Metadata Fetcher Module
An alternative to manually managing the identity provider metadata files is to enable the metadata fetcher HTTP module. On application start, the module reads the <identityProviders> configuration, finds every identity provider that has a Metadata endpoint defined, downloads a fresh copy of the metadata from that endpoint, and caches it in the configured metadata location. Because the fetched metadata is what tells the service provider which signing certificates to trust for that identity provider, only use https:// metadata URLs, and give write access to the metadata directory to the application pool identity alone: anyone who can write to that directory can substitute their own metadata and certificates.
There are three steps to enabling this functionality.
First, the metadata location specified by the metadata attribute of the <identityProviders> element must be writeable by the Application Pool identity. The simplest way is to right-click the folder in Explorer, open the Security tab, and add a permission entry for the Application Pool identity.
As an example, on IIS 7 this usually means giving the local machine group "IIS_IUSRS" Modify access to the folder. Modify is sufficient; Full Control is not needed. Granting the permission to the specific application pool identity (IIS AppPool\<pool name>, available when the pool runs as ApplicationPoolIdentity) instead of to the whole IIS_IUSRS group limits what other sites on the same server can do to the cached metadata. Setting the permissions for other setups is beyond the scope of this document.
Second, one or more identity providers must be added to the <identityProviders> element, each with a Metadata endpoint defined. If more than one is defined, one of them should be marked as default (the flag is unnecessary when only one identity provider is defined).
<saml2>
  ...
  <identityProviders metadata="C:\Path\To\Metadata\Directory">
    <add id="default.idp.com" default="true">
      <endpoints>
        <endpoint type="Metadata" url="https://metadata.endpoint.url" />
      </endpoints>
    </add>
    <add id="test.idp.com">
      <endpoints>
        <endpoint type="Metadata" url="https://metadata.endpoint.url" />
      </endpoints>
    </add>
  </identityProviders>
  ...
</saml2>
Finally, the module itself must be enabled. This is as simple as adding the following two lines to the <configuration><system.webServer><modules> element in the web.config file. The <remove> line is there so that registration does not fail with a duplicate-entry error if a parent configuration (for example applicationHost.config or a parent site's web.config) already registers a module with the same name; preCondition="managedHandler" restricts the module to requests that are served by managed (ASP.NET) handlers.
<configuration>
  <system.webServer>
    <modules>
      ...
      <remove name="Saml20MetadataFetcher" />
      <add name="Saml20MetadataFetcher" type="SAML2.Saml20MetadataFetcherModule, SAML2" preCondition="managedHandler" />
      ...
    </modules>
  </system.webServer>
</configuration>
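The three steps above, as an added PowerShell example that is not part of the SAML2 project: it grants the application pool identity Modify rights on the metadata directory (step 1) and then statically checks web.config for the settings steps 2 and 3 require, including that every Metadata endpoint uses HTTPS and that exactly one identity provider is marked default when several are defined. The directory path, application pool name and web.config path are assumed values; the element names are the ones shown on this page.

```powershell
# Added example, not part of the SAML2 project: grant the application pool
# identity Modify rights on the metadata directory, then check web.config for
# the settings the fetcher module needs. $MetadataDir, $AppPoolName and
# $WebConfig are assumed values; adjust them for your deployment.
param(
    [string]$MetadataDir = 'C:\Path\To\Metadata\Directory',
    [string]$AppPoolName = 'DefaultAppPool',
    [string]$WebConfig   = 'C:\inetpub\wwwroot\MyApp\web.config'
)

# Step 1: file system permissions. "IIS AppPool\<name>" is the virtual account
# IIS uses for a pool running as ApplicationPoolIdentity (the default on IIS 7.5
# and later); granting that one account is tighter than granting all of IIS_IUSRS.
$identity = "IIS AppPool\$AppPoolName"
if (-not (Test-Path -LiteralPath $MetadataDir)) {
    New-Item -ItemType Directory -Path $MetadataDir | Out-Null
}
# Modify, not Full Control: the module only needs to create and overwrite files.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -LiteralPath $MetadataDir
$acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
Set-Acl -LiteralPath $MetadataDir -AclObject $acl

# Confirm the ACE is present.
(Get-Acl -LiteralPath $MetadataDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Steps 2 and 3: static checks on web.config.
[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$problems = @()

$idps = $cfg.configuration.saml2.identityProviders
if (-not $idps) {
    $problems += 'No <saml2><identityProviders> element found.'
} else {
    if ($idps.metadata -ne $MetadataDir) {
        $problems += "identityProviders metadata='$($idps.metadata)' does not match '$MetadataDir'."
    }
    # Only providers with a Metadata endpoint are touched by the fetcher.
    $withMetadata = @($idps.add | Where-Object {
        @($_.endpoints.endpoint | Where-Object { $_.type -eq 'Metadata' }).Count -gt 0
    })
    foreach ($idp in $withMetadata) {
        foreach ($ep in @($idp.endpoints.endpoint | Where-Object { $_.type -eq 'Metadata' })) {
            # The metadata defines which IdP certificates the SP trusts, so it
            # must not be fetched over plain HTTP.
            if ($ep.url -notmatch '^https://') {
                $problems += "IdP '$($idp.id)' fetches metadata over a non-HTTPS URL: $($ep.url)"
            }
        }
    }
    $defaults = @($withMetadata | Where-Object { $_.default -eq 'true' })
    if ($withMetadata.Count -gt 1 -and $defaults.Count -ne 1) {
        $problems += "$($withMetadata.Count) identity providers defined but $($defaults.Count) marked default='true'."
    }
}

$module = @($cfg.configuration.'system.webServer'.modules.add |
    Where-Object { $_.name -eq 'Saml20MetadataFetcher' })
if ($module.Count -ne 1) {
    $problems += 'Saml20MetadataFetcher is not registered exactly once under <system.webServer><modules>.'
} elseif ($module[0].type -ne 'SAML2.Saml20MetadataFetcherModule, SAML2') {
    $problems += "Saml20MetadataFetcher has unexpected type '$($module[0].type)'."
}

if ($problems.Count -eq 0) {
    Write-Host 'web.config looks ready for the metadata fetcher module.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run the script from an elevated PowerShell session on the web server, since changing the ACL requires administrative rights. The web.config checks only look at the file itself: if the <saml2> or <system.webServer> section is pulled in through configSource or inherited from a parent configuration, adjust the paths the script parses accordingly.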