Downloading SAML IDP metadata
This article explains how to download SAML IDP metadata using either the administrator UI or API call in Cloud Identity Plane.
Download CIP SAML metadata
CIP SAML metadata information has to be provided to SAML-enabled Identity Providers for registering CIP as Service Provider.
CIP metadata can be downloaded from the CIP System in two different ways:
-
Via Administrative UI
-
Via API call
GET https://<cloudentity-federation-host>/federation/metadata/<registered-idp-hash>
Note
CIP SP metadata is available for download only after you have completed the external Identity Provider registration process within CIP.
Sample metadata
Below you can find a sample of how a SAML metadata file can look like.
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_la1yllgdzemh9ggyk1ipymrs1ljkummvwvcuwxw" entityID="urn:mace:saml:3b4ts14l0jveaad65c5a" validUntil="2037-05-23T04:56:21.422Z">
<md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" />
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
<alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
</md:Extensions>
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
<init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="http://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" />
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>REPLACE_CE_IDP_X509_SIGNING_CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>REPLACE_CE_IDP_X509_ENCRYPTION_CERT</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" index="0" />
</md:SPSSODescriptor>
</md:EntityDescriptor>
SAML Metadata terms
| Name | Description | Sample value |
|---|---|---|
| EntityID | Unique name representing the federation agreement | entityID="urn:mace:saml:3b4ts14l0jveaad65c5a" |
| Assertion Consumer URL/ACS/Binding URL | SAML assertion listening endpoint. This value can be found within the Location block of AssertionConsumerService |
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" index="0"/> |