A SAML metadata file describes a client: its entity ID, its credential, and so on. It also contains a couple of URLs so that the server knows where to send different requests, e.g., log-in requests, attribute query requests, etc. You need to import this metadata into your SAML component so that it knows which client it should talk to.
Another purpose is to establish a trust relationship between the Service Provider (SP) and the Identity Provider (IdP). In this case, SAML metadata is used to exchange configuration information between the SP and the IdP, and vice versa. The metadata can be signed and encrypted so that the data is transferred securely. The receiving side may need the corresponding key material to validate and decrypt it; once validated, the metadata can be used to understand and establish the connection with the SP or IdP.
To import a SAML IDP metadata file:
- Click User Authentication > SAML.
- Select the IDP Metadata tab.
- Click Import.
- Follow the instructions onscreen to import the IDP metadata file.
Note: With the 5.0.0 release, FortiADC has enhanced its SAML IDP file parsing and SP metadata format. For IDP files, it now accepts any XML with or without the default namespace set to 'md'. For SP metadata, the SP metadata no longer uses the default namespace 'md', and the non-standard extension has been removed. In addition, signing and encryption information is now required in the SP metadata, which is also a required setting for some IDPs.
This enhancement changes the SP metadata XML file. If you have an existing SAML configuration in an earlier version and upgrade to 5.x.x, you MUST reconfigure your SAML service providers after the upgrade and import the new SP metadata XML file.