In this post I wanted to focus a little more on the metadata file and look at the structure and some of the details within the file. If you are new to identity it’s good to find some time to become familiar with the metadata and some of the contents. There are lots of good documents out there but I’m just adding my own contribution here.

Both Microsoft and Okta’s documentation point to a single technical document that defines the SAML 2.0 standard and is an excellent reference guide.

Metadata Schema Relationships

The metadata is an XML file and it’s useful to get a visual feel for how all the components are linked. This is a nice simple reference point I like to use before getting into the detail and can help when you are troubleshooting.

Here’s a metadata file from Azure AD. There are several key elements in the file which are useful to know, some of these I highlighted in Part 2

Azure Federation Metadata


This contains the EntityID value of your IdP\Issuer and supplies security tokens (SAML). You’ll notice that the url is STS is abrievated for Secure Token Service. In this case our IdP is Azure AD and it supplies secure tokens.


When an application or service (SP) receives a SAML token it will need to validate it’s signature to check it’s valid by using the public certificate that is included in the metadata. This is to ensure the token has come from a trusted IdP (Issuer\STS)

SAML Endpoint

These contain the sign-on and sign-out URL’s which are used to authenticate against or logout from the provider. In the example file above this would either logon to Azure AD or logout


This section of the metadata file contains details about the IDP and will include the following sections

  • KeyDescriptor wraps the Public Keys, (X509 certificates), both the IdP and SP will share these.
  • Single Sign On Service
  • Single Logout Service

Hopefully this information will help you, the documents cover more elements around metadata if you want to do more reading on the subject

Part 4 coming soon