Monday, October 19, 2015

ADFS : Metadata signing

ADFS, and pretty much all half-decent IdPs and SPs, use metadata to exchange things like endpoints, bindings, signing and encryption certificates, etc.

Sometimes you need to change some part of the metadata, e.g. ADFS won't accept any endpoints that aren't HTTPS.

So to be able to import the metadata, you have to edit it.

However, if the metadata is signed, the import will throw an error once you've edited it.

This is because the signature is computed over a hash (digest) of the contents, so obviously if you change the contents you change the hash value, and the signature no longer verifies.

What to do?

Note: The below is at your own risk, as there are security implications.

Metadata stands on its own. There are no other files involved, no links to web collateral, etc. So it stands to reason that if the metadata is signed, the signature itself must be recorded somewhere within the metadata.

And in fact it is.

It uses the XML Signature (XMLDSig) constructs: "ds:Signature", "ds:SignedInfo", "ds:SignatureValue" etc.

So to remove the signature protection, simply delete the entire "ds:Signature" element, from its opening tag to its closing tag, including everything nested inside it. Now you can change anything you want. And, by extension, so can anybody else! Once the signature is gone, nothing in the file proves who produced it or that it wasn't altered on the way to you, so obtain the metadata over a trusted channel, check the certificates and endpoints it contains, and keep a record of exactly what you changed before importing it.

To repeat: Use at your own risk as there may be security implications.
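The procedure above, stripping the "ds:Signature" element and then fixing the non-HTTPS endpoints, as an added worked example in Python using only the standard library. This is not code from the original post; the sample metadata is constructed for illustration (its digest and signature values are placeholders, not a real signature), and the function names are the example's own. It deliberately does not verify the signature before removing it, which is exactly the point of the post; the fingerprint helper is there so you can compare the edited file with the sender out of band, since after this step the file itself no longer proves anything.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata and in XML Signature (XMLDSig).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep the md:/ds: prefixes on output

DS_SIGNATURE = "{%s}Signature" % NS["ds"]

# Constructed sample (not real metadata): a signed SP metadata file whose
# AssertionConsumerService is served over plain http. The DigestValue and
# SignatureValue are placeholders, not a genuine signature.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com/saml">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Parse metadata text into an ElementTree root element."""
    return ET.fromstring(xml_text)


def find_signatures(root):
    """Every ds:Signature element anywhere in the document (EntityDescriptor,
    EntitiesDescriptor or a role descriptor may each carry one)."""
    return list(root.iter(DS_SIGNATURE))


def strip_signatures(root):
    """Delete each ds:Signature element together with everything nested in it
    (SignedInfo, SignatureValue, KeyInfo ...). Returns the number removed.
    ElementTree elements do not know their parent, so build a parent map first."""
    parent_of = {child: parent for parent in root.iter() for child in parent}
    sigs = find_signatures(root)
    for sig in sigs:
        parent_of[sig].remove(sig)
    return len(sigs)


def http_locations(root):
    """(tag, Location) for every endpoint still advertised over plain http."""
    return [(el.tag, el.get("Location")) for el in root.iter()
            if (el.get("Location") or "").startswith("http://")]


def upgrade_locations_to_https(root):
    """Rewrite http:// endpoint Locations to https://. Returns [(old, new), ...].
    Only do this if the SP really does answer on https at the same path."""
    changed = []
    for el in root.iter():
        loc = el.get("Location")
        if loc and loc.startswith("http://"):
            new = "https://" + loc[len("http://"):]
            el.set("Location", new)
            changed.append((loc, new))
    return changed


def fingerprint(text):
    """SHA-256 of the file text, to be compared out of band with the sender,
    since the edited copy carries no signature of its own."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def prepare_for_import(xml_text):
    """The post's procedure end to end: drop the signature, then fix endpoints.
    Returns (edited_xml_text, signatures_removed, endpoints_changed)."""
    root = parse_metadata(xml_text)
    removed = strip_signatures(root)
    changed = upgrade_locations_to_https(root)
    return ET.tostring(root, encoding="unicode"), removed, changed


if __name__ == "__main__":
    print("original fingerprint:", fingerprint(SAMPLE_METADATA))
    edited, removed, changed = prepare_for_import(SAMPLE_METADATA)
    print("signatures removed:", removed)
    for old, new in changed:
        print("endpoint", old, "->", new)
    print("edited fingerprint:", fingerprint(edited))
    print(edited)
```

Run it as a script and it prints the edited metadata ready for import, with the fingerprints of both versions. Note that the edited file still declares the "ds" namespace only if something uses it; after stripping, nothing does, so ElementTree drops it, which is harmless.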

Enjoy!


1 comment:

smartin said...

Once you have removed the Signature and made the changes, you can sign the metadata again; use this tool for that:
https://www.samltool.com/sign_metadata.php

Or you can create your own SP metadata with this tool:
https://www.samltool.com/sp_metadata.php