PingFederate Server

Importing IdP metadata

You can use the PingFederate administrative console to import and update identity provider (IdP) metadata.

About this task

If you are using one of the SAML protocols without a connection template, you can expedite the setup with one of the following actions:

  • Import a metadata file

  • Select a metadata URL

When you select a metadata URL, PingFederate also enables the automatic update option and checks the metadata periodically. If PingFederate detects changes in the partner’s signing certificates for digital signature verification, encryption key, or contact information, it updates the connection automatically. For better housekeeping, the update process removes verification certificates from the connection when the partner no longer maintains them in its metadata. In a clustered environment, PingFederate automatically replicates verification certificates and encryption key changes to all engine nodes. Offline engine nodes will also consume these changes as they restart and rejoin the cluster. If you prefer to update the connection manually, you can clear the Enable Automatic Reloading check box.

You can configure reload frequency at System → Protocol Metadata → Metadata Settings → Metadata Lifetime tab. The default reload frequency is daily.

We recommend that you turn on notifications for SAML metadata update events at System → Monitoring & Notifications → Runtime Notifications.

The notification message provides a list of the applicable items if the metadata contains changes that require additional configuration.

After creating the connection, you can add, remove, or change the metadata URL associated with the connection in the Metadata URL tab. In addition, you can toggle the Enable Automatic Reloading check box for the connection.

Using a metadata URL with automatic reloading streamlines the configuration process. For example, you can quickly establish a browser SSO connection to an InCommon-participating partner. For more information, see www.incommon.org/participants.
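The automatic reload described above compares the partner's current metadata with the copy held in the connection and applies differences in signing certificates, encryption keys and contact information. The following added example (not PingFederate code) performs that comparison on two constructed SAML IdP metadata documents, so that an administrator can review exactly what a reload would add or remove before accepting it; the entityID, certificate values and contact addresses are placeholders.

```python
# Added example (not PingFederate code): diff two SAML IdP metadata documents
# and report what an automatic metadata reload would change: signing
# certificates, encryption keys and contact information.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract(metadata_xml: str) -> dict:
    """Collect the items a reload compares from one EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata does not describe an IdP")
    keys = {"signing": set(), "encryption": set()}
    for kd in idp.findall("md:KeyDescriptor", NS):
        raw = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS)
        cert = "".join(raw.split())  # PEM body is usually line-wrapped; ignore whitespace
        # A KeyDescriptor with no 'use' attribute is valid for both purposes.
        for use in ((kd.get("use"),) if kd.get("use") else ("signing", "encryption")):
            keys[use].add(cert)
    contacts = {(c.get("contactType"), c.findtext("md:EmailAddress", "", NS))
                for c in root.findall("md:ContactPerson", NS)}
    return {"entity_id": root.get("entityID"), "contacts": contacts, **keys}

def diff_metadata(old_xml: str, new_xml: str) -> dict:
    """Return added/removed items per category, as a reload would apply them."""
    old, new = extract(old_xml), extract(new_xml)
    if old["entity_id"] != new["entity_id"]:
        raise ValueError("entityID differs: this is a different partner, not an update")
    return {k: {"added": sorted(new[k] - old[k]), "removed": sorted(old[k] - new[k])}
            for k in ("signing", "encryption", "contacts")}

def _idp_xml(signing_cert: str, enc_cert: str, email: str) -> str:
    """Constructed minimal IdP metadata; certificate values are placeholders."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {signing_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {enc_cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical"><md:EmailAddress>{email}</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

# Constructed sample: the partner rotated its signing certificate and changed its contact.
OLD_METADATA = _idp_xml("MIIBsigningOLD", "MIIBencryption", "ops@example.org")
NEW_METADATA = _idp_xml("MIIBsigningNEW", "MIIBencryption", "idp-admins@example.org")
```

Calling `diff_metadata(OLD_METADATA, NEW_METADATA)` lists the old signing certificate under `removed` and the new one under `added`, which is the same housekeeping the reload performs when it drops verification certificates the partner no longer publishes.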

Steps

  1. Follow the steps for the metadata medium you are using to import or update the metadata.

    Metadata file:

      1. On the Import Metadata tab, select the File option.

      2. Choose the metadata file, and then click Next.

         If the metadata contains multiple entries, select the desired partner from the Select Entity ID list and click Next.

         If the metadata file is digitally signed but the verification certificate is provided outside of the metadata, import the metadata verification certificate on the Import Certificate tab, and then click Next.

      3. On the Metadata Summary tab, review the signature information to evaluate the authenticity of the metadata.

    Metadata URL:

      1. On the Import Metadata tab, select the URL option.

      2. Select the metadata from the Metadata URL list.

         If the metadata you want is not shown in the list, click Manage Partner Metadata URLs. For more information, see Manage Partner metadata URLs.

      3. Optionally, clear the Enable Automatic Reloading check box to disable automatic update.

         A warning is displayed if you do not have runtime notifications enabled. To enable these notifications, go to System → Monitoring & Notifications → Runtime Notifications and select the Notification for SAML Metadata Update Events box.

      4. Click Load Metadata.

         If the metadata contains multiple entries, select the desired partner from the Select Entity ID list and click Next.

         If there is a digital signature error, click Manage Partner Metadata URLs to resolve the issue.

  2. Click Next.