

Create an Entity by Importing Metadata

You can import data from a metadata file to create a federation entity. Importing the metadata reduces the amount of configuration for creating a partnership.

You can use metadata in the following ways:

The process for creating a metadata-based entity is as follows:

  1. Select a metadata file for configuring a new entity.
  2. Select an entity entry from the metadata file. The file can include several entities, but one entity per file is recommended.
  3. (Optional) Select the certificates to import into the certificate data store. The certificates must be in the metadata file.

    These certificates can be used for authentication request verification, single logout response verification (SAML 2.0), and encryption (SAML 2.0).

  4. Confirm the entity configuration.

Details about these steps are described in the next sections.

Metadata File Selection

The first step to create an entity from metadata is to select the metadata file.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Entities.
  3. Click Import Metadata.

    The Import Metadata dialog opens.

    Click Help for the field descriptions.

  4. Browse for the metadata file you want to use to create the entity.
  5. Select whether to create a new local or remote entity, or update an existing remote entity.

    Note: A metadata import cannot update an existing local entity or an existing partnership; a local import always creates a new local entity. To change an existing local entity, edit the entity directly and modify the settings that you want to change. For remote entities, you can either update an existing entity or create a new one.

  6. Click Next to select entities from the file.

If the metadata file contains expired entries, the next dialog lists them in a separate section. You cannot select expired entries; they are displayed for reference only. If every entity in the file is expired, no entities are displayed. In this case, obtain a current metadata document from the partner and upload it.

Select an Entity to Import

This procedure assumes that you have already selected a metadata file to create an entity. Select the entity from the file.

Follow these steps:

  1. Specify a name for the new entity in the Select Entity Defined in File dialog.

    If you are doing a local import to create an entity, define the partnership name.

  2. Click on the option button to select the entity.
  3. Click Next.

    The Import Certificates dialog appears if you are importing metadata for a remote entity and the file includes certificate data. You can then choose which of those certificate entries to import.

Certificate Imports

The Policy Server uses the imported certificates to verify signatures on messages from the partner (and, for SAML 2.0, to encrypt data sent to it), so import them if the metadata includes them. If the metadata does not include certificates, skip this step and go to the Confirm step.

Follow these steps:

  1. From the Import Certificates step, select the certificate entry or entries from the metadata file that you want to import.

    If the metadata file contains invalid or expired certificate entries, the next dialog lists them in a separate section. You cannot select these entries; they are displayed for reference only. If every certificate entry in the file is invalid, the import wizard skips the certificate selection step.

    Specify a unique alias for each entry that you chose.

  2. Click Next.

    The Confirm dialog displays showing a table of entries.

    Two entries in a metadata file can carry the same certificate. For SAML 1.1 and WS-Federation metadata, every entry shows Signing as the certificate usage, because those profiles do not encrypt data.

    For SAML 2.0, each entry can show a different usage for the certificate, for example, one for signing and one for encryption. If you select two entries that carry the same certificate, the Confirm step shows a single certificate entry whose usage is listed as Signing and Encryption. This entry combines the two entries that you chose and uses the first alias that you specified.

    This situation occurs only if the same certificate was listed in the metadata file for both uses. If the file contains two separate certificates, the confirmation step shows both entries in the table.

    For example, you select two entries from the metadata file without realizing that they hold the same certificate. The first usage is Signing and you assign it the alias cert1. The second usage is Encryption and you assign it the alias cert2. When you confirm the import, the table titled Selected Certificate Data contains an entry similar to the following:

    Alias   Issued To   Usage
    cert1   Jane Doe    Signing and Encryption

    If no usage is specified for a certificate in the metadata file, the usage defaults to Signing and Encryption. This matches the SAML 2.0 metadata convention that a key descriptor without a use attribute applies to both purposes, so check that the partner really intends one certificate for both roles before accepting the default.

  3. Click Next to finish the configuration.
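The following Python example is added here to make the wizard's selection rules concrete; it is not part of this documentation or of the Policy Server product. It reads a constructed SAML 2.0 metadata document and applies the rules described above: entities whose validUntil date has passed are listed but not selectable, a KeyDescriptor with no use attribute defaults to Signing and Encryption, and two selected entries that carry the same certificate collapse into one Signing and Encryption row under the first alias, while two different certificates stay as separate rows. The entity IDs, aliases and base64 certificate placeholders are constructed, and treating only the EntityDescriptor's validUntil as the expiry test is an assumption about how the wizard decides an entry is expired.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata, not from any real deployment. The X509Certificate
# values are base64 placeholders, not real certificates; only whether two entries
# carry the same bytes matters for this example.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUFBQUFBQUFBQQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          QUFBQUFB
          QUFBQQ==
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://old-idp.example.test/saml" validUntil="2015-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.test/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QkJCQkJCQkJCQg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Q0NDQ0NDQ0NDQw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity_descriptors(root):
    """All EntityDescriptor elements, whether the root is one entity or an EntitiesDescriptor wrapper."""
    return list(root.iter(f"{{{NS['md']}}}EntityDescriptor"))


def list_entities(xml_text, now=None):
    """Split a metadata file into selectable and expired entityIDs.

    An entity whose validUntil has passed is reported but cannot be selected.
    Assumption: only the EntityDescriptor's own validUntil is consulted.
    """
    now = now or datetime.now(timezone.utc)
    usable, expired = [], []
    for ed in _entity_descriptors(ET.fromstring(xml_text)):
        until = ed.get("validUntil")
        if until:
            when = datetime.fromisoformat(until.replace("Z", "+00:00"))
            if when.tzinfo is None:  # treat a bare timestamp as UTC so comparison works
                when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                expired.append(ed.get("entityID"))
                continue
        usable.append(ed.get("entityID"))
    return usable, expired


def _usage_label(usages):
    if usages == {"signing", "encryption"}:
        return "Signing and Encryption"
    return next(iter(usages)).capitalize()


def collect_certificates(xml_text, entity_id, aliases):
    """Build the Selected Certificate Data rows for one entity.

    aliases holds the alias typed for each KeyDescriptor, in document order.
    A KeyDescriptor without a use attribute counts as both signing and
    encryption. Entries holding the same certificate bytes collapse into one
    row that keeps the first alias and the union of the usages.
    """
    ed = next(e for e in _entity_descriptors(ET.fromstring(xml_text)) if e.get("entityID") == entity_id)
    key_descs = ed.findall(".//md:KeyDescriptor", NS)
    if len(aliases) != len(key_descs):
        raise ValueError("one alias is required per certificate entry")
    rows, order = {}, []
    for kd, alias in zip(key_descs, aliases):
        b64 = kd.findtext(".//ds:X509Certificate", namespaces=NS) or ""
        if not b64.strip():
            continue  # entry carries no certificate, nothing to import
        der = base64.b64decode("".join(b64.split()))  # drop line wrapping before decoding
        fingerprint = hashlib.sha256(der).hexdigest()  # identity of the certificate bytes
        use = kd.get("use")
        usages = {"signing", "encryption"} if use is None else {use}
        if fingerprint in rows:
            rows[fingerprint]["usages"] |= usages  # same certificate listed twice: merge
        else:
            rows[fingerprint] = {"alias": alias, "sha256": fingerprint, "usages": usages}
            order.append(fingerprint)
    return [{"alias": rows[f]["alias"], "sha256": rows[f]["sha256"],
             "usage": _usage_label(rows[f]["usages"])} for f in order]


if __name__ == "__main__":
    usable, expired = list_entities(SAMPLE_METADATA)
    print("selectable:", usable)
    print("expired (reference only):", expired)
    for row in collect_certificates(SAMPLE_METADATA, usable[0], ["cert1", "cert2"]):
        print(f"{row['alias']:8} {row['sha256'][:16]}...  {row['usage']}")
```

Run against the sample, the IdP's two entries produce a single cert1 row with usage Signing and Encryption, exactly the case the confirmation table above illustrates, while the SP's two distinct certificates remain two rows. When a real import produces a merged row you did not expect, that is the signal to go back and confirm with the partner that one key is meant to serve both roles.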

Confirm the Entity Configuration

Review the entity configuration before saving it.

Follow these steps:

  1. Review the settings in the entity dialog.
  2. Click Back to modify any settings from this dialog.
  3. Click Finish when you are satisfied with the configuration.

A new entity is configured.