DNS Name Resolution

When a service provider (for example, Access Gateway ESP) retrieves the metadata of the identity provider, it sends the request to the hostname defined in the base URL configuration of Identity Server. The base URL in Identity Server configuration is used to build all the metadata endpoints, so every endpoint URL in the metadata carries that hostname and port.

To view the metadata of Identity Server with a DNS name of idpcluster.lab.novell.com, enter the following URL:

https://idpcluster.lab.novell.com:8443/nidp/idff/metadata

Check the document and locate references to https://idpcluster.lab.novell.com/... You should see lines similar to the following:

<md:SoapEndpoint>
   https://idpcluster.lab.novell.com:8443/nidp/idff/soap
</md:SoapEndpoint>

<md:SingleLogoutServiceURL>
   https://idpcluster.lab.novell.com:8443/nidp/idff/slo
</md:SingleLogoutServiceURL>

<md:SingleLogoutServiceReturnURL>
   https://idpcluster.lab.novell.com:8443/nidp/idff/slo_return
</md:SingleLogoutServiceReturnURL>

Access Gateway ESP must be able to resolve the idpcluster.lab.novell.com hostname of Identity Server to the correct address. To test that it is resolvable, send a ping command with the hostname of Identity Server. For example, from Access Gateway:

ping idpcluster.lab.novell.com

If ping reports an unknown host, the name is not resolving. If ping shows a resolved address but the replies time out, name resolution succeeded and the problem is network connectivity or a firewall that blocks ICMP, not DNS. Also verify that the address ping reports is the address of Identity Server (or of the Identity Server cluster) and not a stale entry in the hosts file of Access Gateway.

The same is true for Identity Server. It must be able to resolve the hostname of Access Gateway. To discover the URL for Access Gateway metadata:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy/Authentication.

  2. View the Embedded Service Provider section.

    The URL of the metadata is displayed in this section.

To view the metadata, enter the displayed URL. Scan through the document and notice the multiple references to the hostname of Access Gateway.

You should see lines similar to the following. In these lines, the hostname is ag1.provo.novell.com.

<md:SoapEndpoint>
   http://ag1.provo.novell.com:80/nesp/idff/spsoap
</md:SoapEndpoint>

<md:SingleLogoutServiceURL>
   http://ag1.provo.novell.com:80/nesp/idff/spslo
</md:SingleLogoutServiceURL>

<md:SingleLogoutServiceReturnURL>
   http://ag1.provo.novell.com:80/nesp/idff/spslo_return
</md:SingleLogoutServiceReturnURL>

To test that Identity Server can resolve the hostname of Access Gateway, send a ping command with the hostname of Access Gateway. For example, from Identity Server:

ping ag1.provo.novell.com

As before, an unknown host error indicates a DNS failure, whereas a resolved address with no replies indicates a connectivity or ICMP filtering problem. The address that ping reports must be the address of Access Gateway.
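The two ping checks above (from Access Gateway against the Identity Server hostname, and from Identity Server against the Access Gateway hostname) only test the one hostname you type. The following script is an added example, not part of Access Manager or its documentation: it reads a metadata document, extracts every hostname and port referenced by its endpoint URLs, and asks the local resolver for each one, so a hostname that differs from the one you expected (for example, after a base URL change) is caught as well. The EntityDescriptor envelope, the namespace, and the two embedded metadata documents are constructed for the example, modelled on the fragments shown above; run the script with the real metadata saved from the URLs the documentation describes.

```python
"""Check that the hostnames published in a provider's IDFF metadata resolve from
this host. Added example for the DNS resolution check described above; it is
not part of Access Manager or its documentation."""
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample documents, modelled on the metadata fragments shown above.
# The EntityDescriptor envelope and namespace are assumptions for the example;
# real Access Manager metadata contains many more elements.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:liberty:metadata:2003-08">
  <md:IDPDescriptor>
    <md:SoapEndpoint>
       https://idpcluster.lab.novell.com:8443/nidp/idff/soap
    </md:SoapEndpoint>
    <md:SingleLogoutServiceURL>
       https://idpcluster.lab.novell.com:8443/nidp/idff/slo
    </md:SingleLogoutServiceURL>
    <md:SingleLogoutServiceReturnURL>
       https://idpcluster.lab.novell.com:8443/nidp/idff/slo_return
    </md:SingleLogoutServiceReturnURL>
  </md:IDPDescriptor>
</md:EntityDescriptor>
"""

SAMPLE_ESP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:liberty:metadata:2003-08">
  <md:SPDescriptor>
    <md:SoapEndpoint>
       http://ag1.provo.novell.com:80/nesp/idff/spsoap
    </md:SoapEndpoint>
    <md:SingleLogoutServiceURL>
       http://ag1.provo.novell.com:80/nesp/idff/spslo
    </md:SingleLogoutServiceURL>
    <md:SingleLogoutServiceReturnURL>
       http://ag1.provo.novell.com:80/nesp/idff/spslo_return
    </md:SingleLogoutServiceReturnURL>
  </md:SPDescriptor>
</md:EntityDescriptor>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint_hosts(metadata_xml):
    """Return the set of (scheme, host, port) triples referenced by URL-valued
    elements in the metadata. Whitespace around the URL (as in the fragments
    above) is ignored and a missing port falls back to the scheme default.
    Metadata fetched from a remote party is untrusted input; xml.etree does not
    fetch external entities, so parsing it here does not trigger XXE."""
    hosts = set()
    for element in ET.fromstring(metadata_xml).iter():
        text = (element.text or "").strip()
        if not text.startswith(("http://", "https://")):
            continue
        parts = urlsplit(text)
        if not parts.hostname:
            continue
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        hosts.add((parts.scheme, parts.hostname, port))
    return hosts


def resolve(host):
    """Return the sorted list of addresses the local resolver gives for host,
    or None when the name does not resolve (the failure the ping check looks
    for). Unlike ping, this does not depend on ICMP being permitted."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def check_metadata(metadata_xml):
    """Map every hostname in the metadata to its resolved addresses (or None)."""
    return {host: resolve(host) for _, host, _ in endpoint_hosts(metadata_xml)}


def report(label, metadata_xml):
    """Print one line per endpoint host so the addresses can be compared with
    the expected addresses of Identity Server or Access Gateway."""
    print(f"{label}:")
    for scheme, host, port in sorted(endpoint_hosts(metadata_xml)):
        addrs = resolve(host)
        status = ", ".join(addrs) if addrs else "DOES NOT RESOLVE"
        print(f"  {scheme}://{host}:{port} -> {status}")


if __name__ == "__main__":
    # Run on Access Gateway against the Identity Server metadata, and on
    # Identity Server against the Access Gateway metadata.
    report("Identity Server metadata", SAMPLE_IDP_METADATA)
    report("Access Gateway ESP metadata", SAMPLE_ESP_METADATA)
```

Run the script on each device with the metadata that device must consume. A hostname reported as DOES NOT RESOLVE is the condition that produces the log entries referenced below; a hostname that resolves to an unexpected address points at a stale hosts file entry or a wrong DNS record rather than a missing one.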

To view sample log entries that are logged when a DNS name cannot be resolved, see ESP Cannot Resolve the Base URL of Identity Server.