OIDCSAMLMetadata

Scott Cantor edited this page Feb 16, 2021 · 4 revisions

(Under construction, for upcoming v3.0.0)

Plugin v2.1.0 provides a new facility for registering OAuth2/OIDC services in SAML metadata. All the configuration options of the previously existing (JSON) format are also available in this form. The full specification is described in detail in the OAuthRPMetadataProfile specification (currently restricted).

For loading the metadata, all the options described in Shibboleth IdP V4 - Metadata Configuration are available.

Public Keys and Client Secrets

As described above, the keyInfoProvidersRef attribute of the metadata node processor controls how public keys and client secrets are resolved from SAML metadata. The default (shibboleth.oidc.DefaultKeyInfoProviders) enables all the methods described in the next two subsections. In all cases, the public key or client secret for an RP is obtained from the KeyDescriptor element of its EntityDescriptor:

<EntityDescriptor ...>
    <SPSSODescriptor xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                ...
            </ds:KeyInfo>
        </KeyDescriptor>
    </SPSSODescriptor>
</EntityDescriptor>

Public Key Resolution

The trusted public keys can be resolved in the following four ways:

1. Via JSON Web Key Set (JWKS) in the SAML metadata

The following example adds the JWKS to the trusted JWKS:

<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>mockJwkId</ds:KeyName>
        <oidcmd:JwksData>
            ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci
            OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx
            aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3
            UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW
            VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR
            Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw
            c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf
            ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData>
    </ds:KeyInfo>
</md:KeyDescriptor>

The content must be a Base64-encoded JSON string; the example above decodes to the following:

{
   "kty": "RSA",
   "e": "AQAB",
   "kid": "mock",
   "alg": "RS256",
   "n": "pJptRrzrFXDRpZZGiFg5yoJyTO2ZaPCR4G0n11iERrPSvUX_m6BgojNjTFHJMik_ilhmW64CrKtiLvIQLQzUeyEwCdwXePwQZMxExT2OWkaCCWFI4tx_eEXddPkckSLDDa0EPwwsZKPPXhE3V50_gzVT2YAToDO_2j2xjVpqsSGEsLib6jnvtZUU_B0sGyJiGVs2JTNhBMSkOkQfK66CBqmlo0nPNMaR1mivtnIPmZ6rJTw0P5YgGEKXff0lknHonYVdlVKpsD8UnacBstYryHl3CPGe2stfGa1gsz4GHTe_FyVVM8RShCgXUZ717hzz_zGPiXCBL4fKDzNYQzHQ"
}

This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.InlineJwksProvider in the list of enabled methods.

2. Via URL to a remote JSON Web Key Set (JWKS)

The following example sets the URI for the remote JWKS to https://example.org/jwks:

<md:KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>mockJwksUri</ds:KeyName>
        <oidcmd:JwksUri>https://example.org/jwks</oidcmd:JwksUri>
    </ds:KeyInfo>
</md:KeyDescriptor>

This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.JWKSReferenceProvider in the list of enabled methods.

3. Key value in the SAML metadata

The following example adds the public key to the trusted JWKS, with key identifier mockRSA:

<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyName>mockRSA</ds:KeyName>
    <ds:KeyValue>
        <ds:RSAKeyValue>
            <ds:Modulus>
                AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj
                K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e
                XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt
                IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I
                X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:Modulus>
            <ds:Exponent>AQAB</ds:Exponent>
        </ds:RSAKeyValue>
    </ds:KeyValue>
</ds:KeyInfo>

This method is enabled by including the bean with class org.opensaml.xmlsec.keyinfo.impl.provider.RSAKeyValueProvider for RSA keys and/or org.opensaml.xmlsec.keyinfo.impl.provider.DSAKeyValueProvider for DSA keys in the list of enabled methods.

4. Via X.509 certificate in the SAML metadata

The following example adds the public key from the embedded certificate to the trusted JWKS, with key identifier mockX509RSA:

<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>mockX509RSA</ds:KeyName>
        <ds:X509Data>
            <ds:X509Certificate>
            MIIEQDCCAqigAwIBAgIVAIarXvdvyS47KJR7U40FlTufyD8vMA0GCSqGSIb3DQEB
            CwUAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xOTA2MTcx
            MTI5MTJaFw0zOTA2MTcxMTI5MTJaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2Nh
            bGRvbWFpbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALXysGFnoBFh
            oasd5uMecp9OTBjvztntPUVmHfm4R3AcItEMEZEN/pETcX/wgKdo4qCBq4PrZITa
            T8Salgl0XL6qF1Wia3JNA7Hh/OaoQEUsbsHgsjLMKt6MJh8vIaE1o8loL7Ay4WmZ
            Cr3wc8ZS6CpMsv+qbxkyfl1h7MTydETnQhg/X83bj+BjJSh7QeFU0d0SWK1dN2/D
            nFoGOfuTfVqeDRIwMxKlR5G//8N202sLaG28NljaHhLn3jHXeiGpCQ+Q2X90dkFb
            EKb6sQ6SlDUAzm9MwLYjglDyOhXpUqOnvD67nggLb4Gn/4k+g5wtdfr7unOJYcHK
            w7JGnI8Gd0lJMd6B3SpkhUOWgKv/D6HIBArhqSEmXuTyy8FewyYuo1XkIw/Lu3bB
            9qoBojM1tygoGlKi7R7e719J+DSkhyGbMyQ59leoN97iGGgqjUWS5mew8zSNviyz
            4uGqvxmLWU9UTH1YhlARsBF1bMiMnwLz7dF74AaAkC4pN3BYzDMyHQIDAQABo3Ew
            bzAdBgNVHQ4EFgQUwKUd9D1Qymu2oBEVTscrAhP+sIUwTgYDVR0RBEcwRYIVbG9j
            YWxob3N0LmxvY2FsZG9tYWluhixodHRwczovL2xvY2FsaG9zdC5sb2NhbGRvbWFp
            bi9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEAEYqh54a+j5OuR1UB
            /AT9k2xXVwHiqQXAC/2un8O5BWAOeOq9+0gLJO5yaJp5c9GjPXRJmnDfGP9HFF6R
            CjngtRCm1gV/fpj97IRQS5oroaeTWPQ9ZD5+ogs5DNt6UZeJ2GqpfA5mOytNg3cM
            OP1B5QnA1apOaG4FHTegJR7WOIXkkAjEJUy6R+5Q6At7DdK/SRrP5onVPFv2HgGF
            E9v9iX/uQepDizS5F2oi6LZCl1/b38gxA8BFL7VZu53JQguaA7SrnP+dBOErT/yh
            Qcx3e9wE2ms8H1qISIdl3e7gvLi5jEyDWC9Agde6EjjvVVJAF7jR0puQ39mBfoxP
            moVdHJQmCt3V7Ew9tYZUpG3rjp4YNXOiM+QhtwhHWT94q9uJKUQ6JvbxgLNDs5KM
            3PENx2C60TPFne9nRRIMVDavU4wwY7GdCgeo8PiZ5zxI0ZCkxh38ODePtKQrxJ7i
            E0J1BE2LIxa1T7KY0XKpsH0iI2dNfZfNpNp4v/HiDb4svYgq</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>

This method is enabled by including the bean with class org.opensaml.xmlsec.keyinfo.impl.provider.InlineX509DataProvider in the list of enabled methods.

Client Secret Resolution

The client secret values can be read from the SAML metadata in the following ways:

1. Directly from the SAML metadata

The following example sets the client secret value to verySecretClientSecretKeyValue1234567890:

<KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <oidcmd:ClientSecret>verySecretClientSecretKeyValue1234567890</oidcmd:ClientSecret>
    </ds:KeyInfo>
</KeyDescriptor>

This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.ClientSecretProvider in the list of enabled methods.

2. Via reference key in the SAML metadata

The following example sets the client secret reference to secretReference1:

<KeyDescriptor>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <oidcmd:ClientSecretKeyReference>secretReference1</oidcmd:ClientSecretKeyReference>
    </ds:KeyInfo>
</KeyDescriptor>

This method is enabled by including the bean with class org.geant.idpextension.keyinfo.ext.impl.provider.ClientSecretReferenceProvider in the list of enabled methods. That bean must itself be configured with a list of the desired resolution methods; two are currently available:

1. Resolution via property file

The .properties file containing the client secrets is configured via idp.oidc.metadata.clientSecretProperties in the IdP configuration properties. For instance, with the following file:

secretReference1 = verySecretClientSecretKeyValue1234567890
secretReference2 = verySecretClientSecretKeyValue0987654321

The client secret value would be resolved to verySecretClientSecretKeyValue1234567890.

2. Resolution via resolver service

TODO
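As an added example covering both the public key resolution and client secret resolution subsections above (this is not code from the Shibboleth OIDC plugin or from this page), the following stdlib-only Python script walks the md:KeyDescriptor/ds:KeyInfo elements of an EntityDescriptor and applies public key methods 1 to 3 and both client secret methods. The sample metadata, the tiny RSA modulus, the JWK and the properties file are constructed here for the demonstration. The X.509 method (4) and DSA keys are left to a proper X.509/DSA library and are not handled; treating a JwksData payload as either a single JWK or a full JWK Set, refusing a non-https JwksUri, and failing hard on an unknown ClientSecretKeyReference are this example's own choices, not documented plugin behaviour.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Namespaces used by the metadata snippets on this page.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "oidcmd": "urn:mace:shibboleth:metadata:oidc:1.0",
}


def _b64url(data):
    """JWK integer parameters are base64url without padding (RFC 7518, 6.3)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _crypto_binary(text):
    """ds:Modulus/ds:Exponent are standard base64 of a big-endian unsigned integer.
    Line wrapping is dropped, and so is a leading zero byte, which XML Signature
    permits (compare the modulus above starting with 'AMP1') but JWK forbids."""
    raw = base64.b64decode("".join(text.split()))
    return raw.lstrip(b"\x00") or b"\x00"


def rsa_key_value_to_jwk(key_value, kid):
    """Method 3: convert ds:KeyValue/ds:RSAKeyValue into a JWK dict."""
    modulus = key_value.find("ds:RSAKeyValue/ds:Modulus", NS).text
    exponent = key_value.find("ds:RSAKeyValue/ds:Exponent", NS).text
    jwk = {"kty": "RSA", "n": _b64url(_crypto_binary(modulus)),
           "e": _b64url(_crypto_binary(exponent))}
    if kid:
        jwk["kid"] = kid  # ds:KeyName becomes the key identifier
    return jwk


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments.
    Simplified on purpose: escapes and ':' separators are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve_key_info(entity_xml, secret_properties=""):
    """Collect what the providers on this page derive from every KeyDescriptor:
    a JWK Set, the remote JWKS URIs, and the client secret."""
    root = ET.fromstring(entity_xml)
    secrets = parse_properties(secret_properties)
    out = {"jwks": {"keys": []}, "jwks_uris": [], "client_secret": None}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        ki = kd.find("ds:KeyInfo", NS)
        if ki is None:
            continue
        name = ki.find("ds:KeyName", NS)
        kid = name.text.strip() if name is not None and name.text else None
        # Method 1 (InlineJwksProvider): base64 JSON. Assumption of this example:
        # the payload is either one JWK (as in the page's example) or a JWK Set.
        jwks_data = ki.find("oidcmd:JwksData", NS)
        if jwks_data is not None:
            decoded = json.loads(base64.b64decode("".join(jwks_data.text.split())))
            out["jwks"]["keys"].extend(decoded.get("keys", [decoded]))
        # Method 2 (JWKSReferenceProvider): the key set will be fetched and
        # trusted, so this example refuses anything but https.
        jwks_uri = ki.find("oidcmd:JwksUri", NS)
        if jwks_uri is not None:
            uri = jwks_uri.text.strip()
            if not uri.startswith("https://"):
                raise ValueError("refusing non-https JwksUri: " + uri)
            out["jwks_uris"].append(uri)
        # Method 3 (RSAKeyValueProvider). Method 4 (X509Data) and DSA keys are
        # left to a real X.509/DSA library and are not handled here.
        key_value = ki.find("ds:KeyValue", NS)
        if key_value is not None and key_value.find("ds:RSAKeyValue", NS) is not None:
            out["jwks"]["keys"].append(rsa_key_value_to_jwk(key_value, kid))
        # Client secret directly (ClientSecretProvider) ...
        secret = ki.find("oidcmd:ClientSecret", NS)
        if secret is not None:
            out["client_secret"] = secret.text.strip()
        # ... or by reference into the properties file (ClientSecretReferenceProvider);
        # an unknown reference is an error, never silently an empty secret.
        ref = ki.find("oidcmd:ClientSecretKeyReference", NS)
        if ref is not None:
            ref_name = ref.text.strip()
            if ref_name not in secrets:
                raise KeyError("no client secret registered for reference " + ref_name)
            out["client_secret"] = secrets[ref_name]
    return out


# Constructed sample data (not real keys or secrets); the RSA modulus is tiny so
# the conversion 'AMP1pw==' -> bytes 00 C3 F5 A7 -> 'w_Wn' can be checked by hand.
SAMPLE_JWK = {"kty": "RSA", "kid": "mock", "alg": "RS256", "e": "AQAB", "n": "w_Wn"}
SAMPLE_PROPERTIES = """# constructed idp.oidc.metadata.clientSecretProperties file
secretReference1 = verySecretClientSecretKeyValue1234567890
secretReference2 = verySecretClientSecretKeyValue0987654321
"""
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://rp.example.org">
 <SPSSODescriptor xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
     protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
  <KeyDescriptor use="signing"><ds:KeyInfo>
   <ds:KeyName>mockJwkId</ds:KeyName><oidcmd:JwksData>JWKS_B64</oidcmd:JwksData>
  </ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor><ds:KeyInfo>
   <ds:KeyName>mockJwksUri</ds:KeyName><oidcmd:JwksUri>https://example.org/jwks</oidcmd:JwksUri>
  </ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>mockRSA</ds:KeyName>
   <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AMP1pw==</ds:Modulus>
   <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>
  </ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor><ds:KeyInfo>
   <oidcmd:ClientSecretKeyReference>secretReference1</oidcmd:ClientSecretKeyReference>
  </ds:KeyInfo></KeyDescriptor>
 </SPSSODescriptor>
</EntityDescriptor>
""".replace("JWKS_B64", base64.b64encode(json.dumps(SAMPLE_JWK).encode()).decode())

if __name__ == "__main__":
    print(json.dumps(resolve_key_info(SAMPLE_METADATA, SAMPLE_PROPERTIES), indent=2))
```

Running the script prints the resolved JWK Set (the inline JWK plus the converted RSAKeyValue with kid mockRSA), the single remote JWKS URI, and the secret looked up through secretReference1. The leading-zero handling in _crypto_binary is the detail that bites in practice: a modulus copied straight from ds:Modulus into a JWK "n" would be rejected by strict JOSE implementations.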