" isRequired="true"/> </ns0:AttributeConsumingService> </ns0:IDPSSODescriptor> </ns0:EntityDescriptor>
I appreciate your support.