Editing a SAML 2.0 Service Provider’s Metadata

You can obtain metadata for SAML 2.0 providers. However, some service providers do not make SAML 2.0 metadata available, and in that case you must enter the metadata manually.

NOTE: You can obtain metadata for SAML 2.0 providers either from the service provider or from the pre-built catalog connector configuration. See Custom Connectors in the Access Manager 5.0 Applications Configuration Guide.

You must click the Manual Entry option when you create a trusted provider to be able to enter the metadata manually.

  1. Click Devices > Identity Servers > Edit > SAML 2.0 > [Service Provider] > Metadata.

    You can reimport the metadata (see Step 2) or edit it (see Step 3).

  2. To reimport the metadata, click Reimport on the View page.

    Follow the on-screen instructions to complete the steps through the wizard.

  3. To edit the metadata manually, click Edit.

  4. Specify the following details:

    Provider ID: (Required) Specifies the SAML 2.0 metadata unique identifier for the provider. For example, https://<dns>:8443/nidp/saml2/metadata. Replace <dns> with the DNS name of the provider.

    In the metadata, this is the entityID value.

    Metadata expiration: Specifies the date upon which the metadata is no longer valid.

    Want assertion to be signed: Specifies that authentication assertions from the trusted provider must be signed.

    Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section.

    Post consumer URL: Specifies where the partner receives incoming SAML POST data. For example, https://<dns>:8443/nidp/saml2/spassertion_consumer. Replace <dns> with the DNS name of the provider.

    In the metadata, this URL value is found in the AssertionConsumerService section.

    Service Provider: Specifies the public key certificate used to sign SAML data. You can browse to locate the service provider certificate.

    You can add two signing certificates used by the service provider. To add a second certificate, click the Add icon (+), then browse to locate the required service provider certificate. Access Manager validates the service provider’s signed messages by using these signing certificates. Based on the certificate referenced by the service provider in its SAML 2.0 messages, Access Manager picks the matching signing certificate from this list.

  5. Click Finish.
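When you do have a metadata file but must fill in the Manual Entry form by hand, the values in Step 4 map directly onto elements of the SAML 2.0 metadata. The following script, added here as an illustration and not part of Access Manager or this guide, pulls those fields out of a constructed sample SP metadata document using only the Python standard library; the sp.example.com host and the certificate contents are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample SP metadata; sp.example.com and the certificate values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.com:8443/nidp/saml2/metadata" validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-CERT-1</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...CONSTRUCTED-CERT-2</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com:8443/nidp/saml2/spassertion_consumer" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com:8443/nidp/saml2/spassertion_consumer" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def extract_sp_fields(metadata_xml):
    """Return the values the Manual Entry form asks for, keyed by form field."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    # Keep the first Location per binding; Artifact and POST endpoints may share one URL.
    acs = {}
    for svc in sp.findall("md:AssertionConsumerService", NS):
        acs.setdefault(svc.get("Binding"), svc.get("Location"))
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [
        "".join(cert.text.split())  # drop the line breaks that wrap the base64 in the file
        for kd in sp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "provider_id": root.get("entityID"),
        "metadata_expiration": root.get("validUntil"),  # None when the SP sets no expiry
        "want_assertion_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "artifact_consumer_url": acs.get(ARTIFACT),
        "post_consumer_url": acs.get(POST),
        "signing_certificates": certs,
    }
```

Comparing the extracted values against what is typed into the form is a quick check that the entityID, consumer URLs and both signing certificates were entered without a copy error.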