Every now and then the question pops up: “how can I import InCommon metadata into PingFederate”?
InCommon distributes SAML 2.0 metadata of all participants in the InCommon federation in a flat file. The individual EntityDescriptors of participants are wrapped in an outer XML element named EntitiesDescriptor. Out-of-the-box PingFederate won’t be able to consume this EntitiesDescriptor because it only knows how to deal with a (single) EntityDescriptor at a time.
The good news is that PingFederate has a number of APIs that can be leveraged to get around this current limitation. It is not difficult to build a script that parses the individual EntityDescriptors out of the outer EntitiesDescriptor and pushes them one-by-one over the API as single entities (i.e. IDPs or SPs). A sample script that I wrote using the SOAP based Connection Management API can be found here:
Here’s a screenshot of how the Admin GUI screen looks after the import of 1653 SPs and 349 IDPs from InCommon:
And yes, this script works against arbitrary EntitiesDescriptors, e.g. the ones from the UK Access Federation or the Dutch SURFconext.
But there’s more: recently PingFederate has been extended with an Admin REST API. The REST API is even simpler to deal with than the SOAP API. As of today it only handles IDP connections, but that functionality can already be used by an SP to process the InCommon metadata and e.g. update all of the certificates that have been replaced or renewed. In this way no manual update of key material is needed when IDPs roll over, add or remove signing certificates. The script can be found here:
So after importing or manually configuring a bunch of InCommon IDPs in PingFederate, the SP administrator can now run this script as a cronjob to automatically incorporate changes that the configured IDPs make to their signing keys.
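The two metadata-side steps described above, splitting the aggregate into single EntityDescriptors and detecting which configured IDPs changed their signing certificates, share the same parsing work, so here is one added example that covers both. It is not the author's script and does not call the PingFederate SOAP or REST API; it stops at producing the per-entity XML and the certificate diff that such a call would act on. The sample aggregate and the "currently configured" state are constructed for the example, and the certificate bodies are placeholders. It assumes the aggregate has already been fetched and its XML signature verified, since a script that pushes whatever the aggregate says into a federation server should only ever run on metadata whose signature checks out. Because `iter()` walks nested elements, it also flattens aggregates that nest EntitiesDescriptors, which goes beyond the flat InCommon file the post discusses.

```python
"""Added example (not the author's script): split a SAML metadata aggregate
into single EntityDescriptors and diff each IDP's signing certificates
against what is configured locally.  The aggregate is assumed to have been
fetched and signature-verified before it reaches this code."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)  # keep the usual prefixes in the split-out XML
ET.register_namespace("ds", DS)

# Constructed sample aggregate: one IDP with two signing certs, one SP.
# The certificate bodies are placeholders, not real key material.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIC...OLDCERT
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...NEWCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...SPENC</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def split_entities(aggregate_xml):
    """Yield (entityID, roles, standalone_xml) for every EntityDescriptor.

    iter() descends into nested EntitiesDescriptor elements as well, so a
    hierarchically grouped aggregate is flattened into single entities.
    """
    root = ET.fromstring(aggregate_xml)
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        roles = []
        if ed.find(f"{{{MD}}}IDPSSODescriptor") is not None:
            roles.append("IDP")
        if ed.find(f"{{{MD}}}SPSSODescriptor") is not None:
            roles.append("SP")
        yield ed.get("entityID"), roles, ET.tostring(ed, encoding="unicode")


def signing_certs(entity_xml):
    """Return the set of signing certificates (base64 with whitespace removed).

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption under the SAML metadata spec, so it counts as a signing key.
    """
    ed = ET.fromstring(entity_xml)
    certs = set()
    for kd in ed.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.add("".join((cert.text or "").split()))
    return certs


def cert_changes(aggregate_xml, configured):
    """Compare locally configured IDP signing certs with the current aggregate.

    configured: {entityID: set_of_signing_certs} as stored on the SP side.
    Returns (changes, missing): changes maps entityID -> (added, removed) for
    configured IDPs whose certs differ; missing holds configured entityIDs that
    no longer appear in the aggregate, which deserves an alert rather than a
    silent deletion.
    """
    seen = set()
    changes = {}
    for entity_id, roles, xml in split_entities(aggregate_xml):
        if entity_id not in configured or "IDP" not in roles:
            continue
        seen.add(entity_id)
        current = signing_certs(xml)
        added = current - configured[entity_id]
        removed = configured[entity_id] - current
        if added or removed:
            changes[entity_id] = (added, removed)
    return changes, set(configured) - seen


if __name__ == "__main__":
    # Constructed local state: the IDP is still configured with only its old cert,
    # and one configured IDP has left the federation.
    configured = {"https://idp.example.edu/idp": {"MIIC...OLDCERT"},
                  "https://gone.example.net/idp": {"MIIC...GONE"}}
    for entity_id, roles, _ in split_entities(SAMPLE_AGGREGATE):
        print(entity_id, roles)
    changes, missing = cert_changes(SAMPLE_AGGREGATE, configured)
    print("changes:", changes)
    print("missing:", missing)
```

In a cron-driven version, each `(added, removed)` pair is what gets pushed to the IDP connection over the API, while anything in `missing` is better logged for a human than auto-deleted, since a partner vanishing from the aggregate can also be a publishing mistake on the federation side.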
In summary, these APIs and scripts allow for scaling up federation to large numbers of partners by automating maintenance tasks, and last but not least, it will make federation administrators sleep a lot better…