SAML IDP Metadata
Learn about the metadata publication capabilities of the SAML IDP Service.
Metadata
The SAML IDP Profile can publish metadata when this is enabled in the profile configuration. Once enabled, the metadata
is made available on the Web SSO endpoint under the /metadata sub-path, where SAML Service Providers can discover it
to learn about the SAML IDP Service and to configure their interactions with it.
For example, if the Curity Identity Server instance is hosted at https://idp.example.com, and the SSO endpoint is
deployed at /idp/sso, then the metadata (when enabled) is published at https://idp.example.com/idp/sso/metadata.
The metadata includes the following information about the SAML IDP Service:
| Metadata | Description |
|---|---|
| KeyDescriptor | The key or certificate that can be used to verify signatures on messages sent by the SAML IDP |
| NameIDFormat | The supported NameID format |
| SingleSignOnService | The URL and protocol binding that the SAML IDP supports |
An example of the metadata that the SAML IDP Profile publishes is shown below:

```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/idp/sso/metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <!-- The metadata schema requires the certificate to be wrapped in a ds:KeyInfo element -->
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.com/idp/sso" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.com/idp/sso" />
  </IDPSSODescriptor>
</EntityDescriptor>
```