SAML Metadata information

This document consolidates information about how PhenixID Authentication Services provides SAML metadata and how PhenixID Authentication Services consumes metadata from a federated partner.

System requirements

- PhenixID Server v 2.8 or higher installed.

- One or more PAS SAML Authenticators configured (depending on your authentication scenario).

Overview

PhenixID Authentication Services (PAS) can act as different SAML entities (both SAML IDP, SAML SP or SAML SP-Broker).
PAS metadata is provided on different url:s depending on the entity used.

The process of consuming metadata from external entitites is also described below.

Metadata link for PAS Identity Provider (IDP)

Fetch your idp metadata by opening the URL:

https://<pas-server>/saml/authenticate/<saml-authenticator-alias>?getIDPMeta

Note: The link is case sensitive


Metadata link for PAS Service Provider (SP)

Fetch your sp metadata by opening the URL:

https://<pas-server>/saml/authenticate/<saml-application-alias>?getSPMeta

Note: The link is case sensitive


Metadata link for PAS SPBroker

Fetch your SPBroker metadata by opening the URL:

https://<pas-server>/saml/authenticate/<saml-broker-alias>?getMeta

Note: The link is case sensitive

Metadata consumption

After importing metadata into PAS, the update of metadata is done following the rules in the imported metadata:

- Look after cacheDuration and validUntil in metadata for external entitites.


If you want to verify when the metadata was updated, search for |MetaLoader] in server.log.
The information is only shown when PAS logging is set to debug mode.


The metadata update in PAS can be manually triggered by changing an existing metadata in Scenarios, Federation, SAML metadata upload.
Choose the metadata that you want updated and change for example the description.
Save the change and the metadata will be updated in background.