SPS provides Service Provider (SP) metadata at the following location:
https://<ADDRESS-OF-YOUR-SPS>/sts/saml2/sp-metadata.xmlThis file is accessible also for unauthenticated users since it only contains public information about the SAML2 SP configuration.
NOTE: Many Identity Providers (IdPs) do not consume SP metadata directly, therefore you might need to configure your IdP manually. This guide uses the terms that are defined in the SAML 2.0 standard, which may differ from how the actual configuration parameters are called by your IdP implementation. For example, depending on your IdP implementation, the SP Entity ID may be referred to as Audience or Audience URI.
The entity ID of SPS is an opaque string, which is generated automatically, for example:
This is a technical identifier of your SP, which should be unique in your federation, but is not meant to be visible by users. When needed, you can customize this string using the SPS REST API, see Configuring SPS login methods in the One Identity Safeguard for Privileged Sessions REST API Reference Guide.
Signing and encryption keys
SPS SP has an automatically generated private key and a corresponding self-signed certificate, which are used for the following purposes:
sign the SAML2 authentication request sent to the IdP;
decrypt the assertion in the IdP's response when it is encrypted (encryption is not required);
sign the metadata file, to prove the possession of the private key.
When needed, you can change the private key and the corresponding certificate using the SPS REST API.
Assertion Consumer Service URLs
Assertion Consumer Service (ACS) URL is a parameter in the SAML2 authentication request, to which the IdP should redirect the user back after completing the authentication. To prevent request forging, most IdPs validate that the ACS specified in the authentication request match any of the preconfigured ACS values for the SP.
Since SPS is accessible at multiple addresses, there can be several ACS URLs. The URL is a string made up from three parts:
the fixed string https://
the configured host name or the IP address of SPS with an optional port number. If the port number is specified, it must match the port number used in the URL bar of the browser.
the fixed string sts/saml2/acs/post
All ACS URLs support the HTTP POST binding.
NOTE: When you configure your SP, you must include all host names in the list of ACS URLs where SAML2 login is allowed. If the users attempt to log in to SPS using an alternative host name or IP address in the URL bar, the login will fail. The host name might contain a port number, but in this case, you must enter the port number into the URL bar of the browser too.
Since a managed SPS cluster appears as a single SP entity for IdPs, you must enter all host names (or IP addresses) of all managed SPS hosts into the central configuration. For example, if a host is represented by three different hostnames, such as 10.12.231.241, example.com, or user.example.com:8081, you must enter all three hostnames pertaining to that host to make SAML2 login method available for users. You must also enter the hostnames of the central configuration.