Downloading SAML IDP metadata

Purpose

This article explains how to download SAML IDP metadata using either the administrator UI or API call.

Download Cloudentity SAML metadata

Cloudentity SAML metadata information has to be provided to SAML-enabled Identity Providers for registering Cloudentity as Service Provider.

Cloudentity metadata can be downloaded from the Cloudentity System in two different ways:

  • Via Administrative UI

    image

  • Via API call

    GET https://<cloudentity-federation-host>/federation/metadata/<registered-idp-hash>
    

Note

Cloudentity SP metadata is available for download only after you have completed the external Identity Provider registration process within Cloudentity.

Sample metadata

Below you can find a sample of how a SAML metadata file can look like.

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_la1yllgdzemh9ggyk1ipymrs1ljkummvwvcuwxw" entityID="urn:mace:saml:3b4ts14l0jveaad65c5a" validUntil="2037-05-23T04:56:21.422Z">
   <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
   </md:Extensions>
   <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
      <md:Extensions xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init">
         <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="http://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" />
      </md:Extensions>
      <md:KeyDescriptor use="signing">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>REPLACE_CE_IDP_X509_SIGNING_CERT</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>REPLACE_CE_IDP_X509_ENCRYPTION_CERT</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" index="0" />
   </md:SPSSODescriptor>
</md:EntityDescriptor>

SAML Metadata terms

Name Description Sample value
EntityID Unique name representing the federation agreement entityID="urn:mace:saml:3b4ts14l0jveaad65c5a"
Assertion Consumer URL/ACS/Binding URL SAML assertion listening endpoint. This value can be found within the Location block of AssertionConsumerService <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://federation.cloudentity.com/federation/callback?client_name=3b4ts14l0jveaad65c5a" index="0"/>