
Set up SAML

To set up a connection using SAML 2.0, you need to exchange metadata with Signicat. This process, known as trust establishment, allows the two parties to express trust for each other. The metadata also describes the type and format of the SAML 2.0 request and response.

You can choose how to establish trust in the SAML 2.0 configuration in the Signicat Dashboard. You have the option to either self-host or upload the metadata in the Dashboard.

On this page, you'll find instructions to set up SAML 2.0 in the Dashboard. You'll learn how to share or create the metadata and prepare yourself to connect to eIDs through the Signicat eID Hub. You can also watch a video that shows how to set up SAML 2.0 in the Tutorial videos section.

New customers

If you are new to Signicat, learn more in the Get started with Signicat page.

SAML metadata

In SAML 2.0, the service provider (SP) and the identity provider (IdP) establish a connection by exchanging metadata with each other. The metadata must follow the format defined in the SAML 2.0 OASIS specification.

Examples of metadata

Below, you can find an example of a service provider metadata file configured with the POST binding (the ARTIFACT binding uses the same structure with a different Binding value on the AssertionConsumerService). The uppercase values are placeholders:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_9ef5602b6f9ed8b75334f563f91322d2"
                     entityID="ENTITY_ID">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    XML_SIGNATURE
  </ds:Signature>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>KEY_NAME</ds:KeyName>
        <ds:X509Data>
          <ds:X509Certificate>
            X509_CERTIFICATE
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://SP_APP_DOMAIN/saml/acs" index="0"
                                 isDefault="true"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">ORG_NAME</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">ORG_DISPLAY_NAME</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">ORG_URL</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>

How to exchange metadata

To set up a secure connection over SAML 2.0 with Signicat eID Hub, you have to provide us with a metadata file. You can choose between the following two ways:

  • URL configuration (dynamic): You host and maintain the metadata file on your own server. You generate the metadata file yourself, make it available at an endpoint and share the URL with us. Signicat fetches the metadata dynamically. When you want to update the metadata with new certificates, you only need to update the file on your server.
  • Form configuration (static): You upload or create a metadata file in the Signicat Dashboard. You can either generate the file and upload it to the Dashboard, or fill in a form in the Dashboard and have Signicat generate the metadata file for you. To update your metadata file with new certificates, you must re-upload the file manually in the Dashboard. The metadata file is stored inside Signicat's infrastructure.

If you don't have a SAML 2.0 metadata file

If you are not able to create a metadata file, you can fill in a form in the Dashboard to provide information about the connection. We use this information to automatically build a metadata file for you.

Add URL configuration

The advantage of opting for a dynamic exchange of metadata (through a URL configuration) is that whenever your certificates change, they are updated automatically. In fact, Signicat fetches the URL you provide periodically to ensure that we always use the latest version of your metadata.

Registering a new metadata URL

To start fetching your metadata file, we need to check that the URL is safe. Before adding a new URL, please contact us by creating a support ticket in the Signicat Dashboard.

To add a metadata file using the URL configuration to your account, do the following:

  1. In the Signicat Dashboard, navigate to Products > eID Hub > SAML 2.0 and select + Add new.
  2. Choose the URL configuration option.
  3. Fill in the fields in the Standard tab. Required fields are marked with an asterisk (*).
  4. To configure the Advanced tab, see the Advanced URL configuration fields section below.
  5. Select Add to save the configuration.

Get Signicat's metadata

Select the Get Signicat's metadata button to view Signicat's metadata XML file. Copy the file and store it in your application. Alternatively, point your application to the URL to load the metadata dynamically.

Advanced URL configuration fields

Cache duration

You can control the maximum length of time Signicat caches the metadata retrieved through the URL configuration by setting the cacheDuration attribute in the metadata file, as specified in the OASIS SAML 2.0 metadata documentation.

The default cacheDuration is 4 hours. This means that, if you update the metadata, it can take up to 4 hours before Signicat uses the new version.

The highest value supported is 4 hours and the lowest value supported is 5 minutes. If you specify a cacheDuration larger than 4 hours, Signicat still refreshes the metadata every 4 hours. Likewise, if you specify a duration smaller than 5 minutes, Signicat refreshes it every 5 minutes.

On the EntityDescriptor element you can add the optional cacheDuration attribute, which the SAML 2.0 metadata schema declares as:

  <attribute name="cacheDuration" type="duration" use="optional"/>

The value must be formatted as an XML Schema duration (xs:duration), for example PT30M for 30 minutes or PT4H for 4 hours.

For example, to set the metadata cacheDuration to 30 minutes, add the cacheDuration="PT30M" attribute to your metadata, as shown:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     cacheDuration="PT30M"
                     entityID="someEntityId">
  ...
</md:EntityDescriptor>
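As an added example (not Signicat's code and not part of the original page), the following Python script lints a service provider metadata file for the properties shown in the metadata example above (an entityID, signed requests and assertions, a signing certificate, an HTTPS AssertionConsumerService) and computes the refresh interval that results from the cacheDuration limits described in this section. The sample metadata, the sp.example.test host and the certificate value are constructed placeholders.

```python
import re, xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MIN_CACHE_S, MAX_CACHE_S = 5 * 60, 4 * 60 * 60   # limits stated on this page
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")
# Constructed SP metadata (placeholder cert) with two defects to catch: WantAssertionsSigned off, ACS over http.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" cacheDuration="PT30M" entityID="https://sp.example.test/saml">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://sp.example.test/saml/acs" index="0" isDefault="true"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_duration(value):
    """xs:duration (e.g. PT30M) to seconds; years/months are approximated."""
    m = _DUR.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError("invalid xs:duration: %r" % value)
    y, mo, d, h, mi, s = (float(g) if g else 0.0 for g in m.groups())
    return y * 31536000 + mo * 2592000 + d * 86400 + h * 3600 + mi * 60 + s

def effective_refresh_seconds(cache_duration):
    """Interval Signicat would use: default 4 h, otherwise clamped to [5 min, 4 h]."""
    if cache_duration is None:
        return MAX_CACHE_S
    return min(MAX_CACHE_S, max(MIN_CACHE_S, parse_duration(cache_duration)))

def lint_sp_metadata(xml_text):
    """Return review findings for an SP EntityDescriptor; an empty list means it passed."""
    root, findings = ET.fromstring(xml_text), []
    if not root.get("entityID"):
        findings.append("entityID is missing")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no md:SPSSODescriptor"]
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) != "true":          # both are "true" in the example above
            findings.append("%s should be true" % flag)
    certs = sp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        findings.append("no signing certificate in a KeyDescriptor")
    for svc in sp.findall("md:AssertionConsumerService", NS):
        if not svc.get("Location", "").startswith("https://"):
            findings.append("ACS Location is not https: %r" % svc.get("Location", ""))
    return findings
```

Run lint_sp_metadata on your own file before sharing it; the sample deliberately fails two checks so you can see what a finding looks like.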

Add Form configuration

You can use the Form configuration to:

  • Upload your metadata file in the Signicat Dashboard, or
  • Generate a metadata file from the information that you enter in a form. Use this if you are not able to create a metadata file.

Once added, the metadata file is stored in the Dashboard, where you can modify its configuration at any time.

To add a new metadata file using the Form configuration in your account, do the following:

  1. In the Signicat Dashboard, navigate to Products > eID Hub > SAML 2.0 and select + Add new.
  2. Choose the Form configuration option.

Now, follow the instructions to either upload or generate a metadata file in the following sections.

Upload a metadata file

To share your metadata file:

  1. Upload a valid XML file in the Upload service provider metadata section.
  2. Fill in the Name to set a name for your connection.
  3. Optionally, customise your configuration further by filling in the Standard and Advanced tabs. For more details about the fields in the form, see the next section.

After uploading your metadata file, select Add to save the changes.

Get Signicat's metadata

Select the Get Signicat's metadata button to view Signicat's metadata XML file. Copy the file and store it in your application. Alternatively, point your application to the URL to load the metadata dynamically.

Generate a metadata file

To let Signicat generate a metadata file for you, fill in the fields in the Standard and Advanced tabs at the bottom of the screen. Required fields are marked with an asterisk (*).

When the form is complete, select Add to save the changes.

Get Signicat's metadata

Select the Get Signicat's metadata button to view Signicat's metadata XML file. Copy the file and store it in your application. Alternatively, point your application to the URL to load the metadata dynamically.

Tutorial videos

Set up SAML 2.0 in the Dashboard

This tutorial video shows you how to configure a SAML 2.0 connection in the Signicat Dashboard.

Learn more

Explore the SAML 2.0 documentation to discover request examples and learn about advanced topics.