9.5 Editing a SAML 1.1 Trusted Identity Provider’s Metadata

Access Manager allows you to obtain metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers. Therefore, you can enter metadata manually. The page for this is available if you clicked the Manual Entry option when you created the trusted provider.

IMPORTANT: The SAML 2.0 and Liberty 1.2 protocols define a logout mechanism whereby the service provider sends a logout command to the trusted identity provider when a user logs out at a service provider. SAML 1.1 does not provide such a mechanism. For this reason, when a log-out occurs at the SAML 1.1 service provider, no log-out occurs at the trusted identity provider. A valid session is still running at the identity provider, so the user can return to the service provider without entering credentials again. In order to log out at both providers, the user must navigate to the identity provider that authenticated him to the SAML 1.1 service provider and log out manually.

For conceptual information about how Access Manager uses SAML, see Section B.0, Understanding How Access Manager Uses SAML.

  1. In the Administration Console, click Access Manager > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Metadata.

  2. To reimport the metadata from a URL or text, click View, then click Reimport.

    The system displays the Create Trusted Identity Provider Wizard that lets you obtain the metadata. Follow the on-screen instructions to complete the steps in the wizard.

  3. To edit the metadata manually, click Edit.

    [Figure: SAML 1.1 identity provider manual metadata entry]

  4. Fill in the following fields as necessary:

    Supported Version: Specifies the version of SAML that you want to use.

    Provider ID: (Required) The SAML 1.1 metadata unique identifier for the provider. For example, https://dns.name:port/nidp/saml/metadata.

    Source ID: The SAML Source ID for the trusted provider. The Source ID is a 20-byte value that is used as part of the Browser/Artifact profile. It allows the receiving site to determine which trusted provider issued a received SAML artifact. If none is specified, the Source ID is auto-generated as the SHA-1 hash of the provider ID.

    Metadata expiration: The date upon which the metadata is no longer valid.

    SAML attribute query URL: The URL location where an attribute query is to be sent to the partner. The attribute query requests a set of attributes associated with a specific object. A successful response contains assertions that contain attribute statements about the subject. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://[dns:port]/nidp/saml/soap.

    Artifact resolution URL: The URL location where artifact resolution queries are sent. A SAML artifact is included in the URL query string. The target URL on the destination site that the user wants to access is also included in the query string. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://[dns:port]/nidp/saml/soap.

  5. To specify signing certificate settings, fill in the following fields:

    Attribute authority: Specifies the signing certificate of the partner SAML 1.1 attribute authority. The attribute authority relies on the identity provider to provide it with authentication information so that it can retrieve attributes for the appropriate entity or user. The attribute authority must know that the entity requesting the attribute has been authenticated to the system.

    Identity provider: (Required) Appears if you are editing identity provider metadata. This field specifies the signing certificate of the partner SAML 1.1 identity provider. It is the certificate the partner uses to sign authentication assertions.

  6. Click OK.

  7. On the Identity Servers page, click Update All to update the configuration.
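The Source ID and artifact behaviour described in step 4, as an added example that is not Access Manager code: it derives the 20-byte Source ID as the SHA-1 of the provider ID, assembles a SAML 1.1 type 0x0001 artifact, and shows how a receiving site validates an incoming artifact and matches its Source ID to a configured trusted provider. The provider IDs and the assertion handle are constructed placeholders following the https://dns.name:port/nidp/saml/metadata pattern above.

```python
import base64
import hashlib
import secrets
from typing import Optional

# SAML 1.1 Browser/Artifact profile, artifact type 0x0001 (before base64 encoding):
#   TypeCode (2 bytes) || SourceID (20 bytes) || AssertionHandle (20 bytes)
ARTIFACT_TYPE_1 = b"\x00\x01"
SOURCE_ID_LEN = 20
HANDLE_LEN = 20

def source_id_from_provider_id(provider_id: str) -> bytes:
    """Derive the 20-byte Source ID as the SHA-1 digest of the Provider ID string."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()

def build_artifact(source_id: bytes, handle: Optional[bytes] = None) -> str:
    """Issuer side: assemble a type-1 artifact; the handle is fresh random bytes if not given."""
    if len(source_id) != SOURCE_ID_LEN:
        raise ValueError("Source ID must be exactly 20 bytes")
    if handle is None:
        handle = secrets.token_bytes(HANDLE_LEN)
    if len(handle) != HANDLE_LEN:
        raise ValueError("assertion handle must be exactly 20 bytes")
    return base64.b64encode(ARTIFACT_TYPE_1 + source_id + handle).decode("ascii")

def parse_artifact(artifact: str) -> tuple[bytes, bytes]:
    """Receiving side: decode and validate the artifact before trusting any field."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != len(ARTIFACT_TYPE_1) + SOURCE_ID_LEN + HANDLE_LEN:
        raise ValueError("artifact has unexpected length")
    if raw[:2] != ARTIFACT_TYPE_1:
        raise ValueError("unsupported artifact type code")
    return raw[2:2 + SOURCE_ID_LEN], raw[2 + SOURCE_ID_LEN:]

def resolve_source(artifact: str, trusted: dict[str, bytes]) -> Optional[str]:
    """Map the artifact's Source ID to a configured trusted provider, or None if unknown.
    `trusted` maps Provider ID -> configured Source ID (auto-generated or entered manually)."""
    try:
        source_id, _handle = parse_artifact(artifact)
    except ValueError:  # covers bad base64 (binascii.Error) and the length/type checks
        return None
    return next((pid for pid, sid in trusted.items() if sid == source_id), None)

if __name__ == "__main__":
    # Constructed placeholder provider ID, not a real deployment.
    idp = "https://idp.example.com:8443/nidp/saml/metadata"
    trusted = {idp: source_id_from_provider_id(idp)}
    art = build_artifact(trusted[idp])
    print(art, "->", resolve_source(art, trusted))
```

An artifact whose Source ID matches no configured provider is dropped before any artifact resolution request is sent, which is the check the Source ID field exists to support.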