The Liberty, SAML 1.1, and SAML 2.0 protocols contain pages for viewing and reimporting the metadata of the trusted providers. Only the SAML 1.1 protocol allows you to edit the metadata.
You might need to reimport a trusted provider’s metadata if you learn that it has changed. The metadata changes when you change the provider to use HTTPS rather than HTTP and when you change the certificate that it is using for SSL. The steps for reimporting the metadata are similar for Liberty and SAML protocols.
In the Administration Console, click > > > . Click the trusted provider, then click the tab. This page displays the current metadata the trusted provider is using.
To reimport the metadata:
Copy the URL in the providerID field (Liberty) or the entityID (SAML).
(SAML 1.1) Paste the URL to a file, click , copy the to the file, then click .
Click . Follow the prompts to import the metadata.
For the metadata URL, paste in the value you copied.
If your Administration Console is installed with your Identity Server, you need to change the protocol from HTTPS to HTTP and the port from 8443 to 8080.
Confirm the metadata certificates, then click , or for an identity provider, click .
(Identity Provider) Configure the card, then click .
For SAML 1.1, copy the value you saved into the .
Update the Identity Server.
You can review and confirm the certificate information for identity and service providers.
In the Administration Console, click > > > > > > . The following information is displayed for the certificates:
Subject: The subject name assigned to the certificate.
Validity: The first date the certificate was valid, and the date the certificate expires.
Issuer DN: The distinguished name of the Certificate Authority (CA) that created the certificate.
Algorithm: The name of the algorithm that was used to create the certificate.
Serial Number: The serial number that the CA assigned to the certificate.
Click if you are viewing the information, or click or if you are creating a provider.
Access Manager allows you to import metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers, so you can enter the metadata manually. The page for this is available if you clicked the option when you created the trusted provider.
In the Administration Console, click > > > > > . You can reimport the metadata (see Step 2) or edit it (see Step 4).
To reimport the metadata from a URL or text, click on the View page. The system displays the Create Trusted Identity Provider Wizard, which lets you obtain the metadata. Follow the on-screen instructions to complete the steps in the wizard.
Select either or , then fill in the field for the metadata.
To edit the metadata manually, click . Fill in the following fields as necessary:
Supported Version: Specifies the version of SAML that you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.
Provider ID: (Required) The SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.
In the metadata, this is the entityID value.
Source ID: The SAML Source ID for the trusted provider. The Source ID is a 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine the source of received SAML artifacts. If none is specified, the Source ID is auto-generated by using a SHA-1 hash of the site provider ID.
Metadata expiration: The date upon which the metadata is no longer valid.
SAML attribute query URL: The URL location where an attribute query is to be sent to the partner. The attribute query requests a set of attributes associated with a specific object. A successful response contains assertions that contain attribute statements about the subject. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.
In the metadata, this URL value is found in the AttributeService section of the metadata.
Artifact resolution URL: The URL location where artifact resolution queries are sent. A SAML artifact is included in the URL query string. The target URL on the destination site the user wants to access is also included on the query string. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.
In the metadata, this URL value is found in the ArtifactResolutionService section of the metadata.
To specify signing certificate settings, fill in the following fields:
Attribute authority: Specifies the signing certificate of the partner SAML 1.1 attribute authority. The attribute authority relies on the identity provider to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user. The attribute authority must know that the entity requesting the attribute has been authenticated to the system.
Identity provider: (Required) Appears if you are editing identity provider metadata. This field specifies the signing certificate of the partner SAML 1.1 identity provider. It is the certificate the partner uses to sign authentication assertions.
Click .
On the Identity Servers page, click to update the configuration.
Access Manager allows you to obtain metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers, so you can enter the metadata manually. The page for this is available if you clicked the option when you created the trusted provider.
For conceptual information about how Access Manager uses SAML, see Section B.0, Understanding How Access Manager Uses SAML.
In the Administration Console, click > > > > > . You can reimport the metadata (see Step 2) or edit it (see Step 3).
To reimport the metadata, click on the View page. Follow the on-screen instructions to complete the steps in the wizard.
To edit the metadata manually, click . Fill in the following fields:
Supported Version: Specifies which version of SAML you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.
Provider ID: (Required) Specifies the SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.
In the metadata, this is the entityID value.
Metadata expiration: Specifies the date upon which the metadata is no longer valid.
Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.
Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.
In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.
Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.
In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.
Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.
Click .
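As an added example (not Access Manager's own code), the following Python checks a trusted provider's metadata before you reimport it on either of the edit pages above: it reads the entityID and the AttributeService, ArtifactResolutionService and AssertionConsumerService locations the field descriptions refer to, derives the default Source ID the way the page states (SHA-1 of the provider ID; hashing its UTF-8 bytes is an assumption), and flags endpoints still on HTTP and metadata past its expiration date. The sample metadata and host names are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
# Endpoint elements the edit pages map to URL fields, plus SingleSignOnService.
ENDPOINTS = ("ArtifactResolutionService", "AttributeService",
             "AssertionConsumerService", "SingleSignOnService")

# Constructed sample: metadata for a hypothetical SAML 1.1 identity provider.
SAMPLE_METADATA = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test:8443/nidp/saml/metadata"
  validUntil="2030-01-01T00:00:00Z">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
  <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
   Location="https://idp.example.test:8443/nidp/saml/soap"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
   Location="http://idp.example.test:8080/nidp/saml/sso"/>
 </md:IDPSSODescriptor>
 <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
  <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
   Location="https://idp.example.test:8443/nidp/saml/soap"/>
 </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def source_id(provider_id):
    """Default Source ID per the page: SHA-1 of the provider ID, 20 bytes.
    Assumption: the ID is hashed as its UTF-8 bytes."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def summarize(xml_text, now=None):
    """Pull out the fields the edit page asks for and flag reimport issues."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    info = {"entityID": entity_id, "sourceID": source_id(entity_id).hex(),
            "endpoints": {}, "issues": []}
    for name in ENDPOINTS:
        locs = [e.get("Location", "") for e in root.iter("{%s}%s" % (MD, name))]
        if locs:
            info["endpoints"][name] = locs
        for loc in locs:  # endpoints should have moved to HTTPS before reimport
            if not loc.lower().startswith("https://"):
                info["issues"].append("%s is not HTTPS: %s" % (name, loc))
    valid_until = root.get("validUntil")  # the page's "Metadata expiration"
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= (now or datetime.now(timezone.utc)):
            info["issues"].append("metadata expired at " + valid_until)
    return info
```

Run it against metadata fetched from the provider's entityID URL and compare the extracted locations with the values shown on the View page before confirming the reimport.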