Metadata Repositories

In PAS you may configure metadata repositories to sandbox a subset of all your uploaded SAML Metadata so that a certain IDP or SP only recognizes metadata contained in that particular repository. This can be useful in cases where you have multiple SAML integrations in the same deployment, and want to limit which SPs can interact with which IDPs, and vice versa.

Metadata repositories can be configured in the configuration manager, and then added to the configuration of your desired IDP or SP. If no repository is specified, the main repository will be used. The main repository contains all metadata uploaded to the PAS deployment.

Configuration

The easiest way to configure which metadata repository to use is in the configuration UI of a SAML IDP or an SPBroker. Below is a reference on how to configure it directly in advanced mode:

SAML IDP

On a SAML IDP, the repository is selected with the metadataRepositoryId key when editing the configuration directly in Advanced mode:

{
    "assertionProfiles" : [ {
      "id" : "default",
      "use_if_expr" : "true",
      "additionalAttributes" : [{
              "name": "urn:oid:2.5.4.42",
              "friendlyName": "givenName",
              "itemAttribute": "givenName"
      }],
      "signResponse" : "true",
      "signAssertion" : "true",
      "encryptAssertion" : "false",
      "defaultSPID" : "myapps"
    } ],
    "id" : "my_internal_idp_id",
    "name" : "Saml IDP",
    "keystore" : "5f615cf9-7868-4c73-87e4-f0cceea45ac9",
    "metadataRepositoryId": "someRepository",
    "entityID" : "https://mydomain.com/authentication/saml/my_internal_idp_id",
    "requireSigned" : "false",
    "authenticatorId" : "my-authenticator-alias",
    "postSSOURL" : "https://mydomain.com/authentication/saml/my_internal_idp_id/login",
    "redirectSSOURL" : "https://mydomain.com/authentication/saml/my_internal_idp_id/login",
    "postSLOURL" : "https://mydomain.com/authentication/saml/my_internal_idp_id/logout",
    "redirectSLOURL" : "https://mydomain.com/authentication/saml/my_internal_idp_id/logout",
    "strictValidation" : "false",
    "allowSSO" : "true"
}

SAML SP

On a SAML SP, the repository is selected with the same metadataRepositoryId key when editing the configuration directly in Advanced mode:

{
    "id" : "spbroker",
    "name" : "SAML Service provider",
    "keystoreSign" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
    "keystoreEncrypt" : "af8fedd2-7234-46bf-a254-b2568dfd3dc1",
    "entityID" : "https://localhost:8443/samlsp/spbroker",
    "baseURL" : "https://localhost:8443",
    "allowIncomingLogoutRequests": "true",
    "wantsAuthnRequestsSigned" : "true",
    "metadataRepositoryId": "someRepository",
    "sloUrls" : [ "https://localhost:8443/authentication/samlsp/spbroker/slo" ],
    "assertionConsumerServiceUrls" : [ "https://localhost:8443/authentication/samlsp/spbroker/acs" ]
}

When the repository is used for a SAML SP, metadataRepositoryId must also be set in the config of the AssertionConsumer valve, as follows:

{
    "name" : "AssertionConsumer",
    "config" : {
        "clock_skew_minutes" : "0",
        "metadataRepositoryId" : "myRepository"
    }
}
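The lookup rule described above (a component recognizes only the metadata in its configured repository, and falls back to the main repository, i.e. all uploaded metadata, when none is set) as an added example, not code from PAS itself. The repository contents and entityIDs are constructed, and the lint treats a differing repository id on the SP and its AssertionConsumer as a finding, which is this example's assumption rather than a rule stated by the product.

```python
import json

# Constructed input: the SP and AssertionConsumer configs from this page,
# reduced to the keys that matter here and embedded so the example runs offline.
SP_CONFIG = json.loads("""{
    "id": "spbroker",
    "entityID": "https://localhost:8443/samlsp/spbroker",
    "metadataRepositoryId": "someRepository"
}""")
ASSERTION_CONSUMER = json.loads("""{
    "name": "AssertionConsumer",
    "config": {"clock_skew_minutes": "0", "metadataRepositoryId": "myRepository"}
}""")

# Constructed repositories: "main" holds every uploaded entityID (hypothetical
# values), a named repository holds the subset a sandboxed component may see.
MAIN_REPOSITORY = "main"
REPOSITORIES = {
    "main": {"https://idp.example.org/saml", "https://partner-idp.example.net/saml",
             "https://localhost:8443/samlsp/spbroker"},
    "someRepository": {"https://idp.example.org/saml"},
}

def recognized_entities(config, repositories, main=MAIN_REPOSITORY):
    """entityIDs the component accepts: its repository if set, else main (everything)."""
    repo_id = config.get("metadataRepositoryId") or main
    if repo_id not in repositories:
        raise KeyError(f"metadataRepositoryId {repo_id!r} is not a configured repository")
    return set(repositories[repo_id])

def is_trusted(config, repositories, entity_id):
    return entity_id in recognized_entities(config, repositories)

def lint_sp(sp_config, assertion_consumer, repositories):
    """Review findings: missing sandbox (main repository, all metadata, is used),
    unknown repository ids, and an SP/AssertionConsumer mismatch (assumed to be an error)."""
    findings = []
    sp_repo = sp_config.get("metadataRepositoryId")
    ac_repo = assertion_consumer.get("config", {}).get("metadataRepositoryId")
    for where, repo in (("SAML SP", sp_repo), ("AssertionConsumer", ac_repo)):
        if repo is None:
            findings.append(f"{where}: no metadataRepositoryId, main repository (all metadata) is used")
        elif repo not in repositories:
            findings.append(f"{where}: repository {repo!r} does not exist")
    if sp_repo and ac_repo and sp_repo != ac_repo:
        findings.append(f"SAML SP uses {sp_repo!r} but AssertionConsumer uses {ac_repo!r}")
    return findings
```

Running lint_sp over the two configs as they appear on this page reports that myRepository is not a defined repository and that it differs from the SP's someRepository.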