You can use the export tool in the following situations:
To facilitate federation with sites acting as Service Providers, use the tool to produce a metadata file containing information about the profiles supported by the Identity Provider. The XML output that the export tool generates describes the Identity Provider. Sites acting as Service Providers can import this metadata file to establish a relationship with the Identity Provider.
A SiteMinder Identity Provider generates a metadata file based on an existing Service Provider object defined in the Identity Provider's policy store. Using the Service Provider object reduces the amount of data that a user must enter, because many of the settings for the Identity Provider metadata file can be derived from the existing Service Provider. Also, the default names of the servlets provided by SiteMinder are used.
Use of the export tool in this way assumes that the Identity Provider's existing relationship with a Service Provider will be similar to the relationship being established, and that the URLs of the servlets for SSO and SLO services are the SiteMinder default servlet names prepended with the IP address and port of the Federation Web Services application, that is,
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
A SiteMinder Service Provider can facilitate federation with sites acting as Identity Providers by producing a metadata file containing information about the profiles it supports. An Identity Provider can import the metadata file to establish a relationship with the Service Provider.
A SiteMinder Service Provider generates a metadata file based on an existing SAML 2.0 Authentication Scheme object already defined in the Service Provider's policy store. Using the Service Provider object reduces the amount of data that a user must enter, because many of the settings for the SP metadata file can be derived from the existing SAML 2.0 authentication scheme, and the default names of the servlets provided by SiteMinder are used.
Use of the export tool in this way assumes that the Service Provider's existing relationship with an Identity Provider will be similar to the relationship being established, and that the URLs of the servlets for SSO and SLO services are the SiteMinder default servlet names prepended with the IP address and port of the Federation Web Services application, such as,
Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.
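Because the exported file derives its SSO and SLO URLs from an assumed host and port, a site importing the file can check those endpoints before establishing the relationship. The following Python check is an added example, not part of the export tool or CA's code; `audit_metadata` is a hypothetical helper, and the sample metadata, host names and servlet paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")
SERVICES = ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService")
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample: entityID, hosts and servlet paths are placeholders,
# not SiteMinder default servlet names.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp.example.test">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fws.example.test:443/placeholder/slo"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://fws.example.test:80/placeholder/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://other.example.test:443/placeholder/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def audit_metadata(xml_text, expected_host, expected_port=443):
    """Return (entityID, findings); findings lists endpoints that fail a check."""
    # Partner metadata is untrusted input: refuse DTD and entity declarations.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    findings = []
    for role in ROLES:
        for desc in root.findall(MD + role):
            for svc in SERVICES:
                for ep in desc.findall(MD + svc):
                    loc = ep.get("Location", "")
                    url = urlsplit(loc)
                    problems = []
                    if url.scheme != "https":
                        problems.append("not https")
                    if url.hostname != expected_host:
                        problems.append("unexpected host")
                    if (url.port or DEFAULT_PORTS.get(url.scheme)) != expected_port:
                        problems.append("unexpected port")
                    if problems:
                        findings.append((role, svc, loc, problems))
    return root.get("entityID"), findings


if __name__ == "__main__":
    print(audit_metadata(SAMPLE, "fws.example.test", 443))
```

The check covers endpoint scheme, host and port only; it does not verify an XML signature on the metadata.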
The following figure shows a metadata file generated only from user input.
The following figure shows a metadata file that is generated from a combination of user input and data from an existing Service Provider object.
Copyright © 2010 CA. All rights reserved.