If your partner's deployment does not produce or consume a metadata file that conforms to SAML metadata specifications, you may need to exchange connection information manually. The following sections list some common configuration details that must be exchanged if metadata files are not used. (These lists are not exhaustive.)

IdP to SP

If you are the IdP, your SP partner will need some or all of the following connection information (depending upon which profiles and bindings you are configuring):

  • Unique ID—Identifies the IdP that issues an assertion or other SAML message. For SAML 2.0, the ID is the IdP Entity ID; for SAML 1.x, it is the IdP Issuer; for WS-Federation, it is the IdP Realm.

    PingFederate also supports the optional use of virtual IDs (see Federation Server Identification).

  • SOAP Artifact Resolution URL—The endpoint your site uses to receive an SP's SOAP requests when the artifact binding is used.
  • Single Logout Service URL—The destination of SLO request messages.
  • Single Sign-On Service URL—The endpoint where you receive and process assertions.

SP to IdP

If you are the SP, your IdP partner will need some or all of the following connection information (depending upon which profiles and bindings you are configuring):

  • Unique ID—Identifies the SP. For SAML 2.0, the ID is the Entity ID; for SAML 1.x, it is the SP's Audience; for WS-Federation, it is the SP's Realm.

    PingFederate also supports the optional use of virtual IDs (see Federation Server Identification).

  • SOAP Artifact Resolution Service URL—The endpoint to use for SOAP requests when the artifact binding is used.
  • Single Logout Service URL (SAML 2.0)—The destination of SLO request messages.
  • Assertion Consumer Service URL—The location where the SP receives assertions.
  • Target URLs—The URLs for the protected resources that a user is trying to access.

Mutual settings between parties

Many settings must be mutually set by the parties. This information might include such items as:

  • Attributes—User information that will be sent in an assertion, if any (see User attributes).
  • Signing certificates—The SAML and WS-Federation protocols specify a number of conditions under which digital signatures are either required or optional (these conditions are built into the PingFederate connection-setup screens).
  • SOAP connection type and authentication style—For SAML connections using the back channel (using the artifact binding, for example), HTTP Basic authentication, SSL client certificate authentication, digital signatures, or some combination of the three is required. You and your partner must exchange the necessary credentials, certificates, and signing keys.
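The following is an added example, not PingFederate code: a pre-entry check an IdP administrator could run over values an SP partner sent by hand, plus a SHA-256 fingerprint of the signing certificate to confirm with the partner over a separate channel. The record field names, the assumption that browser SSO is configured (so the Assertion Consumer Service URL is always expected), and the https-only rule are assumptions of this example.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Back-channel options the page names for SOAP connections.
BACK_CHANNEL_AUTH = {"http_basic", "ssl_client_cert", "digital_signature"}

def cert_fingerprint(pem):
    """SHA-256 of the certificate's DER bytes, to read back to the partner out of band."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def check_sp_record(rec):
    """Return the problems found in values an SP partner supplied by hand."""
    problems = []
    if not rec.get("unique_id", "").strip():
        problems.append("unique_id missing")
    required = ["assertion_consumer_service_url"]  # assumes browser SSO is in use
    if rec.get("slo"):
        required.append("single_logout_service_url")
    if rec.get("artifact_binding"):
        required.append("soap_artifact_resolution_service_url")
        methods = set(rec.get("back_channel_auth", []))
        if not methods or not methods <= BACK_CHANNEL_AUTH:
            problems.append("back_channel_auth missing or unknown")
    for key in required:
        url = urlsplit(rec.get(key, ""))
        # Assumption of this example: partner endpoints must be https.
        if url.scheme != "https" or not url.hostname:
            problems.append(key + " missing or not https")
    return problems

# Constructed sample input; the "certificate" is placeholder bytes, not a real X.509 cert.
SAMPLE_DER = b"constructed placeholder DER bytes"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SP = {
    "unique_id": "https://sp.example.com/saml",
    "assertion_consumer_service_url": "https://sp.example.com/acs",
    "artifact_binding": True,
    "soap_artifact_resolution_service_url": "http://sp.example.com/soap",
    "back_channel_auth": [],
}

if __name__ == "__main__":
    print(check_sp_record(SAMPLE_SP))
    print(cert_fingerprint(SAMPLE_PEM))
```

Comparing the fingerprint by phone or another independent channel guards against a certificate being swapped in the e-mail or ticket that carried it.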