

Export Metadata to Aid Partnership Configuration

This section contains the following topics:

Metadata Export Overview

Entity-level Metadata Export

Partnership-Level Metadata Export

How To Enable WS-Federation Metadata Exchange

Metadata Export Overview

A local entity generates metadata to help a remote entity create its entities and form partnerships. Metadata makes the partnership configuration more efficient because many aspects of the partnership are defined in the metadata file. A remote partner can import metadata and can create a partnership or a remote entity that is based on the information in a metadata document.

You can export metadata from an existing local asserting or relying entity.

The Administrative UI offers several options for exporting metadata: you can export a metadata file from a local entity, export a metadata file from a local partnership, or let a WS-Federation partner retrieve the metadata over the metadata exchange profile. Regardless of whether you send metadata using a file or using the metadata exchange profile, the end goal of acquiring metadata is the same.

Note: For SAML 1.1, the terms in a metadata file are SAML 2.0 terms. This convention adheres to the SAML specification. When you import the SAML 1.1 data, the terms are imported correctly using SAML 1.1 terminology.

Entity-level Metadata Export

You can export data from a local entity. When you export metadata at the entity level, provide a partnership name for the data you are exporting. The export at this level defines basic partnership data.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Entities.
  3. Click the Action pull-down menu next to any local entity in the list and select Export Metadata.

    The Export Metadata dialog opens.

  4. Specify a new partnership name. The metadata file that results from the export contains information to establish a basic partnership.
  5. Complete the remaining fields on the dialog. Be sure to fill in the settings in the Metadata Export Options section of the dialog.

    Note: Click Help for a description of fields.

  6. Click Export.
  7. A dialog prompts you to open or save the metadata file.

    Open the file only if you want to view it.

  8. Save the data to an XML file on your local system.

The metadata is exported to the specified XML file. You can send this file to any partner.

Partnership-Level Metadata Export

You can export data from a local partnership. The export at this level defines basic partnership data.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Partnerships.
  3. Select the Action pull-down menu next to any partnership in the list.
  4. Select Export Metadata.

    The Export Metadata dialog opens.

  5. Review the information. The metadata file that results from the export contains information to establish a basic partnership.
  6. Complete the settings in the Metadata Export Options section for signing the metadata document and validating it.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  7. Click Export.
  8. A dialog prompts you to open or save the metadata file.

    Open the file only if you want to view it.

  9. Save the data to an XML file on your local system.

The metadata is exported to the specified XML file. You can send this file to any partner.

How To Enable WS-Federation Metadata Exchange

The Policy Server supports the Web Services Metadata Exchange profile for WS-Federation partnerships. This web service enables the CA SiteMinder® local partner to respond to requests from a remote partner for metadata. The exchange occurs as an HTTP request and response.

The use of the HTTP protocol lets a remote entity configure the federation programmatically. An application can use the URL to gather the necessary information.

The following graphic shows the configuration steps for metadata exchange.

[Graphic: Configuration steps for WSFED metadata exchange]

Complete the following configuration for metadata exchange:

  1. Review the metadata exchange transaction flow.
  2. Give the metadata exchange URL to your partner.
  3. Enable WSFED metadata exchange.

Metadata Exchange Transaction Flow

A metadata exchange transaction has the following process flow:

  1. A remote partner sends a request to the metadata exchange URL provided by the local partner.
  2. The local partner sends the metadata back in an HTTP response to the remote partner. The Policy Server secures the metadata by signing the response. The certificate that lets the remote partner verify the response is in the response.

    The Policy Server generates the metadata document at the time of the request. This document is not stored at the local partner.

  3. The remote partner verifies the signature of the response. Assuming the signature is valid, it parses the metadata document and uses the information to establish entities and partnerships.

Give the Metadata Exchange URL to Your Partner

Before any metadata transaction occurs, give the URL for metadata exchange requests to your remote partners. A federated partner must send the request to the following URL:

https://server:port/affwebservices/public/FederationMetadata/partnership_name

server:port

Name of the system hosting the metadata exchange service.

partnership_name

Name of a configured partnership.
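The transaction flow and the URL form described above, as an added Python example that is not CA SiteMinder code or output from this documentation: it builds the metadata exchange URL from server, port and partnership name, then inspects a constructed WS-Federation metadata response the way a remote partner should before using it. The sample document, the certificate bytes, the entityID and the endpoint address are all constructed; the namespaces are the standard SAML 2.0 metadata, XML-DSig, WS-Federation and WS-Addressing ones. The check it adds to step 3 of the flow is that the certificate carried inside the signed response cannot vouch for itself: the remote partner compares its fingerprint with one obtained from the local partner out of band, and refuses a response that carries no signature at all. The cryptographic verification of the XML signature itself requires an XML-DSig library and is not included.

```python
"""Added example (not CA SiteMinder code): inspect a WS-Federation metadata
exchange response before trusting it. All sample data is constructed."""
import base64
import hashlib
import re
from urllib.parse import quote
import xml.etree.ElementTree as ET

# Standard namespaces used by WS-Federation metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}


def metadata_exchange_url(server: str, port: int, partnership_name: str) -> str:
    """Build the request URL in the form documented above; the partnership
    name is percent-encoded so that it cannot alter the path."""
    return (f"https://{server}:{port}/affwebservices/public/FederationMetadata/"
            f"{quote(partnership_name, safe='')}")


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


# Constructed stand-ins for DER certificate bytes (not real X.509 data).
CONSTRUCTED_CERT_DER = b"constructed-local-partner-signing-certificate"
CONSTRUCTED_CERT_B64 = base64.b64encode(CONSTRUCTED_CERT_DER).decode()
ROGUE_CERT_B64 = base64.b64encode(b"constructed-rogue-certificate").decode()

# Trust anchor: the fingerprint the local partner handed over out of band.
# It is deliberately NOT taken from the response being checked.
TRUSTED_FINGERPRINTS = {sha256_fingerprint(CONSTRUCTED_CERT_DER)}

# Constructed metadata response, shaped like a signed EntityDescriptor.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://idp.example.com/wsfed">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>Y29uc3RydWN0ZWQtc2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CERT_B64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType">
    <fed:PassiveRequestorEndpoint><wsa:EndpointReference>
      <wsa:Address>https://idp.example.com/affwebservices/public/wsfedsso</wsa:Address>
    </wsa:EndpointReference></fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>
""".replace("CERT_B64", CONSTRUCTED_CERT_B64)

# Simulated substitution: same document, different embedded certificate.
ROGUE_RESPONSE = SAMPLE_RESPONSE.replace(CONSTRUCTED_CERT_B64, ROGUE_CERT_B64)
# Same document with the Signature element stripped.
UNSIGNED_RESPONSE = re.sub(r"<ds:Signature>.*?</ds:Signature>", "", SAMPLE_RESPONSE, flags=re.S)


def inspect_metadata(xml_text: str, trusted_fingerprints: set) -> dict:
    """Parse a metadata response and decide whether its signing certificate
    matches a trust anchor. Unsigned responses are refused outright."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("response is not an EntityDescriptor")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("metadata response is not signed; refuse it")
    cert_el = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("signature carries no certificate to verify against")
    der = base64.b64decode("".join(cert_el.text.split()))
    fingerprint = sha256_fingerprint(der)
    addr = root.find(".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    return {
        "entity_id": root.get("entityID"),
        "signing_cert_fingerprint": fingerprint,
        # Only a certificate matching an out-of-band anchor may be used to
        # verify the XML signature; the response cannot vouch for itself.
        "trusted": fingerprint in trusted_fingerprints,
        "sso_endpoint": addr.text.strip() if addr is not None and addr.text else None,
    }


if __name__ == "__main__":
    print(metadata_exchange_url("fed.example.com", 443, "partner-acme"))
    for label, doc in (("sample", SAMPLE_RESPONSE), ("rogue", ROGUE_RESPONSE)):
        print(label, inspect_metadata(doc, TRUSTED_FINGERPRINTS))
```

Running the module prints the constructed URL and the inspection result for both documents: the sample is reported as trusted, while the variant with a substituted certificate is well-formed and still carries a Signature element but is reported as untrusted, because the fingerprint pinned in TRUSTED_FINGERPRINTS is what decides, not the contents of the response.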

Enable WSFED Metadata Exchange

Enable the metadata exchange feature at a local WS-Federation partner.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select the WSFED partnership that you want to modify.
  3. In the Configure Partnership step of the partnership wizard, select the Enable Metadata Exchange check box.
  4. Navigate to the Confirm step and click Finish.
  5. Return to the main Partnership Federation tab (Federation, Partnership Federation).
  6. Select Metadata Exchange Configuration in the left pane.

    The Metadata Exchange Configuration screen displays.

  7. Provide the values to sign the response.
  8. Click Save.

Metadata exchange is now configured for the partnership.