1

SAML 2.0 config - How to change endpoints in metadata XML file

Apr 09 at 01:10 PM

64


Hello,

After configuring SAML 2.0 authentication on our ERP system, I realized that I needed to create a new virtual host, under which my SAML-protected services and aliases would sit. I created a new domain name for this virtual host, saml2.host.domain.edu.

My problem now is that my ADFS admin requested that I re-create the service provider metadata XML file to reflect the new endpoints. I have not determined how to do this. In the browser-based SAML2 configuration screens, I do not find a way to indicate which endpoints to use.

Any help is much appreciated.

Best regards,
Jill


2 Answers

Best Answer
Jill Diesman Apr 25 at 02:57 PM
0

Rather than switch over to using a proxy or Web Dispatcher, I did the following:

  1. Under my new Virtual Host, saml2_host, I copied all of the services related to SAML2 Configuration, making sure to check the Handler List for each service.

  2. Under my new Virtual Host, saml2_host, I created a new External Alias: "/sap/saml2". This External Alias is based off the one by the same name under default_host. I selected its "Trg Element" as saml2_host > sap > public > bc > sec > saml2.

  3. In my browser, I called up the SAML2 configuration using the URL with my new domain name: https://saml2.host.domain.edu/sap/bc/webdynpro/sap/saml2?sap-client=&sap-language=EN

  4. From here I was able to download the service provider metadata XML file, which I then passed along to my colleague managing the Identity Provider side of things.

I hope this solution might be of use to others.

Cheers,
Jill


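Both the accepted answer above and the reply further down rest on the same point: the endpoint URLs written into the service provider metadata are derived from the host used to open the SAML2 configuration page, so the regenerated file should be checked before it is handed to the identity provider team. The following is an added example, not code from this thread or from SAP: it parses a SAML 2.0 SP metadata document and reports every AssertionConsumerService / SingleLogoutService (and related) endpoint whose host is not the expected virtual host or that is not served over https. The two metadata documents it runs against are constructed for the example, with illustrative `/sap/saml2/sp/...` paths and an assumed old host name `erp.host.domain.edu`; a real export also carries signing certificates and further attributes that are omitted here.

```python
"""Sanity-check the endpoints in a SAML 2.0 service-provider metadata file."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Endpoint elements an IdP will redirect or POST to (SAML 2.0 metadata schema).
ENDPOINT_TAGS = (
    "AssertionConsumerService",
    "SingleLogoutService",
    "ArtifactResolutionService",
    "ManageNameIDService",
)


def endpoint_locations(metadata_xml: str):
    """Return (element name, binding, URL) for every endpoint URL in the
    metadata, including ResponseLocation attributes where present."""
    root = ET.fromstring(metadata_xml)
    found = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(f"{{{MD_NS}}}{tag}"):
            for attr in ("Location", "ResponseLocation"):
                url = el.get(attr)
                if url:
                    found.append((tag, el.get("Binding", ""), url))
    return found


def endpoint_problems(metadata_xml: str, expected_host: str):
    """List (element, URL, reason) for endpoints that do not point at
    expected_host over https. An empty list means the file is consistent."""
    problems = []
    for tag, _binding, url in endpoint_locations(metadata_xml):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append((tag, url, "scheme is not https"))
        if parsed.hostname != expected_host.lower():
            problems.append((tag, url, f"host {parsed.hostname!r} != {expected_host!r}"))
    return problems


def _sample_metadata(host: str) -> str:
    """Constructed SP metadata (trimmed: no keys or signature). The paths are
    illustrative placeholders, not an actual SAP export."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="urn:example:sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://{host}/sap/saml2/sp/slo/001"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://{host}/sap/saml2/sp/acs/001"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed inputs: a file exported via the old default host, and the
# regenerated one exported via the new virtual host from the thread.
OLD_METADATA = _sample_metadata("erp.host.domain.edu")   # assumed old host
NEW_METADATA = _sample_metadata("saml2.host.domain.edu")
EXPECTED_HOST = "saml2.host.domain.edu"

if __name__ == "__main__":
    for label, doc in (("old export", OLD_METADATA), ("regenerated", NEW_METADATA)):
        issues = endpoint_problems(doc, EXPECTED_HOST)
        print(f"{label}: {len(issues)} problem(s)")
        for tag, url, reason in issues:
            print(f"  {tag}: {url} -> {reason}")
```

Run it against a downloaded metadata file by passing the file's contents to `endpoint_problems` with the new virtual host name; a non-empty result means the file was exported from the wrong host (or over plain http) and should be regenerated, as the answers above describe, before the IdP administrator imports it.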
Geferson Hess
Apr 09 at 07:31 PM
1

Hi Jill,

To generate the metadata file with the correct endpoints, it's necessary to access the SAML2 configuration page using the desired host:port.

KBA 2326063 explains it when a proxy is used.

Regards,


Hello Geferson,

Thank you for replying to my question. I will try this solution using our Web Dispatcher system.

And I am curious... Given that I have created a Virtual Host and am using a new domain name for it, would you say that using a proxy/web dispatcher is the required way to handle it?

Best regards,
Jill

0

Hi Jill,

No. The idea of the KBA is just to illustrate how you can get the correct entry points for the Metadata file.
The idea is to access the SAML service with the correct URL (in your case the Virtual Host one) and then generate the Metadata file.

Cheers.


1

Thank you for the clarification, Geferson.

Regards,
Jill

0