Creating SAML Connections from metadata using Deploy CLI

Problem Statement:

How to deploy new SAML connections via the Deploy CLI from XML metadata

Solution:

The metadataXml option can be used to pass the contents of the SAML metadata file when creating a connection.

In YAML format, the literal block scalar indicator (|) lets the metadata be pasted across multiple lines exactly as it is, with no further editing required. E.g. in the connections: section of the tenant.yaml file:

- name: metadataTest
  strategy: samlp
  enabled_clients: []
  options:
    metadataXml: |
        <md:EntityDescriptor ID="xxx" cacheDuration="xxx" entityID="xxx" xmlns:md="xxx"><ds:Signature xmlns:ds="xxx">
        <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="xxx"/>
        <ds:SignatureMethod Algorithm="xxx"/>
        <ds:Reference URI="xxx">
        <ds:Transforms>
        <ds:Transform Algorithm="xxx"/>
        <ds:Transform Algorithm="xxx"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="xxx"/>
        <ds:DigestValue>xxx</ds:DigestValue>
        </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
        xxx
        </ds:SignatureValue>
        </ds:Signature><md:IDPSSODescriptor protocolSupportEnumeration="xxx" WantAuthnRequestsSigned="xxx"><md:KeyDescriptor use="xxx"><ds:KeyInfo xmlns:ds="xxx"><ds:X509Data><ds:X509Certificate>xxx</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use="xxx"><ds:KeyInfo xmlns:ds="xxx"><ds:X509Data><ds:X509Certificate>xxx</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService index="xxx" Location="xxx" Binding="xxx" isDefault="xxx"/><md:SingleLogoutService Binding="xxx" Location="xxx"/><md:SingleLogoutService Binding="xxx" Location="xxx"/><md:SingleLogoutService Binding="xxx" Location="xxx"/><md:SingleLogoutService Binding="xxx" Location="xxx"/><md:SingleSignOnService Binding="xxx" Location="xxx"/><md:SingleSignOnService Binding="xxx" Location="xxx"/><md:SingleSignOnService Binding="xxx" Location="xxx"/><md:SingleSignOnService Binding="xxx" Location="xxx"/></md:IDPSSODescriptor><md:AttributeAuthorityDescriptor protocolSupportEnumeration="xxx"><md:AttributeService Location="xxx" Binding="xxx"/></md:AttributeAuthorityDescriptor><md:ContactPerson contactType="xxx"/></md:EntityDescriptor>

This will create a new SAML connection called “metadataTest” on import.

If using the Directory format, the customer will need to edit the metadata so that it is valid JSON: remove all newline characters and escape double-quote (") marks with backslashes, e.g.:

{
  "options": {
   "metadataXml": "<md:EntityDescriptor ID=\"xxx\" cacheDuration=\"xxx\" entityID=\"xxx\" xmlns:md=\"xxx\"><ds:Signature xmlns:ds=\"xxx\"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm=\"xxx\"/><ds:SignatureMethod Algorithm=\"xxx\"/><ds:Reference URI=\"xxx\"><ds:Transforms><ds:Transform Algorithm=\"xxx\"/><ds:Transform Algorithm=\"xxx\"/></ds:Transforms><ds:DigestMethod Algorithm=\"xxx\"/><ds:DigestValue>xxx</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>xxx</ds:SignatureValue></ds:Signature><md:IDPSSODescriptor protocolSupportEnumeration=\"xxx\" WantAuthnRequestsSigned=\"xxx\"><md:KeyDescriptor use=\"xxx\"><ds:KeyInfo xmlns:ds=\"xxx\"><ds:X509Data><ds:X509Certificate>xxx</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:KeyDescriptor use=\"xxx\"><ds:KeyInfo xmlns:ds=\"xxx\"><ds:X509Data><ds:X509Certificate>xxx</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService index=\"xxx\" Location=\"xxx\" Binding=\"xxx\" isDefault=\"xxx\"/><md:SingleLogoutService Binding=\"xxx\" Location=\"xxx\"/><md:SingleLogoutService Binding=\"xxx\" Location=\"xxx\"/><md:SingleLogoutService Binding=\"xxx\" Location=\"xxx\"/><md:SingleLogoutService Binding=\"xxx\" Location=\"xxx\"/><md:SingleSignOnService Binding=\"xxx\" Location=\"xxx\"/><md:SingleSignOnService Binding=\"xxx\" Location=\"xxx\"/><md:SingleSignOnService Binding=\"xxx\" Location=\"xxx\"/><md:SingleSignOnService Binding=\"xxx\" Location=\"xxx\"/></md:IDPSSODescriptor><md:AttributeAuthorityDescriptor protocolSupportEnumeration=\"xxx\"><md:AttributeService Location=\"xxx\" Binding=\"xxx\"/></md:AttributeAuthorityDescriptor><md:ContactPerson contactType=\"xxx\"/></md:EntityDescriptor>"
  },
  "strategy": "samlp",
  "name": "metadataTest",
  "enabled_clients": []
}
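As an added example (not part of the original article or of the Deploy CLI itself), the following Python script sanity-checks an IdP metadata file before import and emits the connection definition in both of the forms shown above: the single-line, quote-escaped JSON string for the Directory format and the literal block scalar for tenant.yaml. The sample metadata, entity ID, endpoint URL and certificate value are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample IdP metadata with placeholder entity ID, URL and certificate.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.test/saml" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def check_idp_metadata(xml_text):
    """Confirm the file is well-formed IdP metadata with a signing cert and an SSO endpoint."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no md:IDPSSODescriptor: this is not IdP metadata")
    certs = idp.findall(f".//{{{DS_NS}}}X509Certificate")
    sso = idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    if not certs or not sso:
        raise ValueError("IdP metadata lacks an X509Certificate or SingleSignOnService")
    return {"entityID": root.get("entityID"), "certificates": len(certs), "sso_endpoints": len(sso)}

def directory_format_entry(name, xml_text):
    """Directory format: the metadata becomes a single-line string value."""
    one_line = "".join(xml_text.splitlines())  # drop every newline character
    return {"options": {"metadataXml": one_line}, "strategy": "samlp",
            "name": name, "enabled_clients": []}

def directory_format_json(name, xml_text):
    """json.dumps escapes the double quotes inside the XML with backslashes for us."""
    return json.dumps(directory_format_entry(name, xml_text), indent=2)

def yaml_format_entry(name, xml_text):
    """tenant.yaml: a literal block scalar (|) keeps the metadata as pasted, indented past the key."""
    lines = [f"- name: {name}", "  strategy: samlp", "  enabled_clients: []",
             "  options:", "    metadataXml: |"]
    lines += ["      " + line for line in xml_text.splitlines()]
    return "\n".join(lines) + "\n"
```

Run check_idp_metadata on the real metadata file first; a malformed file or service-provider metadata (no IDPSSODescriptor) is rejected before anything is written to tenant.yaml or the connections directory.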

Note that these metadata-based definitions need to be removed from future imports; otherwise errors will occur, because a connection with the same name as the metadata import target already exists. We suggest performing an export after the connection(s) have been created, as this gives up-to-date import files that can be reused easily in the future.