
Adding WantAssertionsSigned to NAM Generated Metadata

I'm trying to federate with an Azure B2C instance. In this case, Azure is the IdP and NAM is the SP, so I'm configuring the Azure IdP as a SAML 2.0 Identity Provider in NAM.

One issue I am seeing is that Azure won't sign the SAML Assertion unless the metadata contains WantAssertionsSigned="true" in the SPSSODescriptor. Per the Microsoft doc here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy#check-the-saml-assertion-signature

When your application expects the SAML assertion section to be signed, make sure the SAML service provider set the WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.

I don't see any way to make NAM generate metadata with that setting.  Is there an option or other hack that will allow this?

This is NAM 5.0 SP4.

Thanks.

Matt

Labels:

Access Manager

    Hi!

    I never federated with Azure B2C as IdP, but can you upload the metadata as a text file, so you can manually fix whatever is needed?

    Please keep in mind that manually modifying metadata will break metadata signature.

    So if Azure complains, try removing the metadata signature element (the Signature element just below EntityDescriptor). If Azure wants the metadata signed, you can re-sign it either with xmlsectool or with online utilities like https://www.samltool.com/sign_metadata.php

    Kind regards,

    Sebastijan

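The manual fix described above (set WantAssertionsSigned="true" on the SPSSODescriptor of the NAM-generated SP metadata, then drop the metadata signature that the edit has invalidated, re-signing afterwards if the IdP insists on signed metadata) as an added Python example. This is not code from the thread, from NAM or from Microsoft; the sample metadata, its entityID, URLs and the ds:Signature contents are constructed placeholders. Two caveats for anyone applying it: the attribute only asks Azure to sign the assertion, it does nothing to make NAM verify that signature, so check the SP-side verification setting separately; and because this is a patch applied outside NAM, it has to be re-applied (and re-signed) every time NAM regenerates its metadata, which is exactly why a vendor pulling the metadata URL directly will not see it.

```python
"""Patch NAM-generated SP metadata so Azure B2C signs the SAML assertion.

Added example for this thread, not NAM or Microsoft code.  The sample
metadata below is constructed: entityID, URLs and the ds:Signature body
are placeholders, not a real NAM export.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Keep the md:/ds: prefixes on output instead of ElementTree's ns0:/ns1:.
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for what NAM publishes: signed directly below
# EntityDescriptor, SPSSODescriptor without WantAssertionsSigned.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://nam.example.com/nidp/saml2/metadata">
  <ds:Signature>
    <ds:SignedInfo>placeholder</ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nam.example.com/nidp/saml2/spassertion_consumer"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def patch_sp_metadata(xml_text):
    """Return the metadata with WantAssertionsSigned="true" on every SPSSODescriptor.

    Any enveloped signature directly below EntityDescriptor no longer matches
    the edited document, so it is removed.  If the IdP requires signed
    metadata, re-sign the returned document (e.g. with xmlsectool) as a
    separate step; do not leave the stale signature in place.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    descriptors = root.findall("md:SPSSODescriptor", NS)
    if not descriptors:
        raise ValueError("no SPSSODescriptor found: this is not SP metadata")
    for sp in descriptors:
        sp.set("WantAssertionsSigned", "true")
    # findall() returns a list, so removing while iterating is safe.
    for sig in root.findall("ds:Signature", NS):
        root.remove(sig)
    return ET.tostring(root, encoding="unicode")


def inspect_sp_metadata(xml_text):
    """Report the two facts that matter here: the attribute value and whether
    a metadata-level signature is (still) present."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {
        "want_assertions_signed": None if sp is None else sp.get("WantAssertionsSigned"),
        "signed": root.find("ds:Signature", NS) is not None,
    }


if __name__ == "__main__":
    # Usage: python patch_metadata.py [exported-nam-sp-metadata.xml] > patched.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_SP_METADATA
    print(patch_sp_metadata(source))
```

Run it against the metadata exported from NAM and hand the output (re-signed if required) to the Azure B2C side; `inspect_sp_metadata` is there so you can confirm the attribute actually landed before uploading, and to confirm that the stale signature is gone rather than silently failing validation on the Azure side.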

    I never federated with Azure B2C as IdP, but can you upload the metadata as a text file, so you can manually fix whatever is needed?

    That's precisely what we did and we got it working.  But the vendor I'm working with would rather have it directly refreshed from NAM's metadata.  They don't want to leave the manual fix, which I understand.  I do have a support case open as well.

    Matt