Set up SAML
To set up a connection using SAML 2.0, you need to exchange metadata with Signicat. This process, known as trust establishment, allows the two parties to express trust for each other. The metadata also describes the type and format of the SAML 2.0 request and response.
You can choose how to establish trust in the SAML 2.0 configuration in the Signicat Dashboard. You have the option to either self-host or upload the metadata in the Dashboard.
On this page, you'll find instructions to set up SAML 2.0 in the Dashboard. You'll learn how to share or create the metadata and prepare yourself to connect to eIDs through the Signicat eID and Wallet Hub. You can also watch a video that shows how to set up SAML 2.0 in the Tutorial videos section.
If you are new to Signicat, learn more in the Get started with Signicat page.
SAML metadata
In SAML 2.0, the service provider (SP) and the identity provider (IdP) establish a connection by exchanging metadata with each other. The format of the metadata must follow the SAML 2.0 OASIS specification.
Examples of metadata
Below, you can find examples of metadata files configured with the POST or ARTIFACT bindings:
POST binding:

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_9ef5602b6f9ed8b75334f563f91322d2"
                         entityID="ENTITY_ID">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        XML_SIGNATURE
      </ds:Signature>
      <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>KEY_NAME</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>
                X509_CERTIFICATE
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://SP_CLIENT_DOMAIN/saml/acs" index="0"
                                     isDefault="true"/>
      </md:SPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">ORG_NAME</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">ORG_DISPLAY_NAME</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">ORG_URL</md:OrganizationURL>
      </md:Organization>
    </md:EntityDescriptor>
ARTIFACT binding:

    <?xml version="1.0" encoding="UTF-8"?>
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_9ef5602b6f9ed8b75334f563f91322d2"
                         entityID="ENTITY_ID">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        XML_SIGNATURE
      </ds:Signature>
      <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                          protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
          <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:KeyName>KEY_NAME</ds:KeyName>
            <ds:X509Data>
              <ds:X509Certificate>
                X509_CERTIFICATE
              </ds:X509Certificate>
            </ds:X509Data>
          </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                                     Location="https://SP_CLIENT_DOMAIN/saml/acs" index="0"
                                     isDefault="true"/>
      </md:SPSSODescriptor>
      <md:Organization>
        <md:OrganizationName xml:lang="en">ORG_NAME</md:OrganizationName>
        <md:OrganizationDisplayName xml:lang="en">ORG_DISPLAY_NAME</md:OrganizationDisplayName>
        <md:OrganizationURL xml:lang="en">ORG_URL</md:OrganizationURL>
      </md:Organization>
    </md:EntityDescriptor>
How to exchange metadata
To set up a secure connection over SAML 2.0 with Signicat eID and Wallet Hub, you have to provide us with a metadata file. You can choose between the following two ways:
- URL configuration (dynamic): You host and maintain the metadata file on your server. You generate the metadata file on your own, make it available at an endpoint and share the URL with us. Signicat fetches the metadata dynamically. When you want to update the metadata with new certificates, you only need to update the metadata on your server side.
- Form configuration (static): You upload or create a metadata in the Signicat Dashboard. You can either generate the file and upload it to the Dashboard or fill in a form in the Dashboard and have Signicat generate the metadata file for you. To update your metadata file with new certificates, you must re-upload the file manually on the Dashboard. The metadata file is stored inside Signicat's infrastructure.
If you are not able to create a metadata file, you can fill in a form in the Dashboard to provide information about the connection. We use this information to automatically build a metadata file for you.
Add URL configuration
The advantage with a URL configuration is that metadata exchange is dynamic. This means that your metadata and certificates are always up to date and are automatically updated whenever they change. This is because Signicat fetches the URL you provide periodically to ensure that we always use the latest version of your metadata.
To establish a SAML connection with a URL configuration for your metadata, do the following:
- In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > SAML 2.0 and select + Add new.
- Choose the URL configuration.
- Fill in the following fields in the Standard tab:
Metadata URL verification
If your Metadata URL appears unsafe, Signicat Support needs to verify the source. If your connection requires additional verification, click the "creating a support ticket" link in the notice banner to request verification, then save your changes.
Note that your connection will remain in a Pending state until Signicat Support has verified your domain.
- To configure the Advanced tab, see the Advanced URL configuration fields section below.
- Select Add to save the configuration.
To view Signicat's metadata (XML file), select the Get Signicat's metadata button. Then, you can copy the file and store it in your application. Alternatively, you may configure your application to query the URL and load the metadata dynamically.
Connection status
After saving your SAML 2.0 connection with URL configuration, you can track its status on the SAML 2.0 overview page. You may encounter the following statuses:
- Active: The domain is trusted, and the metadata was successfully downloaded and parsed. Your SAML connection is fully operational.
- Inactive: The connection has been manually deactivated. You can re-activate it at any time.
- Invalid: The domain is trusted, but the system could not download or parse the metadata file correctly. This often happens due to a broken URL, a temporary network issue, or a corrupted XML file.
- Pending: Your connection is saved, but the root domain has not been verified yet. The system will not attempt to fetch metadata until Signicat Support approves your ticket.
Refresh the metadata
If your connection is Invalid and you want to check whether your metadata file is now valid, open your connection details and click Refresh metadata to manually retry fetching the file. If the issue persists, contact us by creating a support ticket in the Signicat Dashboard.
Advanced URL configuration fields
Cache duration
You can control the maximum length of time Signicat caches the metadata retrieved from the URL configuration by setting the cacheDuration in the metadata file, as specified in the OASIS SAML 2.0 documentation.
The default cacheDuration of the metadata is set to 4 hours. This means that, if you update the metadata, it could take up to 4 hours before Signicat uses the new metadata.
The highest supported value is 4 hours and the lowest is 5 minutes: if a cacheDuration longer than 4 hours is specified, the metadata is refreshed every 4 hours, and if a duration shorter than 5 minutes is specified, it is refreshed every 5 minutes.
On the EntityDescriptor you can add the optional cacheDuration attribute, which the metadata schema declares as:
    <attribute name="cacheDuration" type="duration" use="optional"/>
The value must be formatted as an XML Schema duration (xs:duration).
For example, to set the metadata cacheDuration to 30 minutes, add the cacheDuration="PT30M" attribute to your metadata, as shown:
    <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                         cacheDuration="PT30M"
                         entityID="someEntityId">
      ...
    </md:EntityDescriptor>
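As an added example (not Signicat's code), the following Python script runs pre-flight checks on a service provider metadata file against the shape of the examples on this page before you host or upload it, and computes the refresh interval Signicat will actually use from cacheDuration, applying the 5 minute to 4 hour window described above. The entity ID, ACS URL and certificate in the embedded sample are constructed placeholders, and parse_duration handles only the day, hour, minute and second fields of xs:duration.

```python
# Added example, not Signicat's tooling: pre-flight SP metadata checks plus the refresh interval Signicat derives from cacheDuration.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"}
MIN_CACHE, MAX_CACHE = 5 * 60, 4 * 3600  # seconds; MAX_CACHE is also the default when the attribute is absent
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample shaped like the page's POST-binding example; entity ID, ACS URL and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test" cacheDuration="PT30M">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIB...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

def parse_duration(value):  # xs:duration with D/H/M/S fields (PT30M, P1DT2H, ...) -> seconds
    m = _DUR.match(value)
    if not m or value.endswith(("P", "T")):  # "P", "PT" and "P1DT" carry no time fields
        raise ValueError(f"not a valid xs:duration: {value!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def effective_refresh_seconds(cache_duration):  # interval Signicat will actually use
    if cache_duration is None:
        return MAX_CACHE
    return min(MAX_CACHE, max(MIN_CACHE, parse_duration(cache_duration)))

def check_sp_metadata(xml_text):  # returns a list of problems; [] means ready to upload
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or sp is None:
        return ["expected md:EntityDescriptor containing md:SPSSODescriptor"]
    problems = [] if root.get("entityID") else ["missing entityID"]
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(attr) != "true":  # both are true in the page's examples
            problems.append(f"{attr} should be true")
    if sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in md:KeyDescriptor")
    for svc in sp.findall("md:AssertionConsumerService", NS):
        if svc.get("Binding") not in BINDINGS:
            problems.append(f"unsupported ACS binding {svc.get('Binding')}")
        if not (svc.get("Location") or "").startswith("https://"):
            problems.append("ACS Location must use https")
    return problems
```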
Add Form configuration
Form configuration is an alternative way to create a SAML connection when you prefer to:
- Upload your metadata file in the Signicat Dashboard, or
- Generate a metadata file by providing information in a web form.
Generate a metadata file
We recommend that you generate a metadata file with the web form when you are not able to create one in your application.
Once you have added your metadata, the file is stored safely in the Signicat Dashboard. Remember that you can always modify its configuration.
How to add a metadata file
To create a new SAML 2.0 connection with Form configuration for your metadata, do the following:
- In the Signicat Dashboard, navigate to Products > eID and Wallet Hub > SAML 2.0 and select + Add new.
- Choose the Form configuration option.
Now, follow the instructions to either upload or generate the metadata file in the following sections.
Upload a metadata file
To share your metadata file:
- Upload a valid XML file in the Upload service provider metadata section.
- Fill in the Name with the name for your connection.
- Optionally, further customise your configuration by filling in the Standard and Advanced tabs. For more details about the fields in the form, see the next section.
Once you have uploaded your metadata and configured your connection, select Add to save the changes.
To view Signicat's metadata (XML file), select the Get Signicat's metadata button. Then, you can copy the file and store it in your application. Alternatively, you may configure your application to query the URL and load the metadata dynamically.
Generate a metadata file
To let Signicat generate a metadata file for you, fill in the fields in the Standard and Advanced tabs. These are the fields you can configure:
Standard
* Required fields are marked with an asterisk (*).
Advanced configuration
* Required fields are marked with an asterisk (*).
Once you have completed your configuration, select Add to save the changes.
To view Signicat's metadata (XML file), select the Get Signicat's metadata button. Then, you can copy the file and store it in your application. Alternatively, you may configure your application to query the URL and load the metadata dynamically.
Tutorial video
This video shows you how to configure a SAML 2.0 connection in the Signicat Dashboard.
Learn more
Explore the SAML 2.0 documentation to discover request examples and learn about advanced topics.