"Error reading the WS-Federation metadata document" with .NET metadata import tool

  • 7015929
  • 27-Nov-2014
  • 05-May-2016

Environment

NetIQ Access Manager Identity Server acting as WS-Federation Identity Server
NetIQ Access Manager 3.2
NetIQ Access Manager 4.x
.NET WS-Federation Service Provider application

Situation

A .NET WS-Federation Service Provider wants to federate with the NAM STS/WS-Federation Identity Provider. On the .NET side, a utility exists to import the STS metadata. When this tool is pointed at the NAM /nidp/wsfed/metadata URL, the following error is generated while the metadata is processed:

ID1013: Could not access the server hosting the WS-Federation metadata document
ID1089: Error  reading the WS-Federation metadata document. Address https://login.netiq.com/nidp/wsfed/metadata generated error ID3260: The root element of the metadata document must be either an EntityDescriptor or an EntitiesDescriptor.

Resolution

You must manually change the namespaces and add the RoleDescriptor element (typed as fed:SecurityTokenServiceType) for WS-Federation. Here is sample metadata that works; the X.509 certificates have been truncated:

<?xml version="1.0" encoding="UTF-8" ?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="ido-eFtv8TSIfMvh7eSKJWcJumacs" entityID="https://www.netiq.com/nidp/saml2/metadata">
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="www.netiq.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIFNTCCBB2gAwIBAgIHBCD2EATDVTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO
:
MxTuRNjArYt8hQDH24hF54TvFTEG5MjEQTI=</X509Certificate></X509Data></KeyInfo></KeyDescriptor><fed:TokenTypesOffered><fed:TokenType Uri="urn:oasis:names:tc:SAML:2.0:assertion"/><fed:TokenType Uri="urn:oasis:names:tc:SAML:1.0:assertion"/></fed:TokenTypesOffered><fed:ClaimTypesOffered><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>E-Mail Address</auth:DisplayName><auth:Description>The e-mail address of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Given Name</auth:DisplayName><auth:Description>The given name of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Name</auth:DisplayName><auth:Description>The unique name of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>UPN</auth:DisplayName><auth:Description>The user principal name (UPN) of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/CommonName" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Common Name</auth:DisplayName><auth:Description>The common name of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/EmailAddress" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>AD FS 1.x E-Mail Address</auth:DisplayName><auth:Description>The e-mail address of the user when interoperating with AD FS 1.1 or ADFS 
1.0</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/Group" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Group</auth:DisplayName><auth:Description>A group that the user is a member of</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/claims/UPN" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>AD FS 1.x UPN</auth:DisplayName><auth:Description>The UPN of the user when interoperating with AD FS 1.1 or ADFS 1.0</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Role</auth:DisplayName><auth:Description>A role that the user has</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Surname</auth:DisplayName><auth:Description>The surname of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>PPID</auth:DisplayName><auth:Description>The private identifier of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Name ID</auth:DisplayName><auth:Description>The SAML name identifier of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Authentication time stamp</auth:DisplayName><auth:Description>Used to display the time 
and date that the user was authenticated</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Authentication method</auth:DisplayName><auth:Description>The method used to authenticate the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Deny only group SID</auth:DisplayName><auth:Description>The deny-only group SID of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Deny only primary SID</auth:DisplayName><auth:Description>The deny-only primary SID of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Deny only primary group SID</auth:DisplayName><auth:Description>The deny-only primary group SID of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Group SID</auth:DisplayName><auth:Description>The group SID of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Primary group SID</auth:DisplayName><auth:Description>The primary group SID of the user</auth:Description></auth:ClaimType><auth:ClaimType 
Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Primary SID</auth:DisplayName><auth:Description>The primary SID of the user</auth:Description></auth:ClaimType><auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"><auth:DisplayName>Windows account name</auth:DisplayName><auth:Description>The domain account name of the user in the form of &lt;domain&gt;\&lt;user&gt;</auth:Description></auth:ClaimType></fed:ClaimTypesOffered><fed:SecurityTokenServiceEndpoint><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://www.netiq.com/nidp/wsfed/ep</wsa:Address></wsa:EndpointReference></fed:SecurityTokenServiceEndpoint><fed:PassiveRequestorEndpoint><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://www.netiq.com/nidp/wsfed/ep</wsa:Address></wsa:EndpointReference></fed:PassiveRequestorEndpoint></RoleDescriptor>
<AttributeAuthorityDescriptor ID="idDV1ilOGJ6HYzKsT0Icuc4No9Iag" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIFNTCCBB2gAwIBAgIHBCD2EATDVTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO

:
MxTuRNjArYt8hQDH24hF54TvFTEG5MjEQTI=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIFNTCCBB2gAwIBAgIHBCD2EATDVTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO

:
MxTuRNjArYt8hQDH24hF54TvFTEG5MjEQTI=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></KeyDescriptor><AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap"/><AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap"/><AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="https://www.netiq.com/nidp/saml2/assertion"/></AttributeAuthorityDescriptor><IDPSSODescriptor ID="idoW5s4TmIbSh8IyimfPCFApQ9Lls" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIFNTCCBB2gAwIBAgIHBCD2EATDVTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO

:
MxTuRNjArYt8hQDH24hF54TvFTEG5MjEQTI=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/></KeyDescriptor><KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>
MIIFNTCCBB2gAwIBAgIHBCD2EATDVTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMxEDAO

:
MxTuRNjArYt8hQDH24hF54TvFTEG5MjEQTI=
</ds:X509Certificate></ds:X509Data></ds:KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/></KeyDescriptor><ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap" index="0" isDefault="true"/><SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.netiq.com/nidp/saml2/slo" ResponseLocation="https://www.netiq.com/nidp/saml2/slo_return"/><SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap"/><SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.netiq.com/nidp/saml2/slo" ResponseLocation="https://www.netiq.com/nidp/saml2/slo_return"/><ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap"/><ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.netiq.com/nidp/saml2/rni" ResponseLocation="https://www.netiq.com/nidp/saml2/rni_return"/><ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.netiq.com/nidp/saml2/rni" ResponseLocation="https://www.netiq.com/nidp/saml2/rni_return"/><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.netiq.com/nidp/saml2/sso"/><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.netiq.com/nidp/saml2/sso"/><NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://www.netiq.com/nidp/saml2/soap"/></IDPSSODescriptor>
<Organization><OrganizationName xml:lang="en">pbnam4a.netiq.com</OrganizationName><OrganizationDisplayName xml:lang="en">pbnam4a.netiq.com</OrganizationDisplayName><OrganizationURL xml:lang="en">https://pbnam4a.netiq.com/nidp</OrganizationURL></Organization><ContactPerson contactType="other"/></EntityDescriptor>
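Before handing a hand-edited metadata document to the .NET import tool, it is useful to check it against the same structural rules the tool applies. The script below is an added example written for this TID; it is not NetIQ or Microsoft code. It re-implements, from the description above, the ID3260 root-element rule and the expectation of a RoleDescriptor whose xsi:type resolves to SecurityTokenServiceType in the WS-Federation namespace, and it also confirms the signing certificate and passive requestor endpoint that the working sample carries. The hostnames (idp.example.test), the placeholder certificate and the "wrong namespace" failure case are constructed for the example and are not what Access Manager emits.

```python
"""Pre-flight check for a WS-Federation metadata document before it is fed to
the .NET metadata import tool.  Added example for this TID, not NetIQ or
Microsoft code.  It re-implements the expectations the TID describes (the
ID3260 root-element rule, the fed:SecurityTokenServiceType RoleDescriptor,
signing certificate, passive requestor endpoint).  Samples are constructed."""
import io
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
FED_NS = "http://docs.oasis-open.org/wsfed/federation/200706"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
WSA_NS = "http://www.w3.org/2005/08/addressing"


def _parse(xml_text):
    """Parse and record every prefix -> URI binding seen.  ElementTree drops
    prefix bindings, but xsi:type is a QName string ("fed:...") that must be
    resolved against them.  Bindings are collected document-wide."""
    prefixes, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, prefixes


def check_wsfed_metadata(xml_text):
    """Return a list of problems; empty means the shape the importer needs."""
    problems = []
    root, prefixes = _parse(xml_text)
    # ID3260: root must be EntityDescriptor/EntitiesDescriptor in MD_NS.
    if root.tag not in ("{%s}EntityDescriptor" % MD_NS, "{%s}EntitiesDescriptor" % MD_NS):
        problems.append("ID3260: root element is %s, expected EntityDescriptor "
                        "or EntitiesDescriptor in %s" % (root.tag, MD_NS))
        return problems
    # The importer reads the RoleDescriptor whose xsi:type resolves to
    # SecurityTokenServiceType in the WS-Federation namespace.
    sts = None
    for rd in root.iter("{%s}RoleDescriptor" % MD_NS):
        prefix, _, local = rd.get("{%s}type" % XSI_NS, "").rpartition(":")
        if local == "SecurityTokenServiceType" and prefixes.get(prefix) == FED_NS:
            sts = rd
            break
    if sts is None:
        problems.append("no RoleDescriptor with xsi:type resolving to "
                        "{%s}SecurityTokenServiceType" % FED_NS)
        return problems
    if FED_NS not in sts.get("protocolSupportEnumeration", "").split():
        problems.append("protocolSupportEnumeration does not list WS-Federation")
    # The relying party needs the STS signing certificate to validate tokens.
    if not any(kd.get("use") == "signing"
               and kd.find(".//{%s}X509Certificate" % DS_NS) is not None
               for kd in sts.findall("{%s}KeyDescriptor" % MD_NS)):
        problems.append("no signing KeyDescriptor with an X509Certificate in the STS")
    # The passive (browser) endpoint the .NET application will redirect to.
    addr = sts.find("{%s}PassiveRequestorEndpoint/{%s}EndpointReference/{%s}Address"
                    % (FED_NS, WSA_NS, WSA_NS))
    if addr is None or not (addr.text or "").strip().startswith("https://"):
        problems.append("PassiveRequestorEndpoint missing or not an https URL")
    return problems


# Constructed sample in the shape of the TID's working metadata: placeholder
# certificate, example hostname, only the WS-Fed role kept.
GOOD_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/nidp/saml2/metadata">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIF...CERTIFICATE-PLACEHOLDER...</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
        <wsa:Address>https://idp.example.test/nidp/wsfed/ep</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>"""

# Constructed failure: wrong default namespace, the condition behind ID3260.
WRONG_NAMESPACE_METADATA = GOOD_METADATA.replace(
    'xmlns="urn:oasis:names:tc:SAML:2.0:metadata"', 'xmlns="urn:example:not-metadata"')

# Constructed failure: SAML-only entity with no WS-Fed RoleDescriptor.
SAML_ONLY_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/nidp/saml2/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

if __name__ == "__main__":
    for name, doc in [("good", GOOD_METADATA), ("wrong namespace", WRONG_NAMESPACE_METADATA),
                      ("saml only", SAML_ONLY_METADATA)]:
        print("%-15s %s" % (name, check_wsfed_metadata(doc) or "OK"))
```

Run it against the document you intend to import (read the file and pass its text to check_wsfed_metadata) and fix every reported item before retrying the .NET tool; an empty list means the root element, namespace and STS role match what the sample above provides. The prefix map is collected for the whole document rather than per element scope, which is sufficient for metadata of this shape but would need scoping for documents that rebind the same prefix to different URIs.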


Additional Information

The Cool Solutions article at https://www.netiq.com/communities/cool-solutions/integrating-net-application-access-manager-using-ws-federation/ also outlines the detailed steps required to integrate a .NET application with Access Manager.