PingFederate Server

Exporting connection-specific SAML metadata

You can export metadata for any SAML browser single sign-on (SSO) connection to an XML file.

About this task

This is useful in a situation where you have already created a SAML browser SSO connection to your partner and the partner prefers consuming SAML metadata by file.

Steps

  1. Go to System → Protocol Metadata → Metadata Export.

  2. On the Metadata Role tab, select the applicable role, and click Next.

  3. On the Metadata Mode tab, select the Use a connection for metadata generation option.

    If the secondary HTTPS port is configured and you want to use it for the SOAP channel, select the Use the secondary port for SOAP channel check box.

    If certificate-based authentication is configured for the SOAP channel, you must configure the pf.secondary.https.port property in the <pf_install>/pingfederate/bin/run.properties file and select this check box.

  4. On the Connection Metadata tab, select the applicable SAML browser SSO connection from the list.

    Choose from:

    • Virtual Server ID

      If the selected connection contains two or more virtual server IDs, you must select the virtual server ID that you want to use during the export. The protocol endpoints in the metadata file are specific to the selected virtual server ID. If you decide to update the virtual server ID at a later time, re-export the connection metadata for your partners.

    • Virtual Host Name

      If PingFederate is configured with one or more virtual server host names, you can select the applicable virtual host name from the list. If a selection is made, PingFederate uses that virtual host name when generating the metadata file. If left blank, PingFederate uses its base URL in the metadata file. If you decide to update one or more virtual host names at a later time, re-export the connection metadata for your partners.

  5. On the Metadata Signing tab, select a certificate to use for signing the metadata XML file.

    a. Select a certificate from the Signing Certificate list.

      If you have not yet created or imported your certificate into PingFederate, click Manage Certificates and use the Certificate Management configuration wizard to complete the task.

    b. Select the related check boxes to include the public key information and the raw key in the signed XML file.

    c. Select a signing algorithm from the list.

      The default selection is RSA SHA256 or ECDSA SHA256, depending on the key algorithm of the chosen signing certificate. Make a different selection if you and your connection partner have agreed to use a stronger algorithm. For a list of the available signing algorithms and their URIs, see Signing algorithms.

  6. On the Export & Summary tab, click Export to save the metadata XML file, then click Done.

  7. Pass the metadata XML file to your partner.
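Before handing the exported file to a partner, it is worth checking that it actually carries a signature with the agreed algorithm, the certificate the partner needs to verify it, and endpoints for the intended virtual server ID. The following is an added example written for this page, not PingFederate code; it is a structural pre-flight check only (it does not cryptographically verify the XML signature), it assumes the agreed algorithms are the page's two defaults, and the sample metadata is constructed with placeholder signature values.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumption for this example: the partner agreed on the page's two defaults.
AGREED_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}


def inspect_metadata(xml_text):
    """Structural check of an exported EntityDescriptor; no signature verification."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "signature_alg": None, "issues": []}
    sig = root.find("ds:Signature", NS)
    if sig is None:
        report["issues"].append("metadata is not signed")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        report["signature_alg"] = alg
        if alg not in AGREED_SIGNATURE_ALGS:
            report["issues"].append(f"signature algorithm not agreed with partner: {alg}")
        # The partner can only verify the file if the public key info was included.
        if sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            report["issues"].append("no X509Certificate in ds:KeyInfo")
    # Endpoints embed the virtual server ID / host name chosen at export time.
    md_prefix = "{" + NS["md"] + "}"
    report["endpoints"] = sorted(
        e.get("Location") for e in root.iter()
        if e.tag.startswith(md_prefix) and e.get("Location")
    )
    return report


def sample_metadata(alg, include_cert=True):
    """Constructed sample, not a real export; signature and certificate are placeholders."""
    cert = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64"
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>") if include_cert else ""
    sig = "" if alg is None else (
        f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
        f"<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>{cert}</ds:Signature>")
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/vsid-1">'
            f"{sig}<md:IDPSSODescriptor><md:SingleSignOnService "
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
            'Location="https://idp.example.com/idp/SSO.saml2"/></md:IDPSSODescriptor></md:EntityDescriptor>')
```

Run `inspect_metadata(open("exported.xml").read())` on a real export and send the file only when `issues` is empty and the endpoints match the virtual server ID you selected.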