7.9 Managing Metadata

7.9.1 Viewing and Reimporting a Trusted Provider’s Metadata

You might need to reimport a trusted provider’s metadata if you learn that it has changed. The metadata changes when you change the provider to use HTTPS rather than HTTP and when you change the certificate that it is using for SSL. The steps for reimporting the metadata are similar for Liberty and SAML protocols.

NOTE: Trusted providers that come from a metadata repository cannot be reimported with this option. Go to Shared Settings > Metadata Repositories and click the metadata repository you created to reimport the trusted provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol].

  2. Click the trusted provider, then click the Metadata tab.

    This page displays the current metadata the trusted provider is using.

  3. To reimport the metadata:

    1. Copy the URL in the providerID field (Liberty) or the entityID (SAML).

    2. (SAML 1.1) Paste the URL to a file, click Authentication Card, copy the Login URL to the file, then click Metadata.

    3. Click Reimport.

    4. Follow the prompts to import the metadata.

      For the metadata URL, paste in the value you copied.

      If your Administration Console is installed with your Identity Server, you need to change the protocol from HTTPS to HTTP and the port from 8443 to 8080.

  4. Confirm metadata certificates, then click Finish, or for an identity provider, click Next.

  5. (Identity Provider) Configure the card, then click Finish.

    For SAML 1.1, copy the value you saved into the Login URL.

  6. Update the Identity Server.

NOTE: Reimport support is not available for SAML 1.1 and SAML 2.0 protocols.

7.9.2 Viewing Trusted Provider Certificates

You can review and confirm the certificate information for identity and service providers.

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol] > [Name of Provider] > Metadata > Certificates.

  2. View the following information displayed for the certificates:

    Subject: The subject name assigned to the certificate.

    Validity: The first date the certificate was valid, and the date the certificate expires.

    Issuer DN: The distinguished name of the Certificate Authority (CA) that created the certificate.

    Algorithm: The name of the algorithm that was used to create the certificate.

    Serial Number: The serial number that the CA assigned to the certificate.

  3. Click OK if you are viewing the information, or click Next or Finish if you are creating a provider.
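Before you confirm reimported metadata (Section 7.9.1, Step 4) or compare the certificate details shown on the Certificates page (Section 7.9.2), it helps to read the same values directly out of the provider's metadata document. The following script is an added example written for this page; it is not Access Manager code and does not use any Access Manager API. It parses a SAML 2.0 EntityDescriptor with the Python standard library, lists the entityID and every endpoint element that the console fields map onto (SingleSignOnService, AssertionConsumerService, ArtifactResolutionService, AttributeService, SingleLogoutService), flags endpoints that are not served over HTTPS or metadata whose validUntil has passed, and prints the SHA-256 fingerprint of each signing certificate so you can compare it with what the partner gave you. The metadata, host name, validUntil date and certificate bytes are constructed for the example and do not describe a real provider.

```python
"""Pre-check a trusted provider's SAML metadata before reimporting it.

Added example for this page; not part of Access Manager. Stdlib only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Endpoint elements the console's URL fields correspond to.
ENDPOINT_TAGS = ("SingleSignOnService", "AssertionConsumerService",
                 "ArtifactResolutionService", "AttributeService",
                 "SingleLogoutService")

# Constructed sample: host name, validUntil and the certificate bytes are
# placeholders for this example, not a real provider's metadata. The SSO
# endpoint is deliberately plain HTTP so the check has something to flag.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test:8443/nidp/saml2/metadata"
    validUntil="2025-01-01T00:00:00Z">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAECAwQFBgcICQ==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test:8443/nidp/saml2/soap"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test:8080/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _q(ns, tag):
    """Clark-notation qualified tag name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def parse_metadata(xml_text):
    """Extract the values the console shows on the Metadata tab."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(MD, "EntityDescriptor"):
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    endpoints = []
    for tag in ENDPOINT_TAGS:
        for el in root.iter(_q(MD, tag)):
            endpoints.append((tag, el.get("Binding"), el.get("Location")))
    certs = []
    for kd in root.iter(_q(MD, "KeyDescriptor")):
        # A KeyDescriptor with no 'use' attribute serves signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.iter(_q(DS, "X509Certificate")):
                certs.append("".join((c.text or "").split()))
    return {"entity_id": root.get("entityID"),
            "valid_until": root.get("validUntil"),
            "endpoints": endpoints,
            "signing_certs": certs}


def cert_fingerprint(b64_der):
    """SHA-256 fingerprint of a base64 DER certificate, colon-separated hex."""
    digest = hashlib.sha256(base64.b64decode(b64_der)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _parse_utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_metadata(info, now_iso):
    """Return a list of findings worth resolving before reimport; empty is clean."""
    findings = []
    for tag, _binding, location in info["endpoints"]:
        if urlparse(location or "").scheme != "https":
            findings.append("%s is not HTTPS: %s" % (tag, location))
    if info["valid_until"] and _parse_utc(info["valid_until"]) <= _parse_utc(now_iso):
        findings.append("metadata expired at %s" % info["valid_until"])
    if not info["signing_certs"]:
        findings.append("no signing certificate published")
    return findings


def precheck(xml_text, now_iso):
    """Parse, fingerprint the signing certs, and run the checks in one call."""
    info = parse_metadata(xml_text)
    info["fingerprints"] = [cert_fingerprint(c) for c in info["signing_certs"]]
    return info, check_metadata(info, now_iso)


if __name__ == "__main__":
    info, findings = precheck(SAMPLE_METADATA, "2025-06-01T00:00:00Z")
    print("entityID:", info["entity_id"])
    for tag, _binding, loc in info["endpoints"]:
        print("  %-26s %s" % (tag, loc))
    for fp in info["fingerprints"]:
        print("  signing cert SHA-256:", fp)
    for f in findings:
        print("FINDING:", f)
```

Run it against a metadata file you fetched from the provider's entityID URL and compare the printed fingerprint with the certificate the console shows under Metadata > Certificates before you click Finish. The same parser handles an SPSSODescriptor, so it also covers the AssertionConsumerService URLs discussed for service providers later in this section.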

7.9.3 Editing a SAML 1.1 Identity Provider’s Metadata

Access Manager allows you to import metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers, so you can enter metadata manually. The page for this is available if you clicked the Manual Entry option when you created the trusted provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Metadata.

    You can reimport the metadata (see Step 2) or edit it (see Step 4).

  2. To reimport the metadata from a URL or text, click Reimport on the View page.

    The system displays the Create Trusted Identity Provider Wizard that lets you obtain the metadata. Follow the on-screen instructions to complete the steps in the wizard.

  3. Select either Metadata URL or Metadata Text, then fill in the field for the metadata.

  4. To edit the metadata manually, click Edit.

    Figure: SAML 1.1 identity provider manual metadata entry

  5. Fill in the following fields as necessary:

    Supported Version: Specifies the version of SAML that you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.

    Provider ID: (Required) The SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.

    In the metadata, this is the entityID value.

    Source ID: The SAML Source ID for the trusted provider. The Source ID is a 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine the source of received SAML artifacts. If none is specified, the Source ID is auto-generated by using a SHA-1 hash of the site provider ID.

    Metadata expiration: The date upon which the metadata is no longer valid.

    SAML attribute query URL: The URL location where an attribute query is to be sent to the partner. The attribute query requests a set of attributes associated with a specific object. A successful response contains assertions that contain attribute statements about the subject. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AttributeService section of the metadata.

    Artifact resolution URL: The URL location where artifact resolution queries are sent. A SAML artifact is included in the URL query string. The target URL on the destination site the user wants to access is also included on the query string. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the ArtifactResolutionService section of the metadata.

  6. To specify signing certificate settings, fill in the following fields:

    Attribute authority: Specifies the signing certificate of the partner SAML 1.1 attribute authority. The attribute authority relies on the identity provider to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user. The attribute authority must know that the entity requesting the attribute has been authenticated to the system.

    Identity provider: (Required) Appears if you are editing identity provider metadata. This field specifies the signing certificate of the partner SAML 1.1 identity provider. It is the certificate the partner uses to sign authentication assertions.

  7. Click OK.

  8. On the Identity Servers page, click Update All to update the configuration.
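The Source ID field in Step 5 is easy to misread: it is a 20-byte value, not a URL, and when left blank it is derived as the SHA-1 hash of the provider ID. The script below is an added example for this page, not Access Manager code; it reproduces that derivation and shows what the Source ID is for, namely letting the receiving site work out which trusted provider issued an artifact. The artifact layout it uses (2-byte type code 0x0001, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) is the standard SAML 1.1 Browser/Artifact format; the provider IDs and assertion handle are constructed for the example. If a partner gave you an explicit Source ID instead of leaving it blank, that value would replace the derived one in the lookup table.

```python
"""SAML 1.1 Source ID derivation and artifact source lookup.

Added example for this page; not Access Manager code.
"""
import base64
import hashlib

# Type 0x0001 artifact: 2-byte type code, 20-byte SourceID, 20-byte handle.
TYPE_CODE_0001 = b"\x00\x01"
SOURCE_ID_LEN = 20
HANDLE_LEN = 20


def source_id(provider_id):
    """Auto-generated Source ID as the page describes: SHA-1 of the provider ID."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def build_artifact(provider_id, assertion_handle, type_code=TYPE_CODE_0001):
    """Constructed artifact for the example (what the issuing site would emit)."""
    if len(assertion_handle) != HANDLE_LEN:
        raise ValueError("assertion handle must be %d bytes" % HANDLE_LEN)
    raw = type_code + source_id(provider_id) + assertion_handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64):
    """Return (source_id, handle) for a well-formed type-0001 artifact, else None."""
    try:
        raw = base64.b64decode(artifact_b64, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 2 + SOURCE_ID_LEN + HANDLE_LEN or raw[:2] != TYPE_CODE_0001:
        return None
    return raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]


def resolve_source(artifact_b64, trusted_provider_ids):
    """Identify which configured trusted provider issued an artifact, or None.

    A receiving site keeps a table of Source IDs for its trusted providers;
    an artifact whose Source ID matches none of them cannot be resolved and
    should be rejected rather than sent to a guessed artifact resolution URL.
    """
    parsed = parse_artifact(artifact_b64)
    if parsed is None:
        return None
    sid, _handle = parsed
    table = {source_id(pid): pid for pid in trusted_provider_ids}
    return table.get(sid)


if __name__ == "__main__":
    # Constructed provider IDs in the form the page shows for Provider ID.
    idp = "https://idp.example.test:8443/nidp/saml/metadata"
    partner = "https://partner.example.test:8443/nidp/saml/metadata"
    print("Source ID for", idp, "=", source_id(idp).hex())
    artifact = build_artifact(idp, b"\x11" * HANDLE_LEN)  # constructed handle
    print("artifact:", artifact)
    print("resolved to:", resolve_source(artifact, [partner, idp]))
    print("unknown issuer resolves to:", resolve_source(artifact, [partner]))
```

The derived value is what to compare against if a partner asks you to confirm the Source ID that Access Manager generated for your provider: hash your own Provider ID string exactly as it appears in the metadata entityID, since any difference in scheme, port or trailing path changes the digest.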

7.9.4 Editing a SAML 1.1 Service Provider’s Metadata

Access Manager allows you to obtain metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers, so you can enter the metadata manually. The page for this is available if you clicked the Manual Entry option when you created the trusted provider.

For conceptual information about how Access Manager uses SAML, see Section B.0, Understanding How Access Manager Uses SAML.

  1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Service Provider] > Metadata.

    You can reimport the metadata (see Step 2) or edit it (see Step 3).

  2. To reimport the metadata, click Reimport on the View page.

    Follow the on-screen instructions to complete the steps in the wizard.

  3. To edit the metadata manually, click Edit.

    Figure: SAML 1.1 identity provider manual metadata entry

  4. Fill in the following fields:

    Supported Version: Specifies which version of SAML that you want to use. You can select SAML 1.0, SAML 1.1, or both SAML 1.0 and SAML 1.1.

    Provider ID: (Required) Specifies the SAML 1.1 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml/metadata. Replace <dns> with the DNS name of the provider.

    In the metadata, this is the entityID value.

    Metadata expiration: Specifies the date upon which the metadata is no longer valid.

    Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.

    Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

    Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

    Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.

  5. Click Finish.

7.9.5 Editing a SAML 2.0 Service Provider’s Metadata

Access Manager allows you to obtain metadata for SAML 2.0 providers. However, metadata for SAML 2.0 might not be available for some service providers, so you can enter the metadata manually. The page for this is available if you clicked the Manual Entry option when you created the trusted provider.

For conceptual information about how Access Manager uses SAML, see Section B.0, Understanding How Access Manager Uses SAML.

  1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Metadata.

    You can reimport the metadata (see Step 2) or edit it (see Step 3).

  2. To reimport the metadata, click Reimport on the View page.

    Follow the on-screen instructions to complete the steps in the wizard.

  3. To edit the metadata manually, click Edit.

  4. Fill in the following fields:

    Provider ID: (Required) Specifies the SAML 2.0 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml2/metadata. Replace <dns> with the DNS name of the provider.

    In the metadata, this is the entityID value.

    Metadata expiration: Specifies the date upon which the metadata is no longer valid.

    Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.

    Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

    Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section of the metadata.

    Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.

  5. Click Finish.