PingFederate Server

Manage Partner metadata URLs

On the Security → Certificate & Key Management → Partner Metadata URLs window, you can add, update, review, or remove SAML metadata URLs provided by your partners.

SAML metadata URLs streamline the process of establishing and maintaining SAML connections. If your partner provides SAML metadata by URL, you can use the metadata URL for the following scenarios:

  • Creating a new SAML connection using the metadata URL and associating the metadata URL with the new connection

  • Enabling or disabling automatic updates from the associated metadata URL

  • Adding or updating the metadata URL associated with an existing SAML connection

  • Updating an existing SAML connection using the metadata URL instantly

You can quickly create connections with InCommon participants, update the connections automatically or manually as the InCommon participants update their metadata, and do so securely knowing PingFederate only commits changes to your connections after validating the digital signatures of the signed metadata.

When PingFederate accesses a digitally signed metadata URL for the first time, it validates the digital signature and, if the signature is correct, stores the metadata URL and its verification certificate. When an existing metadata URL is accessed, PingFederate validates the digital signature using the stored certificate. If there is a digital signature error, PingFederate aborts the process and provides an error with a recommended course of action. You can bypass the signature verification process by clearing the Validate Metadata Signature check box on the URL tab.

Adding a new metadata URL

Use the Partner Metadata URLs window’s functionality to add a custom-configured metadata URL.

Steps

  1. On the Partner Metadata URLs window, click Add New URL.

  2. On the URL tab, define the metadata URL.

    1. Configure each field.

      • Name: A name for the metadata URL.

      • URL: The metadata URL.

      • Validate Metadata Signature: Determines whether PingFederate should validate the digital signature of signed metadata. Select the check box to verify digital signatures. Clear the check box to skip the signature verification process. This check box is selected by default.

    2. Click Load Metadata.

  3. On the Certificate Summary tab, review the certificate information.

    This is shown and applicable only when the Validate Metadata Signature check box on the URL tab is selected.

    • If the metadata is not digitally signed (unsigned), click Verify to confirm that the unsigned metadata is reachable at the time of the configuration.

    • If the metadata is signed but the certificate is provided outside of the metadata, click Import to upload the verification certificate.

  4. On the Summary tab, review the configuration. Click Done and Save.
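The Certificate Summary step distinguishes unsigned metadata, signed metadata that embeds its certificate, and signed metadata whose certificate is provided separately, and the introduction describes checking later fetches against the certificate stored on first use. The following Python code is an added example, not PingFederate code: it classifies a metadata document into those cases and compares the embedded certificate's SHA-256 fingerprint with a pinned value before the URL is loaded. The state names, the fingerprint comparison, and the sample documents are assumptions constructed for illustration, and the script does not verify the XML signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def classify_metadata(xml_bytes, pinned_sha256=None):
    """Return (state, sha256_of_embedded_cert). State names are hypothetical.
    This inspects structure only; it does NOT verify the XML signature."""
    if b"<!DOCTYPE" in xml_bytes:  # SAML metadata needs no DTD; refuse entity tricks
        raise ValueError("DTD present in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag not in (MD + "EntityDescriptor", MD + "EntitiesDescriptor"):
        raise ValueError("root element is not SAML metadata")
    sig = root.find(DS + "Signature")  # enveloped signature: direct child of root
    if sig is None:
        return ("unsigned", None)
    cert = sig.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        return ("signed-cert-external", None)  # certificate must be imported
    der = base64.b64decode("".join(cert.text.split()))
    fingerprint = hashlib.sha256(der).hexdigest()
    if pinned_sha256 is None:
        return ("signed-first-use", fingerprint)  # review, then store as the pin
    pinned = pinned_sha256.replace(":", "").lower()
    state = "signed-pin-match" if fingerprint == pinned else "signed-pin-mismatch"
    return (state, fingerprint)

# Constructed sample input: placeholder bytes stand in for a DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_FP = hashlib.sha256(SAMPLE_DER).hexdigest()

def sample_metadata(signature_xml=""):
    return ('<md:EntityDescriptor entityID="https://idp.example.org/metadata" '
            'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            + signature_xml + "</md:EntityDescriptor>").encode()

UNSIGNED = sample_metadata()
SIGNED_NO_CERT = sample_metadata("<ds:Signature><ds:SignatureValue/></ds:Signature>")
SIGNED = sample_metadata(
    "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(SAMPLE_DER).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>")

if __name__ == "__main__":
    for doc in (UNSIGNED, SIGNED_NO_CERT, SIGNED):
        print(classify_metadata(doc), classify_metadata(doc, pinned_sha256="00" * 32))
```

A "signed-pin-mismatch" result corresponds to the case where the partner's signing certificate differs from the stored one and should be confirmed with the partner out of band before the stored certificate is replaced.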

Updating an existing metadata URL

Use the Partner Metadata URLs window’s functionality to update and correct the configuration of existing metadata.

Steps

  1. On the Partner Metadata URLs window, select the applicable metadata by its name.

  2. On the URL tab, update the name, URL, or digital signature verification option. Click Next.

  3. On the Certificate Summary tab, click Verify to confirm that the unsigned metadata is reachable at the time of the configuration, or update the verification certificate of the signed metadata.

    This is shown and applicable only when the Validate Metadata Signature check box on the URL tab is selected.

  4. If the metadata is signed but the certificate is provided outside of the metadata, click Import to upload the verification certificate. Click Next.

  5. On the Summary tab, review the configuration, then click Done and Save.

Reviewing metadata URL usage

Use the Partner Metadata URLs window’s functionality to review the usage information for a metadata URL.

Steps

  1. On the Partner Metadata URLs window, select Check Usage for the applicable metadata.

    The Check Usage option is shown and applicable only when the metadata is used by at least one connection.

  2. Review the information in the pop-up window.

  3. When finished, close the pop-up window.

Removing a metadata URL

Use the Partner Metadata URLs window’s functionality to delete an unwanted piece of metadata.

Steps

  1. On the Partner Metadata URLs window, select Delete for the applicable metadata.

    The Delete option is shown and applicable only when the metadata is not used by any connections.

    To cancel the removal request, select Undelete for the certificate.

  2. Click Save to confirm your action.