Setting up the configuration data for a connection can be a complicated affair where much care has to be made in setting the correct values in each parameter. There is, however, a simpler method, namely importing these values to the connection. If you have a file with the settings or know the URI where the settings can be extracted from, simply open the right-click menu of the SAML2.0/WS-Federation connection on the connection list and then select “Upload metadata” from the context menu.
A form like the one shown below will appear.
You can select either the “Upload from URL” or “Upload from file” option to update metadata for the selected connection. In both cases, the configuration settings will be automatically set.
- Upload from file: If you have a metadata file, you can click the 'Browse' button to locate it.
- Upload from URL: User can select this option and fill in the URL to upload the published metadata online or on a local network. The URL value is also cached in the “Cached Metadata URL” field on the Connection page.
Whenever you select an option, the fields that should not be used will be grayed out (read-only). There is also a “Help” icon to describe each option in more detail.
You can also able to select metadata options to choose how strict Identify should be in validating the metadata. Validation options for the metadata include the following:
- Accept untrusted certificates: When this option is enabled, Identify will accepts that metadata includes untrusted certificates. When this option is not enabled, the upload metadata process will fails if untrusted certificates are included.
- Skip signature validation:When this option is enabled, Identify ignores validating the signature. Otherwise, the upload metadata fails if the signature is invalid.
- Import certificate to store:When this option is enabled, you can select an appropriate store to import the certificates to, which will read from metadata to server. Use this option when the certificates, which are included in metadata, have not been imported to the store yet.
- Store location: CurrentUser/LocalMachine
- Store name: TrustedPeople
You can select Store location “CurrentUser” or “LocalMachine” for the Store location.
Note: When LocalMachine is selected, the upload metadata will fail and an “Access denied” error message will be thrown if the current AppPool Identity account does not have enough privileges to import certificates to the LocalMachine store.
After clicking the "Upload" button, another form with a progress bar will be displayed to show that Identify is processing the request (getting metadata/validating).
When the upload is successful, the system will display a message similar to the one illustrated below.
If any error happens during the upload progress, the system will send display details of the error to the user. The user can then either click the “Back” button to go back to the main form and change the settings for the upload, or click the “Cancel” button to close the error form and go back to the Connection List page.
Errors that might occur include the following:
- Unreachable metadata endpoint (Upload from URL)
- Untrusted certificate (if "Accept untrusted certificates" is not enabled)
- Access denied (if the user does not have enough privileges to import certificates to the LocalMachine store).
- Failed signature validation (if signed)
- Metadata file misses elements.
- Invalid metadata file, e.g, invalid metadata format or importing to wrong connection type/subtype.
- EntityID was already used in another connection that has the same type and subtype.