A SAML metadata URL streamlines the process of establishing and maintaining SAML connections. If your partner provides SAML metadata by URL, you can use the metadata URL for the following scenarios:

  • Create a new SAML connection using the metadata URL and associate the metadata URL with the new connection.
  • Enable or disable automatic update from the associated metadata URL.
  • Add or update the metadata URL associated with an existing SAML connection.
  • Update an existing SAML connection using the metadata URL instantly.
Tip: You can quickly create connections with InCommon participants, update the connections automatically or manually as the InCommon participants update their metadata, and do so securely knowing PingFederate only commits changes to your connections after validating the digital signatures of the signed metadata.

When PingFederate accesses a digitally signed metadata URL for the first time, it validates the digital signature and stores the metadata URL and its verification certificate if the signature is correct. When an existing metadata URL is accessed subsequently for any of the aforementioned scenarios, PingFederate validates the digital signature using the previously stored certificate. If the signature is correct, the process carries on. If there is a digital signature error, PingFederate aborts the process and provides an error with a recommended course of action. As needed, the signature verification process can be bypassed.
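The first-use and subsequent-use rule described above, as an added example that is not PingFederate's code: a Go program (its type and function names are this example's own) that models the stored-certificate check on constructed data. It simplifies the enveloped XML Signature that real SAML metadata carries to an RSA/SHA-256 signature over the raw document bytes; what it demonstrates is the trust logic: the first fetch pins the certificate, later fetches are checked against the stored certificate rather than the one that arrives with them, unsigned metadata is flagged for explicit confirmation, and clearing the validation option skips the check entirely.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Outcome int // result of loading a metadata URL; the names are this example's, not PingFederate's

const (
	OutcomeSkipped  Outcome = iota // Validate Metadata Signature cleared: no check
	OutcomePinned                  // first access: signature valid, certificate stored
	OutcomeVerified                // later access: signature valid against stored certificate
	OutcomeUnsigned                // no signature: reachable, needs explicit confirmation
	OutcomeRejected                // signature error: abort, commit nothing
)

var ErrSignatureInvalid = errors.New("metadata signature did not verify against the stored certificate")

// FetchedMetadata is a constructed stand-in for one fetch of the URL. Real SAML metadata carries
// an enveloped XML Signature; this example simplifies that to RSA/SHA-256 over the raw bytes.
type FetchedMetadata struct {
	Body      []byte
	Signature []byte            // empty when the metadata is unsigned
	Cert      *x509.Certificate // certificate shipped with (or imported for) the metadata
}

// MetadataURLEntry is what the server keeps per metadata URL.
type MetadataURLEntry struct {
	ValidateSig bool
	StoredCert  *x509.Certificate // pinned on the first successful validation
}

// LoadMetadata applies the page's rule: a later fetch is checked against the stored certificate,
// never the one that arrives with it, so a document signed with a different key is rejected.
func LoadMetadata(entry *MetadataURLEntry, f FetchedMetadata) (Outcome, error) {
	if !entry.ValidateSig {
		return OutcomeSkipped, nil
	}
	if len(f.Signature) == 0 {
		return OutcomeUnsigned, nil
	}
	cert := entry.StoredCert
	if cert == nil { // first access: trust the certificate delivered with the metadata
		if cert = f.Cert; cert == nil {
			return OutcomeRejected, errors.New("signed metadata but no verification certificate; import one")
		}
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, f.Body, f.Signature); err != nil {
		return OutcomeRejected, fmt.Errorf("%w: %v", ErrSignatureInvalid, err)
	}
	if entry.StoredCert == nil {
		entry.StoredCert = cert
		return OutcomePinned, nil
	}
	return OutcomeVerified, nil
}

// newSigner builds a throwaway self-signed certificate to stand in for a partner's signing key.
func newSigner(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return key, cert
}

func sign(key *rsa.PrivateKey, body []byte) []byte {
	d := sha256.Sum256(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return sig
}

func doc(v string) []byte { // constructed stand-in for a metadata document
	return []byte(`<EntityDescriptor entityID="https://idp.partner.example">` + v + `</EntityDescriptor>`)
}

// Scenario walks the page's flow on constructed data: the first load pins the partner's certificate,
// a genuine update verifies against it, and a document for the same entity signed by another key fails.
func Scenario() (first, update, forged Outcome, forgedErr error) {
	partnerKey, partnerCert := newSigner("idp.partner.example")
	otherKey, otherCert := newSigner("idp.partner.example") // same name, different key
	entry := &MetadataURLEntry{ValidateSig: true}
	first, _ = LoadMetadata(entry, FetchedMetadata{Body: doc("v1"), Signature: sign(partnerKey, doc("v1")), Cert: partnerCert})
	update, _ = LoadMetadata(entry, FetchedMetadata{Body: doc("v2"), Signature: sign(partnerKey, doc("v2")), Cert: partnerCert})
	forged, forgedErr = LoadMetadata(entry, FetchedMetadata{Body: doc("v3"), Signature: sign(otherKey, doc("v3")), Cert: otherCert})
	return
}

func main() { fmt.Println(Scenario()) }
```

The point to take from the third load: once a certificate is stored, a document signed by a different key fails even though it ships its own certificate, which is what makes automatic updates from the URL safe to enable. Clearing Validate Metadata Signature removes that check, so treat the bypass as an exception for a specific unsigned partner rather than a default.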

Use the Security > Partner Metadata URLs screen to add, update, review, or remove SAML metadata URLs provided by your partners.

Adding a new metadata URL

  1. On the Partner Metadata URLs screen, click Add New URL.
  2. On the URL screen, define the metadata URL.
    1. Configure each field.
      Name: A friendly name of the metadata URL.
      URL: The metadata URL.
      Validate Metadata Signature: Determines whether PingFederate should validate the digital signature of signed metadata.

        Select the check box to verify the digital signature.

        Clear the check box to skip the signature verification process.

        This check box is selected by default.

    2. Click Load Metadata.
  3. On the Certificate Summary screen, review the certificate information.

    Shown and applicable only when the Validate Metadata Signature check box on the URL screen is selected.

    • If the metadata is not digitally signed (unsigned), click Verify to confirm that the unsigned metadata is reachable at the time of the configuration.
    • If the metadata is signed but the certificate is provided outside of the metadata, click Import to upload the verification certificate.
  4. On the Summary screen, review the configuration. Then, click Done and Save.

Updating an existing metadata URL

  1. On the Partner Metadata URLs screen, select the applicable metadata by its name.
  2. On the URL screen, update the name, URL, or digital signature verification option. Then, click Next.
  3. On the Certificate Summary screen, click Verify to confirm that unsigned metadata is reachable at the time of the configuration, or update the verification certificate of signed metadata.

    Shown and applicable only when the Validate Metadata Signature check box on the URL screen is selected.

    If the metadata is signed but the certificate is provided outside of the metadata, click Import to upload the verification certificate.

  4. Click Next.
  5. On the Summary screen, review the configuration, then click Done and Save.

Reviewing metadata URL usage

  1. On the Partner Metadata URLs screen, select Check Usage under Action for the applicable metadata.

    The Check Usage option is shown and applicable only when the metadata is used by at least one connection.

  2. Review the information in the pop-up window.

    When finished, close the pop-up window.

Removing a metadata URL

  1. On the Partner Metadata URLs screen, select Delete under Action for the applicable metadata.

    The Delete option is shown and applicable only when the metadata is not used by any connections.

    To cancel the removal request, select Undelete under Action for the applicable metadata.

  2. Click Save to confirm your action.