In this post I wanted to focus a little more on the metadata file and look at the structure and some of the details within the file. If you are new to identity it’s good to find some time to become familiar with the metadata and some of the contents. There are lots of good documents out there but I’m just adding my own contribution here.
Both Microsoft and Okta’s documentation point to a single technical document that defines the SAML 2.0 standard and is an excellent reference guide.
Metadata Schema Relationships
The metadata is an XML file and it’s useful to get a visual feel for how all the components are linked. This is a nice simple reference point I like to use before getting into the detail and can help when you are troubleshooting.
This contains the EntityID value of your IdP\Issuer, the party that issues the security tokens (SAML). You’ll notice that the URL is https://sts.windows.net/31537af4-6d77-4bb9-a681-d2394888ea26. STS is an abbreviation for Secure Token Service. In this case our IdP is Azure AD and it issues the secure tokens.
When an application or service (SP) receives a SAML token it needs to validate the token’s signature, using the public certificate included in the metadata, to check that the token is valid. This ensures the token has come from the trusted IdP (Issuer\STS).
These contain the sign-on and sign-out URLs, which are used to authenticate against the provider or to log out from it. In the example file above these would log on to Azure AD or log out.
This section of the metadata file contains details about the IdP and includes the following elements:
- KeyDescriptor, which wraps the public keys (X.509 certificates); both the IdP and SP share these.
- Single Sign On Service
- Single Logout Service
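To make the relationships above concrete, here is an added example (not code from the original post or from Microsoft or Okta) that parses a small IdP metadata document and pulls out exactly the pieces discussed: the entityID (Issuer), the X.509 certificates inside KeyDescriptor, and the SingleSignOnService / SingleLogoutService locations per binding. The metadata document, tenant id and certificate bodies are constructed placeholders, not a real tenant or real certificates. Two small helper checks show what an SP should do with the parsed values: compare the Issuer of a received token against the entityID exactly, and only accept a signing certificate that is listed in the metadata rather than one carried inside the token itself.

```python
"""Parse a SAML 2.0 IdP metadata file (EntityDescriptor) with the standard library."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata. The tenant id is all zeros and the X509Certificate
# bodies are placeholders, not real certificates.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-PLACEHOLDER-SIGNING-CERT</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>MIIC-PLACEHOLDER-ENCRYPTION-CERT</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


@dataclass
class IdpMetadata:
    entity_id: str                                   # the Issuer value tokens must carry
    signing_certs: list[str] = field(default_factory=list)
    encryption_certs: list[str] = field(default_factory=list)
    sso: dict[str, str] = field(default_factory=dict)  # Binding URN -> Location
    slo: dict[str, str] = field(default_factory=dict)  # Binding URN -> Location


def parse_idp_metadata(xml_text: str) -> IdpMetadata:
    """Extract entityID, KeyDescriptor certificates and SSO/SLO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    meta = IdpMetadata(entity_id=entity_id)
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # absent 'use' means the key serves both purposes
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())  # drop line breaks in the base64
            if not body:
                continue
            if use in (None, "signing"):
                meta.signing_certs.append(body)
            if use in (None, "encryption"):
                meta.encryption_certs.append(body)
    for el in idp.findall("md:SingleSignOnService", NS):
        meta.sso[el.get("Binding", "")] = el.get("Location", "")
    for el in idp.findall("md:SingleLogoutService", NS):
        meta.slo[el.get("Binding", "")] = el.get("Location", "")
    return meta


def issuer_is_trusted(meta: IdpMetadata, token_issuer: str) -> bool:
    """The Issuer in a received token must equal the metadata entityID exactly."""
    return token_issuer == meta.entity_id


def signing_cert_is_trusted(meta: IdpMetadata, cert_body: str) -> bool:
    """Only certificates published as signing keys in the metadata may verify a token;
    a certificate embedded in the token's own KeyInfo is not evidence by itself."""
    return "".join(cert_body.split()) in meta.signing_certs


if __name__ == "__main__":
    m = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer:", m.entity_id)
    print("Signing certs:", len(m.signing_certs), "Encryption certs:", len(m.encryption_certs))
    for binding, location in m.sso.items():
        print("SSO", binding.rsplit(":", 1)[-1], "->", location)
    for binding, location in m.slo.items():
        print("SLO", binding.rsplit(":", 1)[-1], "->", location)
```

Note that Azure AD metadata often lists its KeyDescriptor without a use attribute; the parser treats that as usable for both signing and encryption, which is what the SAML metadata specification says an absent use means. The two trust helpers are deliberately strict string comparisons: an Issuer that differs by a trailing slash or a certificate not in the metadata is rejected, which is the behaviour you want from an SP.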
Hopefully this information will help you. The documents mentioned above cover more elements of the metadata if you want to do more reading on the subject.
Part 4 coming soon