Configuration data exchange
If your partner’s deployment does not produce or consume a metadata file that conforms to SAML metadata specifications, you might need to exchange connection information manually. If the deployment does not use metadata, some common configuration details must be exchanged.
Identity provider (IdP) to service provider (SP)
If you are the IdP, your SP partner will need some or all of the following connection information, depending upon which profiles and bindings you configure:
- Unique ID—Identifies the IdP that issues an assertion or other SAML message. For SAML 2.0, the ID is the IdP entity ID; for SAML 1.x, it is the IdP issuer; for WS-Federation, it is the IdP realm.
  PingFederate also supports the optional use of virtual IDs. For more information, see Federation planning checklist.
- SOAP artifact resolution URL—The endpoint your site uses to receive an SP’s SOAP requests when the artifact binding is used.
- Single logout (SLO) service URL—The destination of SLO request messages.
- Single sign-on (SSO) service URL—The endpoint where you receive and process assertions.
SP to IdP
If you are the SP, your IdP partner will need some or all of the following connection information, depending upon which profiles and bindings you configure:
- Unique ID—Identifies the SP. For SAML 2.0, the ID is the entity ID; for SAML 1.x, it is the SP’s audience; for WS-Federation, it is the SP’s realm.
  PingFederate also supports the optional use of virtual IDs. For more information, see Federation planning checklist.
- SOAP artifact resolution service URL—The endpoint to use for SOAP requests when the artifact binding is used.
- Single logout service URL (SAML 2.0)—The destination of SLO request messages.
- Assertion consumer service URL—The location where the SP receives assertions.
- Target URLs—The URLs for the protected resources that a user is trying to access.
Mutual settings between parties
The parties must agree on the following settings together. These settings might include:
- Attributes—User information sent in an assertion. For more information, see User attributes.
- Signing certificates—The SAML and WS-Federation protocols specify a number of conditions, reflected in the PingFederate connection-setup windows, under which digital signatures might or might not be required.
- SOAP connection type and authentication style—For SAML connections that use the back channel, such as the artifact binding, HTTP Basic authentication, SSL client certificate authentication, digital signatures, or some combination of the three is required. You and your partner must exchange the necessary credentials, certificates, and signing keys.
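The items in the IdP-to-SP and SP-to-IdP checklists above map directly onto elements of a SAML 2.0 metadata document, which is what a partner would hand over when metadata exchange is possible. The following added example (not PingFederate code) parses a partner's metadata and pulls out exactly those items: the unique ID (entityID), the signing certificate, the SOAP artifact resolution URL, the SLO URL, and the SSO or assertion consumer service URL. It then reports which checklist items are still missing for the bindings you intend to use, so you know what must be exchanged manually. The two metadata documents, the `.example.test` hosts and the certificate value are constructed placeholders; the `use_artifact` and `use_slo` flags are this example's own assumptions about which profiles were chosen.

```python
"""Extract SAML 2.0 connection details from partner metadata (added example, not PingFederate code)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata: hosts and certificate are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/saml/ars" index="0"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata; it deliberately omits a SingleLogoutService.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(role, tag):
    """Return {binding: location} for every <md:tag> element under a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in role.findall(f"md:{tag}", NS)}


def extract_connection_info(metadata_xml):
    """Map a SAML 2.0 EntityDescriptor onto the manual-exchange checklist items."""
    # Partner metadata is untrusted input. The stdlib parser is used here to keep the
    # example dependency-free; in production, parse with a hardened XML parser.
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("no IdP or SP role descriptor found")
    info = {"entity_id": root.get("entityID"), "role": "idp" if idp is not None else "sp"}
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
    info["signing_certs"] = [
        (c.text or "").strip()
        for kd in role.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    info["artifact_resolution"] = _endpoints(role, "ArtifactResolutionService")
    info["slo"] = _endpoints(role, "SingleLogoutService")
    if info["role"] == "idp":
        info["sso"] = _endpoints(role, "SingleSignOnService")
    else:
        info["acs"] = _endpoints(role, "AssertionConsumerService")
    return info


def missing_for_bindings(info, use_artifact, use_slo):
    """List checklist items the metadata does not supply for the chosen profiles (assumed flags)."""
    missing = []
    if not info["entity_id"]:
        missing.append("unique ID (entityID)")
    if not info["signing_certs"]:
        missing.append("signing certificate")
    if use_artifact and SOAP not in info["artifact_resolution"]:
        missing.append("SOAP artifact resolution URL")
    if use_slo and not info["slo"]:
        missing.append("single logout service URL")
    if info["role"] == "idp" and not info.get("sso"):
        missing.append("SSO service URL")
    if info["role"] == "sp" and not info.get("acs"):
        missing.append("assertion consumer service URL")
    return missing


if __name__ == "__main__":
    for doc in (IDP_METADATA, SP_METADATA):
        details = extract_connection_info(doc)
        print(details["role"], details["entity_id"],
              "missing:", missing_for_bindings(details, use_artifact=True, use_slo=True))
```

Running the block shows the IdP document satisfying every item, while the SP document is reported as missing its single logout service URL, which is the item you would then have to obtain from the partner by other means. Target URLs for protected resources are not carried in SAML metadata and are always exchanged separately.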