Посібник користувача Скасувати

SAML in ColdFusion

Пошук

Останнє оновлення:

ColdFusion User Guide
Introduction to ColdFusion
Cloud Services in ColdFusion
Install ColdFusion
Use ColdFusion
Performance Monitoring Toolset
Adobe ColdFusion Builder extension for Visual Studio Code
Use ColdFusion Builder
Coldfusion API Manager
Configure and administer ColdFusion
CFML Reference
1. Introduction to CFML Reference
2. Reserved words and variables
3. ColdFusion tags
  1. ColdFusion tags
  2. Tags in ColdFusion 10
  3. Tag summary
  4. Tags by function
  5. Tag changes since ColdFusion 5
  6. Tags a-b
  7. Tags c
  8. Tags d-e
  9. Tags f
  10. Tags g-h
  11. Tags i
  12. Tags j-l
  13. Tags m-o
  14. Tags p-q
  15. Tags r-s
  16. Tags t
  17. Tags u-z
4. ColdFusion functions
5. Ajax JavaScript functions
6. ColdFusion ActionScript functions
7. ColdFusion mobile functions
8. Application.cfc reference
9. Script functions implemented as CFCs
10. ColdFusion Flash Form style reference
11. ColdFusion event gateway reference
12. ColdFusion C++ CFX Reference
13. ColdFusion Java CFX reference
14. WDDX JavaScript Objects
Develop ColdFusion applications
1. Introducing ColdFusion
2. Changes in ColdFusion
3. Introduction to application development
4. The CFML programming language
5. Building blocks of ColdFusion applications
6. Develop CFML applications
7. Develop mobile applications
8. Access and use data
9. ColdFusion ORM
10. ColdFusion and HTML5
11. Flex and AIR integration in ColdFusion
12. Request and present information
13. Office file interoperability
14. ColdFusion portlets
15. Work with documents, charts, and reports
16. Use web elements and external objects
17. Use external resources

Overview

SAML is a standard that facilitates the exchange of security information. Developed by OASIS (Organization for the Advancement of Structured Information Standards), SAML is an XML-based framework. SAML enables different organizations (with different security domains) to securely exchange authentication and authorization information.

What drives SAML

Single Sign-On: Web applications rely on browser cookies to maintain the state of user authentication, so that a user needs to authenticate again when accessing the system. However, since browser cookies are never transmitted between DNS domains, the information in the cookies from one domain is never available to another domain. Therefore, web applications support Single Sign-On (SSO) to pass authentication across domains.

Federated identity: Federated identity management (FIM) is an agreement that is made between multiple enterprises to let subscribers use the same identification data to obtain access to all enterprise data. Identity federation links a user's identity across multiple security domains, each supporting its own identity management system. When two domains are federated, the user can authenticate to one domain and then access resources in the other domain without being involved in a separate login procedure.

Install SAML package

Before you use the SAML features, make sure the module is installed by running ColdFusion Package Manager.

Navigate to “<instance_home>/bin” and run “cfpm.bat/cfpm.sh”.

Type “install saml” to install the SAML package.

SAML Metadata Exchange

SAML workflows require a preqreuisite metadata exchange step between the Service Provider and the Identity Provider. This helps the two parties trust each other by agreeing on a common contract. The exchange makes the entities aware of each other's endpoints, certificates and binding support. Without this step, SSO and SLO workflows would simply not work.

Configure Service Provider

A SAML service provider is a system entity that receives and accepts authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML). In the SAML domain model, a SAML relying party is any system entity that receives and accepts information from another system entity.

In ColdFusion, all SAML 2.0 metadata are supported.

There are three entities involved in any SSO scenario

Principal – The principal is a usually a user requesting some sort of service from an application
Service Provider – This could be any application(web/ColdFusion) that provides one/multiple services to users, but they first need to be authenticated to avail these services
Identity Provider – The Identity Provider acts as an instrument of trust. The user is authenticated to the Identity Provider. The Service Provider contacts the Identity Provider to know the authentication and authorization state of the user.

To add a Service Provider (SP), in ColdFusion Administrator, navigate to Security > SP Configuration.

Field	Description
Name	Name of the Service Provider configuration to be configured.
Description	Description of the SP.
Entity Id	A unique identifier for the SP. Each instance of SP must have a different Entity Id.
ACS (Assertion Consumer Service) URL	The location where the SAML assertion is sent. This is often referred to as SAML ACS URL for your application.
ACS Binding	The SAML response is prepared according to the configuration provided by Identity Provider, encoded to base 64 string and loaded into the request based on this configuration. The HTTP-Redirect binding inserts the base 64 encoded string into the URL, while the HTTP-POST binding inserts the base 64 encoded string as a hidden FORM element. Takes the value “REDIRECT”/”POST".
SLO URL	The location where the logout response needs to be sent.
SLO Binding	Defines how the various protocol messages are to be exchanged between the SP and the IDP. Takes the value “REDIRECT”/”POST”
Sign Requests	Enable to sign requests from the SP with the private key.
Want Assertions Signed	Indicates whether the SP wants the Assertion response from the IDP to be signed.
Logout Response Signed	Enable to sign the logout response to be sent from the SP
Signing KeyStore Path	Path of the KeyStore that you had created with private/public keypair
Signing KeyStore Password	Password of the KeyStore.
Signing KeyStore Alias	Alias of entry in the KeyStore.
Request Store	Request store helps match outgoing requests and incoming responses with the Identity Provider to help protect against Replay Attacks. SAML requests can be tracked using one of the following storage methods. Default option stores requests in a cache called samlcache configurable in <instance_home>/lib/auth-ehcache.xml Redis - Redis can be set as the store if redis is already configured with ColdFusion and session management is enabled at the application level. Cache - Uses the cache specified in the caching properties of the application. Defaults to server wide caching engine if application level caching option is not found. ColdFusion has been using EHCache for replay attack, but it makes it difficult in cluster, when you have to go edit the XML for all the instances. The second option is cache. After installing caching module, you can specify server level cache in ColdFusion administrator. As well as in Application.cfc we can specify caching settings. If cache option is selected, we will use those cache settings to store And the last option is Redis. If you have configured Redis session storage in ColdFusion Admin it will use that setting. Redis is used because all instances will point to one Redis so cluster scenario is easy The Request Store option can be provided in Admin page or using Application.cfc by specifying the property “REQUESTSTORE” while adding SP. It takes values of "Cache" and "Redis" For example, this.security.samlsettings.sp = [{ name: 'sp1', entityId: 'admin1', acsURL: 'http://localhost:89/App1/response.cfm', sloURL: 'http://localhost:89/App1/logout.cfm', ACSBINDING: 'post', SLOBINDING: 'post', SIGNREQUESTS: true, WANTASSERTIONSSIGNED: true, LOGOUTRESPONSESIGNED: true, SIGNKEYSTOREPATH: 'C:/okta.p12', SIGNKEYSTOREPASSWORD: 'abcdef', SIGNKEYSTOREALIAS: 'selfsigned', REQUESTSTORE: 'Redis' }];

Configure Identity Provider

The SAML Service Provider needs to know the details of the Identity Provider. This can be taken as input from the user, or it can be imported from raw xml file. The IDP metadata describes the format the Identity Provider expects messages from the Service Provider. Some IDPs are configurable and flexible to support multiple bindings/configurations. But some might have only limited implementations in which case this metadata would tell the Service Provider exactly what format to adhere to.

To add an Identity Provider, in ColdFusion Administrator, navigate to Security > IDP Configuration.

Field	Description
Name	Specify the name of the Identity Provider to be created.
Description	Description of the Identity Provider.
Entity Id	A uniquely identifiable identifier for the IDP. Each instance of IDP must have a different entity ID.
SSO URL	The URL which points to the SSO service of the IDP.
SLO URL	The URL which points to the SSO logout service of the IDP
SSO Binding	Takes the value “REDIRECT”/”POST” as explained below.
SLO Binding	Takes the value “REDIRECT”/”POST” as explained below.
POST binding	The SAML request is prepared, encoded to base 64 string and loaded into a HTML form as one of the form input fields. You can provide any template path which has a form using the “template” parameter in functions InitSAMLAuthRequest / InitSAMLLogoutRequest. Refer cfinstance/wwwroot/WEB-INF/saml/login.cfm for an example
REDIRECT binding	The SAML request is prepared, encoded into a base 64 string and is loaded into the URL as a query parameter.
Sign Requests	Enable this option if you want the request to be signed.
Encrypt Requests	Enable this option if you want the request to be encrypted.
Sign Certificate and Encrypt Certificate	Create your own certificate using, for example, keytool, and upload it to CF Administrator.

Import Identity Provider configuration

You can import the SAML metadata in one of the four ways:

Import from SAML URL
Import from an existing SAML definition
Import from XML file in local system
Create your own SAML definition

SSO requests

Now that you've configured both the IdP and SP, you can initiate the SSO workflows. Call InitSAMLAuthRequest function.

<cfset config = {

idp = {name = “testidp”},

sp = {name = “testsp”},

relayState = “cart”

<cfset InitSAMLAuthRequest(config)>

Once you authenticate, the IdP then responds with a set of assertions which include your identity as well as roles/grants that may have been configured for the given user. These can be extracted using the ProcessSAMLResponse function below:

<cfset response = ProcessSAMLResponse(“testidp”,”testsp”)>

<cfdump var = “#response#”>

SLO requests

Single Logout requests are similar to SSO requests. Call the InitSAMLLogoutRequest function with the details received during login like sessionindex, nameId and nameIdFormat.

These are dependent upon the IdP which sometimes also require the nameIdQualifier and spNameIdQualifier fields.

<cfset config = {

idp = {name = “testidp”},

sp = {name = “testsp”},

sessionindex = “#response.SESSIONINDEX#”,

nameId = “#response.NAMEID#”,

nameIdFormat = “#response.NAMEIDFORMAT#”

<cfset InitSAMLLogoutRequest(config)>

You will be redirected to the IdP which will try to process your Logout Request. The response returned from the IdP will contain a Boolean value which tells us whether the logout at the IdP was successful or not. This can be extracted using the same ProcessSAMLResponse function.

<cfset response = ProcessSAMLResponse(“testidp”,”testsp”)>

<cfdump var = “#response#”>

Application.cfc

You can also configure the SP and IdP settings via Application.cfc. For example,

component { 
    this.name = 'sampleApp'; 
    this.security.samlsettings.idp = [ 
    { 
        name: 'idpt', 
        entityID: 'http://www.linktoentityid.com', 
        ssoURL: 'https://entityid.com/sso/saml', 
        sloURL: 'https://entityid.com/slo/saml', 
        ssoBinding: 'POST', 
        sloBinding: 'REDIRECT', 
        signMessage: true, 
        signrequests: true, 
        encryptrequests: false, 
        signcertificate: 'ABCDEF...'          
    } 
    ] 
    this.security.samlsettings.sp = [ 
    { 
  name: 'spt', 
        entityId: 'admin', 
        acsURL: 'http://localhost:8500/response.cfm', 
  sloURL: 'http://localhost:8500/logout.cfm', 
  acsbinding: 'POST', 
  slobinding: 'REDIRECT', 
  signrequests: true, 
  wantassertionssigned: true, 
  logoutresponsesigned: true, 
  signkeystorepath: 'C:\ColdFusion\cfusion\lib\okta.p12', 
  signkeystorepassword: 'abcdef', 
  signkeystorealias: 'selfsigned', 
        requeststore: 'redis' 
 } 
    ] 
}

SAML ColdFusion APIs

InitSAMLAuthRequest

Initiates the login process with IDP.

Syntax

InitSAMLAuthRequest(options)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service Provider.
relayState	A string token that is attached with the request. On succesful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.
template	The location of a template that can be used as an intermediate loading page before redirection to the IDP takes place. Valid only for POST bindings.
lifetime	The time that the SAML request must be entertained while waiting for the response from the IDP.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.relaystate = "page"> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<!--- Specify the name of the idp added through ColdFusion admin page or Application.cfc ---> 
<cfset struct1.sp = StructNew()> 
<!--- Give the name of the sp added through ColdFusion admin page or Application.cfc ---> 
<cfset struct1.sp.name = "sp1"> 
<cfdump var="#struct1#"> 
<cfscript> 
 InitSAMLAuthRequest(struct1); 
</cfscript>

GetSAMLAuthRequest

Returns a representation of what the XML Authorization request looks like.

Syntax

GetSAMLAuthRequest(options)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service provider.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset authreq=XmlParse("#GetSAMLAuthRequest(struct1)#")> 
<cfdump var="#authreq#">

ProcessSAMLResponse

Verify the integrity of the SAML response from the server.

Syntax

ProcessSAMLResponse(idp, sp)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service provider.

Example

The response struct returned by ProcessSAMLResponse contains the following important fields:

SSO response

AUTHENTICATED - A boolean value that tells us if the user was successfully authenticated at the IdP
NAMEID - The username (or) email used for authentication
NAMEIDFORMAT - Describes the format of the NAMEID field for further processing
ATTRIBUTES - A list of attributes configured with the user at the IdP. May include First Name, Last Name, Permissible roles, etc
RELAYSTATE - A string token that is attached with the request. On succesful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.

Example

<cfset RespStruct = "#ProcessSAMLResponse("idp1", "sp1")#"> 
<cfdump var="#RespStruct#"> 
<cfif RespStruct.AUTHENTICATED> 
<cflogin> 
<cfloginuser name="#RespStruct.NAMEID#" password="" roles="#ArrayToList(RespStruct.ATTRIBUTES)#"> 
</cflogin> 
</cfif>

SLO response

SUCCESSFULLOGOUT - A boolean value that indicates whether the user's global session at the IdP was successfully destroyed

InitSAMLLogoutRequest

Initiates the logout process with IDP.

Syntax

InitSAMLLogoutRequest(options)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service Provider.
relayState	A string token that is attached with the request. On succesful authentication with the IdP, this token is sent back in the SAMLResponse so that the user can be redirected to any page once authentication is done.
template	The location of a template that can be used as an intermediate loading page before redirection to the IDP takes place. Valid only for POST bindings.
lifetime	The time that the SAML request must be entertained while waiting for the response from the IDP.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset struct1.lifetime = 600> 
<cfset struct1.relaystate = "page"> 
<cfscript>      
 InitSAMLLogoutRequest(struct1); 
</cfscript>

GetSAMLLogoutRequest

Returns a representation of what the XML Authorization request looks like.

Syntax

GetSAMLLogoutRequest(options)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service provider.

Example

<cfset struct1 = StructNew()> 
<cfset struct1.idp = StructNew()> 
<cfset struct1.idp.name = "idp1"> 
<cfset struct1.sp = StructNew()> 
<cfset struct1.sp.name = "sp1"> 
<cfset authreq=XmlParse("#GetSAMLLogoutRequest(struct1)#")> 
<cfdump var="#authreq#">

isSamlLogoutResponse

Returns TRUE if it is a SAML logout response.

Syntax

issamlLogoutResponse()

Example

<cfif isSAMLLogoutResponse()> 
<!--- dumping logout response---> 
<cfset struct2 = "#ProcessSAMLResponse()#"> 
<cfdump var="#struct2#">

isSamlLogoutRequest

Returns TRUE if it is a SAML logout response.

Syntax

isSamlLogoutRequest()

Example

<cfif isSamlLogoutRequest()> 
<!--- dumping logout request---> 
<cfset struct3 = "#ProcessSAMLLogoutRequest("logout2", "sp2")#"> 
<cfdump var="Logging out in App2" output="console"> 
<cfdump var="#struct3#" output="console"> 
<cfset SendSAMLLogoutResponse(#struct3.SESSIONINDEX#)>

SendSAMLLogoutResponse

This function sends the response back to the IDP.

Syntax

SendSAMLLogoutResponse(sessionIndex, idp, sp)

Parameters

sessionIndex	Uniquely identify the session being closed.
idp	Name of the Identity Provider.
sp	Name of the Service provider.

Example

<cfif isSamlLogoutRequest()> 
              <!--- dumping logout request---> 
              <cfset LogReq = "#ProcessSAMLLogoutRequest("idp1", "sp1")#"> 
<cfdump var="#LogReq#"> 
              <cfset SendSAMLLogoutResponse(#LogReq.SESSIONINDEX#,"idp1", "sp1")> 
</cfif>

ProcessSAMLLogoutRequest

Once the request is received, this function returns a struct with the values- (NAMEID, NAMEIDFORMAT, NAMEIDQUALIFIER, NAMEIDSPQUALIFIER, SESSIONINDEX).

Syntax

ProcessSAMLLogoutRequest(idp,sp)

Parameters

idp	Name of the Identity Provider.
sp	Name of the Service provider.

Example

<cfif isSamlLogoutRequest()> 
    <!--- dumping logout request---> 
     <cfset LogReq = "#ProcessSAMLLogoutRequest("idp1", "sp1")#"> 
    <cfdump var="#LogReq#"> 
    <cfset SendSAMLLogoutResponse(#LogReq.SESSIONINDEX#,"idp1", "sp1")> 
</cfif>

GenerateSAMLSPMetadata

This function creates the metadata for SAML Service Provider.

Syntax

GenerateSAMLSPMetadata()

Example

<cfset struct1 = StructNew()> 
<cfset struct1.entityid = "generated_sp_id"> 
<cfset struct1.acsurl = "http://localhost:8500/acsurl.cfm"> 
<cfset struct1.slourl = "http://localhost:8500/slourl.cfm"> 
<cfscript> 
    sp = GenerateSAMLSPMetadata(struct1); 
</cfscript> 
<cfdump var="#sp#">

SAML Admin APIs

AddIdpMetadata

Adds an Identity Provide configuration.

Parameters

alias: string, required, alias - Alias for the Identity Provider
url: string, optional, url - URL to import the metadata from
file: string, optional, file - File to import the metadata from
rawxml: string, optional, rawxml - Raw xml to import the metadata from
description: string, optional, description
entityid: string, optional, entityid - Unique Entity ID of the Identity Provider
ssourl: string, optional, ssourl - Single Sign On URL of the Identity Provider
ssobinding: string, optional, ssobinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)
slourl: string, optional, slourl - Single Logout Service URL of the Identity Provider
slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)
logoutresponseurl: string, optional, logoutresponseurl - URL to redirect to after a logout request is received from the Identity Provider
signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Identity Provider (Default false)
encryptrequests: boolean, optional, encryptrequests - Flag that indicates whether responses are encrypted by the Identity Provider (default false)
signcertificate: string, optional, signcertificate - X509 certificate used for signing
encryptcertificate: string, optional, encryptcertificate - X509 certificate used for encryption

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
  
    // Instantiate the security object.  
  
    myObj = createObject("component","CFIDE.adminapi.security")  
 
    // Add metadata from URL  
    idpAlias="url"  
    idpMetadataUrl=”https://metadata-url/” 
 
    try{  
        myObj.addIdpMetadata(alias= idpAlias,url= idpMetadataUrl)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
 
 // Add metadata from file 
 
 idpAlias = “file” 
 idpMetadataFile = “/opt/metadata.xml” 
 
    try{  
        myObj.addIdpMetadata(alias= idpAlias,file= idpMetadataFile)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
 
    // Add raw metadata xml 
 
 idpAlias = “raw” 
 idpMetadataRaw = “<md:EntityDescriptor ......” 
 
    try{  
        myObj.addIdpMetadata(alias= idpAlias,rawxml= idpMetadataRaw)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
// Add metadata manually 
 
idpAlias = “manual” 
 idpSsoUrl = “http://idp.com/sso” 
 idpEntityId = “entity1” 
 
    try{  
        myObj.addIdpMetadata(alias= idpAlias,ssourl= idpSsoUrl, entityid = idpEntityId)  
        writeOutput("IDP Metadata added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>

AddSpMetadata

Adds a Service Provider configuration.

Parameters

alias: string, required, alias - Alias for the Service Provider
description: string, optional, description
entityid: string, required, entityid - Unique Entity ID of the Service Provider
acsurl: string, required, acsurl - Assertion Consumer Service URL of the Service Provider
acsbinding: string, optional, acsbinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)
slourl: string, optional, slourl - Single Logout Service URL of the Service Provider
slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)
signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Service Provider
wantassertionssigned: boolean, optional, wantassertionssigned - Flag that indicates whether Identity Provider should sign assertions
logoutresponsesigned: boolean, optional, logoutresponsesigned - Flag that indicates whether Identity Provider should sign logout requests
signkeystorepath: string, optional, signkeystorepath - Path to the keystore file to be used for signing
signkeystorepassword: string, optional, signkeystorepassword - Password of the keystore file to be used for signing
signkeystorealias: string, optional, signkeystorealias - Alias of the entry in the keystore
signmetadata: boolean, optional, signmetadata - Indicates whether to sign the metadata while exporting

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
  
    // Instantiate the security object.  
  
    myObj = createObject("component","CFIDE.adminapi.security")   
  
    // setting up parameter values  
    spAlias="spAlias"  
    spDescription="sp description"   
    spEntityid="abc"   
    spAcsbinding="POST"   
    spAcsurl="http://localhost:8500/acsurl.cfm"  
  
    try{  
        myObj.addSpMetadata(alias = spAlias,  
                           description = spDescription,  
                           entityid = spEntityid,  
                           acsbinding = spAcsbinding,  
                           acsurl = spAcsurl)  
        writeOutput("SP added successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>

DeleteIdpMetadata

Deletes an Identity Provider configuration.

Parameters

alias: string, required, alias - Alias for the Identity Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
  
  
    // Instantiate the security object.  
  
  
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="myalias"  
    try{  
        myObj.deleteIdpMetadata(alias)  
        writeOutput("IDP deleted successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>

DeleteSpMetadata

Deletes a Service Provider configuration.

Parameters

alias: string, required, alias - Alias for the Service Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
  
    // Instantiate the security object.  
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    try{  
        myObj.deleteSpMetadata(alias)  
        writeOutput("SP deleted successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>

ExportSpMetadata

Exports the selected service provider configuration.

Parameters

alias: string, required, alias - Alias for the Service Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin"); 
   
    // Instantiate the security object.  
   
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    try{  
        myObj.ExportSpMetadata(alias)  
        writeOutput("SP exported successfully")  
    }  
    catch (any e){  
        writeDump(e)  
    }  
</cfscript>

Note: The exported SP Metadata gets stored by default in cfinstance/lib/saml folder.

GetIdpMetadata

Returns the service provider configuration for a given alias in a struct

Parameters

alias: string, required, alias - Alias for the Service Provider

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    spMetadataDetails=myObj.getSpMetadata(alias)  
    writeDump(spMetadataDetails)  
</cfscript>

GetSpMetadata

Returns the service provider configuration for a given alias in a struct.

Parameters

alias: string, required, alias - Alias for the Service Provider

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    alias="spAlias"  
    spMetadataDetails=myObj.getSpMetadata(alias)  
    writeDump(spMetadataDetails)  
</cfscript>

ModifyIdpMetadata

Modifies an already existing Identity Provider configuration.

Parameters

oldalias: string, required, oldalias - Alias for the existing Identity Provider configuration
newalias: string, required, newalias - New alias for the Identity Provider configuration
url: string, optional, url - URL to import the metadata from
file: string, optional, file - File to import the metadata from
rawxml: string, optional, rawxml - Raw xml to import the metadata from
description: string, optional, description
entityid: string, optional, entityid - Unique Entity ID of the Identity Provider
ssourl: string, optional, ssourl - Single Sign On URL of the Identity Provider
ssobinding: string, optional, ssobinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)
slourl: string, optional, slourl - Single Logout Service URL of the Identity Provider
slobinding: string, optional, slobinding - Binding to be used for Single Logout service (“REDIRECT” or “POST”)
logoutresponseurl: string, optional, logoutresponseurl - URL to redirect to after a logout request is received from the Identity Provider
signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Identity Provider
encryptrequests: boolean, optional, encryptrequests - Flag that indicates whether responses are encrypted by the Identity Provider
signcertificate: string, optional, signcertificate - X509 certificate used for signing
encryptcertificate: string, optional, encryptcertificate - X509 certificate used for encryption

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");  
   
    // Instantiate the security object.  
   
    myObj = createObject("component","CFIDE.adminapi.security")  
    oldalias="myalias"  
    newalias="newalias"  
    url="http://idp-url"  
    try{  
        myObj.modifyIdpMetadata(oldalias = oldalias, 
newalias = newalias, 
url = url)  
        writeOutput("IDP modified successfully")  
    }  
    catch(any e){  
        writeDump(e)  
    }  
</cfscript>

ModifySpMetadata

Modifies a Service Provider configuration.

Parameters

oldalias: string, required, oldalias - Old alias for the Service Provider
newalias: string, required, newalias - New alias for the Service Provider
description: string, optional, description
entityid: string, required, entityid - Unique Entity ID of the Service Provider
acsurl: string, required, acsurl - Assertion Consumer Service URL of the Service Provider
acsbinding: string, optional, acsbinding - Binding to be used for Single Sign On service (“REDIRECT” or “POST”)
slourl: string, optional, slourl - Single Logout Service URL of the Service Provider
slobinding: string, optional, slobinding - Binding to be used for Single Logout service(“REDIRECT” or “POST”)
signrequests: boolean, optional, signrequests - Flag that indicates whether responses are signed by the Service Provider
wantassertionssigned: boolean, optional, wantassertionssigned - Flag that indicates whether Identity Provider should sign assertions
logoutresponsesigned: boolean, optional, logoutresponsesigned - Flag that indicates whether Identity Provider should sign logout requests
signkeystorepath: string, optional, signkeystorepath - Path to the keystore file to be used for signing
signkeystorepassword: string, optional, signkeystorepassword - Password of the keystore file to be used for signing
signkeystorealias: string, optional, signkeystorealias - Alias of the entry in the keystore
signmetadata: boolean, optional, signmetadata - Indicates whether to sign the metadata while exporting

Example

<cfscript>  
    adminObj = createObject("component","cfide.adminapi.administrator");  
    adminObj.login("admin");   
 
    // Instantiate the security object.  
 
    myObj = createObject("component","CFIDE.adminapi.security")  
    oldalias="spAlias"  
    newalias="newalias"  
    acsurl = “http://sp.com” 
    entityid="http://entity-id-url/"  
    acsbinding="REDIRECT"  
    try{  
        myObj.modifySpMetadata(oldalias = oldalias, 
newalias = newalias, 
entityid = entityid, 
acsurl = acsurl, 
acsbinding = acsbinding) 
        writeOutput("SP modified successfully")  
    }  
    catch(any e){  
        writeDump(e)  
    }  
</cfscript>

Увійдіть до облікового запису