Managing Metadata - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual

5.4.4 Managing Metadata

The Liberty, SAML 1.1, and SAML 2.0 protocols contain pages for viewing and reimporting the metadata of the trusted providers. Only the SAML 1.1 protocol allows you to edit the metadata.

"Viewing and Reimporting a Trusted Provider's Metadata" on page 156
"Editing a SAML 1.1 Identity Provider's Metadata" on page 156
"Editing a SAML 1.1 Service Provider's Metadata" on page 158

Viewing and Reimporting a Trusted Provider's Metadata

You might need to reimport a trusted provider's metadata if you learn that it has changed. The metadata changes when you change the provider to use HTTPS rather than HTTP and when you change the certificate that it is using for SSL. The steps for reimporting the metadata are similar for Liberty and SAML protocols.

1 In the Administration Console, click Devices > Identity Servers > Edit > [Liberty, SAML 1.1, or SAML2].
2 Click the trusted provider, then click the Metadata tab.
This page displays the current metadata the trusted provider is using.
3 To reimport the metadata, click Reimport.
Follow the prompts to import the metadata.
4 Specify the new metadata information as described in Section 5.3, "Creating a Trusted Provider," on page 145.
5 Confirm metadata certificates, then click Finish.

Editing a SAML 1.1 Identity Provider's Metadata

Access Manager allows you to obtain metadata for SAML 1.1 providers. However, metadata for SAML 1.1 might not be available for some trusted providers. Therefore, you can enter metadata manually. The page for this is available if you clicked the Manual Entry option when you created the trusted provider.

IMPORTANT: The SAML 2.0 and Liberty 1.2 protocols define a logout mechanism whereby the service provider sends a logout command to the trusted identity provider when a user logs out at a service provider. SAML 1.1 does not provide such a mechanism. For this reason, when a logout occurs at the SAML 1.1 service provider, no logout occurs at the trusted identity provider. A valid session is still running at the identity provider, and no credentials need to be entered. In order to log out at both providers, the user must navigate to the identity provider that authenticated him to the SAML 1.1 service provider and log out manually.

For conceptual information about how Access Manager uses SAML, see Appendix C, "Understanding How Access Manager Uses SAML," on page 313.

1 In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > Metadata.
You can reimport the metadata (see Step 2) or edit it (see Step 4).
2 To reimport the metadata from a URL or text, click Reimport on the View page.

156 Novell Access Manager 3.1 SP1 Identity Server Guide
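Step 5 of the reimport procedure asks you to confirm the metadata certificates before clicking Finish, and the introduction notes that metadata changes when a provider moves from HTTP to HTTPS or replaces its SSL certificate. The script below is an added example, not part of the Novell guide or of Access Manager; it shows what an administrator can verify in a metadata document before accepting it. It parses a constructed SAML 2.0 metadata file (hypothetical provider idp.example.test; the X509Certificate element holds a placeholder blob, not a real certificate) using only the Python standard library, lists every endpoint, flags any endpoint that still uses plain HTTP, and compares the SHA-256 fingerprint of the signing certificate with a fingerprint obtained out of band from the provider's administrator.

```python
"""Pre-import checks on a trusted provider's SAML 2.0 metadata.

Added example, not from the Novell Access Manager guide. The metadata,
the provider name and the certificate content are all constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata for a hypothetical identity provider. The
# X509Certificate text is base64 of a placeholder string, not a real DER
# certificate; the checks below only fingerprint it, they do not parse it.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/nidp/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/nidp/saml2/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/nidp/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text):
    """Parse the metadata document and return its EntityDescriptor root."""
    return ET.fromstring(xml_text)


def entity_id(root):
    """The entityID attribute identifies the provider being trusted."""
    return root.get("entityID")


def signing_certs(root):
    """Return the DER bytes of each signing certificate in the metadata.

    A KeyDescriptor without a 'use' attribute covers both signing and
    encryption, so it is treated as a signing key too. Whitespace inside
    the base64 block (very common in real metadata) is removed first.
    """
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((cert.text or "").split())))
    return certs


def fingerprint(der_bytes):
    """SHA-256 fingerprint (lowercase hex) of a certificate's DER bytes."""
    return hashlib.sha256(der_bytes).hexdigest()


def endpoints(root):
    """(element name, Binding, Location) for every *Service endpoint."""
    found = []
    for el in root.iter():
        name = el.tag.split("}")[-1]
        if name.endswith("Service") and el.get("Location"):
            found.append((name, el.get("Binding"), el.get("Location")))
    return found


def review(xml_text, pinned_fingerprint):
    """Decide whether the metadata is safe to reimport.

    pinned_fingerprint is the SHA-256 fingerprint you obtained from the
    provider's administrator through a channel other than the metadata
    itself. The result is accepted only if that fingerprint matches one of
    the signing certificates and every endpoint uses HTTPS.
    """
    root = parse_metadata(xml_text)
    fps = [fingerprint(c) for c in signing_certs(root)]
    insecure = [loc for _, _, loc in endpoints(root) if urlparse(loc).scheme != "https"]
    return {
        "entity_id": entity_id(root),
        "fingerprints": fps,
        "cert_ok": pinned_fingerprint in fps,
        "insecure_endpoints": insecure,
        "accept": pinned_fingerprint in fps and not insecure,
    }


if __name__ == "__main__":
    pinned = fingerprint(signing_certs(parse_metadata(SAMPLE_METADATA))[0])
    for key, value in review(SAMPLE_METADATA, pinned).items():
        print(f"{key}: {value}")
```

With the constructed sample the certificate check passes but the review is still rejected, because the SingleSignOnService Location is an http:// URL; that is exactly the case the guide's note about switching a provider from HTTP to HTTPS describes, and a reimport that leaves such an endpoint in place should be questioned rather than confirmed. A pinned fingerprint is only useful if it came from outside the metadata you are checking; comparing the file with itself proves nothing.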
