Customer Metadata Requirements

Article Number: KB0017671
Published on: 2023-09-06
Last modified: 2023-09-06 15:47:13
Knowledge Base: IT Public Self Help

The requirements for service provider (SP) metadata submitted for integration with the Enterprise Authentication Service are listed below. Meeting them provides several important benefits: it greatly reduces the time needed to configure the integration, and it makes service providers the owners of their own contact information.


Requirements (number, title, user story, importance, notes):

1. Metadata has an encryption certificate
   User story: This enables SAML assertions to be encrypted within the SAML response.
   Importance: Must have (see note 1)
   Notes: See SP Encryption Key and Certificate.

2. Metadata has a signing certificate
   User story: This ensures that communicating entities can verify each other's identity programmatically.
   Importance: Must have (see note 1)
   Notes: See SP Signing and Back-Channel TLS Keys and Certificates.

3. Metadata passes schema validation
   User story: This ensures metadata interoperability as we process it and enables future extensibility for other metadata-managing services we may employ.
   Importance: Must have
   Notes: Customer metadata must be schema-valid. One way to validate it is to use XMLSecTool.

4. Metadata is signed
   User story: Provides additional assurance about the source of the metadata.
   Importance: Nice to have
   Notes: See Signature Verification.

5. Contacts and Organization
   User story: These contacts will be our source of contact information. This is how we will contact service owners regarding their SSO integration with Enterprise Authentication.
   Importance: Must have
   Notes: See Contacts and Organizations.

6. Service Provider is part of a federation that we consume
   User story: This reduces the overhead of managing metadata. It also guarantees compliance with the requirements above.
   Importance: Nice to have

7. Metadata requests attributes
   User story: This supports metadata-driven configuration.
   Importance: Future enhancement


Metadata correctness guidelines and examples can be found at



1: Some SAML SPs use the same certificate for both signing and encryption. This is not uncommon and is allowed by the SAML specification. Of those SPs, some publish that certificate in a single KeyDescriptor element covering both uses rather than in separate signing and encryption entries. This is also valid per the specification and does meet the Customer Metadata Requirements. Please refer to Encryption KeyDescriptor Type for more information.
