Lenore Tumey

Use SAML metadata to streamline configuration

Blog Post created by Lenore Tumey Employee on Dec 18, 2015

Exchanging SAML metadata is an easy way to make sure that the Service Provider and Identity Provider have compatible configurations. If your IdP doesn’t support the use of metadata, though, admins are left to configure everything by hand, and that introduces human error. Imagine receiving metadata like this from a Service Provider and having to work out what it means in terms of a corresponding IdP configuration:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://saml.exampleapp.com" validUntil="2025-07-22T01:50:13.184Z"><md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICujCCAaKgAwIBAgIGAVG3rVFIMA0GCSqGSIb3DQEBCwUAMB4xHDAaBgNVBAMT
E3NhbWwuZXhhbXBsZWFwcC5jb20wHhcNMTUxMjE5MDAzOTI3WhcNMTkxMjE5MDAz
OTI3WjAeMRwwGgYDVQQDExNzYW1sLmV4YW1wbGVhcHAuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOJHL/8SbjV3WZ/wj2l/ra+a6Emmo0hQUo4U
Tgdj+IeSOng8dklK9p3TtfCzx9i4mqw20yal4PMYwp9F0SH1FujQ6p9e662hNMS5
AokWfMg0p4gj8LkRFHETxJzgNevEmRoUUy1HnLsocAv2ORQbzRws2m6AqRJESiIF
SW57vOl5bYzGQ2jRMm2+1UgBxCyTLRcUyF859CpEoQiX6mWnw7fOgFoY27NrXmQg
if++ms/GOIAj2O3hW+gX0ZAgBWKLJdbsLvf5gXe+aELj5XTXe28eseDqiOsGqbA8
JMclyOyhT4uNR2TkLmz4I5CG505DIzZzzCQH72OcjlX9SZv+ewIDAQABMA0GCSqG
SIb3DQEBCwUAA4IBAQConpu5liGIPB2hBSRWxJCDtAzD2dXsaAXaAQZP4qJF2JWA
BSLMMkP6E+HTgUmv0DF1AYwk5KTwhJVk3QH/g6yXSdzO9S9U5b7mrvt5lK0tkdSa
neEqHjTF9kOuVreQtX7vSFZ/yfRYVa99YuGJU5n3lvp8detfGyYa+MaRVA2+UaHJ
sLof1KoTr43mm9SXvwhLWN81b4njF1IrbhctGHvqhB2n3Nx6UiMSmlcxzStPq+zb
3cw3iqnRMr6jlPXspWK1gjqbNJfMvPxSbZpotc46ur3wCDLEwLrQpsj2bu8G64n7
erAbsPSqkUHpn1yd+NAlUs/2qr5LoNg9Hit12Nvk</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.exampleapp.com?so=00D1a000000JmBn" index="0" isDefault="true"/></md:SPSSODescriptor></md:EntityDescriptor>

Sure, it’s possible to do — maybe run it through an XML formatter to make it a little easier to read, then copy and paste the certificate into a file that you can upload, figure out exactly what each field really means, copy and paste those values into the right places in your config, check the right checkboxes, and so on.
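To make that manual translation concrete, here is an added example (not code from this post or from RSA Via Access) that does the same job in Python: it reads the SP metadata shown above, with the certificate body swapped for a placeholder, pulls out the IdP-side settings, and flags a few things a reviewer would want to check before saving (expired validUntil, no ds:Signature on the metadata, a non-HTTPS AssertionConsumerService URL). The warning texts and the dictionary keys are my own choices, not any product's.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the SP metadata from the post, certificate body replaced by a placeholder.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://saml.exampleapp.com" validUntil="2025-07-22T01:50:13.184Z">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER_CERT...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.exampleapp.com?so=00D1a000000JmBn" index="0" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_saml_ts(ts):
    # SAML metadata timestamps are UTC, e.g. 2025-07-22T01:50:13.184Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def sp_metadata_to_idp_config(xml_text, now_ts):
    """Turn SP metadata into the IdP-side settings an admin would otherwise transcribe by hand."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    warnings = []
    # Expired metadata must not be imported.
    if root.get("validUntil") and parse_saml_ts(now_ts) > parse_saml_ts(root.get("validUntil")):
        warnings.append("metadata expired on " + root.get("validUntil"))
    # The post's sample carries no ds:Signature, so authenticity rests on how the file was exchanged.
    if root.find("ds:Signature", NS) is None:
        warnings.append("metadata is unsigned; confirm it came from the SP over a trusted channel")
    acs = []
    for svc in sp.findall("md:AssertionConsumerService", NS):
        url = svc.get("Location")
        if not url.startswith("https://"):
            warnings.append("non-HTTPS AssertionConsumerService URL: " + url)
        acs.append({"binding": svc.get("Binding").rsplit(":", 1)[-1], "url": url,
                    "default": svc.get("isDefault") == "true"})
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"),
            "sign_assertions": sp.get("WantAssertionsSigned") == "true",
            "expect_signed_authn_requests": sp.get("AuthnRequestsSigned") == "true",
            "sp_signing_cert": "".join(cert.text.split()) if cert is not None else None,
            "nameid_format": sp.findtext("md:NameIDFormat", namespaces=NS),
            "acs": acs, "warnings": warnings}
```

The returned dictionary is exactly the set of values an admin would otherwise copy into the IdP by hand; the warnings list is what a metadata import should make you look at before clicking save.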

...Or you could just use an Identity Provider that supports importing SAML metadata in the first place.

In RSA Via Access, for example, you can import SAML metadata into any SAML application configuration, whether you’re setting up an application from the catalog or using the SAML template. Just click the Import Metadata button on the Connection Profile page, specify the metadata file you want to use, and review all the settings that will be applied before saving.

After you've imported the SP metadata, you can still review the overall configuration and make any special adjustments you need (such as selecting which of your AD attributes to use for the NameID) before saving the application and publishing your changes.