2.3.7 Metadata Repositories

Large-scale federations can have more than 100 identity providers and service providers, and establishing a bilateral relationship with each of them in Access Manager is a tedious task. As an identity provider, you can now configure several identity providers and service providers at once by using a multi-entity metadata file available in a central repository. The identity providers and service providers maintain a single metadata file that contains the metadata of all approved partners. Each provider submits its metadata, which includes the specifications of the services it offers (SAML 1.1 and SAML 2.0) and any other relevant information. This feature is available only for SAML 1.1 and SAML 2.0.

For example, XYZ is an e-book store, and several other e-book stores, each acting as an identity provider or a service provider, are partners of XYZ. XYZ therefore maintains a single metadata file that contains the metadata of all the other stores. ABC, an e-book identity provider, wants to establish a federation with many other e-book stores, so ABC partners with XYZ by sharing its metadata, and XYZ in turn shares the combined metadata XML file. ABC imports the XML file, which is publicly available on the Internet (for example, http://xyz.commonfederation.org/xyz-metadata.xml), and establishes trust with the others in the federation, which includes XYZ’s trusted provider sites.

Creating Metadata Repositories

  1. Click Devices > Identity Servers > Shared Settings > Metadata Repositories.

  2. Click New and specify the following details:

    Name: Specify a name for the metadata repository.

    Description: Specify the description of the metadata repository.

    Source: Select the source from which you want to import the metadata file.

    • To specify the URL location of the XML file in URL, select Metadata URL.

    • To specify the path of the XML file in File, select Metadata File.

  3. Click Finish.

    The details of the metadata, such as the number of identity providers and service providers it contains and its expiry date, are displayed.

    You can select the metadata repository and click Delete to delete the repository. If the metadata file is in use, you cannot delete it. Delete the trusted provider first, and then delete the metadata file.

  4. Select All to see the list of entities. For each entity, the check box of every protocol that the entity supports is selected.

When the metadata repositories are imported, the entities available in the metadata repository can be assigned as a trusted provider to any of the Identity Server clusters. To create trusted providers, see Section 2.7.3, Managing Trusted Providers.

Reimporting Metadata Repositories

Reimport the metadata repository to get the updated XML.

  1. Click Devices > Identity Servers > Shared Settings > Metadata Repositories.

  2. Click the metadata repository you created and click Reimport.

  3. Specify the URL location of the XML file in URL and click Next.

    The page displays the following information:

    New Entities added to the repositories

    Entities Deleted from the repositories: If an entity is deleted and was assigned as a trusted provider to an Identity Server cluster, the link between the trusted provider and the metadata repository entity is deleted.

    NOTE: The corresponding trusted provider is not deleted. Delete the trusted provider manually.

    Entities Updated in the repositories: If an entity is updated and is assigned as a trusted provider to an Identity Server cluster, that trusted provider will be updated. You must update the Identity Server cluster for the changes to take effect.

    If the updated or deleted entities are assigned as trusted providers to an Identity Server cluster, the Identity Server cluster name is displayed in brackets next to the entity ID.

  4. Click Finish to apply the changes.
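The following script is an added example and is not Access Manager's own code. It reproduces offline the two kinds of information the console shows: after an import (step 3 of Creating Metadata Repositories), the number of identity providers and service providers in a multi-entity metadata file and its expiry date; after a reimport, which entities were added, deleted or updated relative to the previously imported copy. It also reports whether the EntitiesDescriptor carries an XML signature, which is what lets you verify who published the file before assigning its entities as trusted providers. The two metadata documents are constructed for illustration; every entity ID and URL in them is a placeholder.

```python
"""Inspect and diff SAML 2.0 multi-entity metadata (EntitiesDescriptor) files.

Added example, not Access Manager's own code. Sample metadata is constructed;
all entity IDs and endpoint URLs are placeholders.
"""
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
PROTOCOL_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:protocol": "SAML 2.0",
    "urn:oasis:names:tc:SAML:1.1:protocol": "SAML 1.1",
}

# Constructed identity provider entry supporting both SAML 2.0 and SAML 1.1.
IDP_ENTRY = """  <md:EntityDescriptor entityID="https://idp.example.org/xyz">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/xyz/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
"""


def sp_entry(entity_id, acs_location):
    """Build a constructed SAML 2.0 service provider entry for the samples."""
    return (f'  <md:EntityDescriptor entityID="{entity_id}">\n'
            '    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
            '      <md:AssertionConsumerService index="0" '
            f'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{acs_location}"/>\n'
            '    </md:SPSSODescriptor>\n'
            '  </md:EntityDescriptor>\n')


def federation_metadata(*entries):
    """Wrap entity entries in an (unsigned) EntitiesDescriptor with an expiry date."""
    return ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'Name="urn:example:xyz-federation" validUntil="2030-01-01T00:00:00Z">\n'
            + "".join(entries) + "</md:EntitiesDescriptor>")


# First publication: one IdP and two SPs.
OLD_METADATA = federation_metadata(
    IDP_ENTRY,
    sp_entry("https://sp.example.org/store-a", "https://sp.example.org/store-a/acs"),
    sp_entry("https://sp.example.org/store-b", "https://sp.example.org/store-b/acs"),
)
# Next publication: store-a moved its ACS endpoint, store-b left, store-c joined.
NEW_METADATA = federation_metadata(
    IDP_ENTRY,
    sp_entry("https://sp.example.org/store-a", "https://sp.example.org/store-a/saml/acs"),
    sp_entry("https://sp.example.org/store-c", "https://sp.example.org/store-c/acs"),
)


def _fingerprint(elem):
    """Whitespace-insensitive digest of an element's tags, attributes and text."""
    items = [(n.tag, tuple(sorted(n.attrib.items())), (n.text or "").strip()) for n in elem.iter()]
    return hashlib.sha256(repr(items).encode()).hexdigest()


def parse_metadata(xml_text):
    """Map each entityID to its roles, supported protocols and a content digest."""
    entities = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        roles, protocols = set(), set()
        for role_tag, role in ((f"{{{MD}}}IDPSSODescriptor", "IdP"), (f"{{{MD}}}SPSSODescriptor", "SP")):
            for desc in ed.findall(role_tag):
                roles.add(role)
                for uri in desc.get("protocolSupportEnumeration", "").split():
                    protocols.add(PROTOCOL_NAMES.get(uri, uri))
        entities[ed.get("entityID")] = {"roles": roles, "protocols": protocols, "digest": _fingerprint(ed)}
    return entities


def summarize(xml_text):
    """Import-time view: role counts, expiry date, and whether the file is signed."""
    root = ET.fromstring(xml_text)
    entities = parse_metadata(xml_text)
    return {
        "identity_providers": sum("IdP" in e["roles"] for e in entities.values()),
        "service_providers": sum("SP" in e["roles"] for e in entities.values()),
        "valid_until": root.get("validUntil"),
        # Without a signature on the root there is no way to verify the publisher.
        "signed": root.find(f"{{{DS}}}Signature") is not None,
    }


def diff_metadata(old_xml, new_xml):
    """Reimport-time view: entities added, deleted, or changed since the previous copy."""
    old, new = parse_metadata(old_xml), parse_metadata(new_xml)
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "updated": sorted(e for e in set(old) & set(new) if old[e]["digest"] != new[e]["digest"]),
    }


if __name__ == "__main__":
    print(summarize(OLD_METADATA))
    print(diff_metadata(OLD_METADATA, NEW_METADATA))
```

Run it against a saved copy of the repository file and a freshly fetched one to see what a reimport will change before clicking Finish; an entity listed under "updated" is one whose trusted provider will be rewritten, and one under "deleted" is one whose trusted provider you will have to remove by hand, exactly as the reimport page warns.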