Does not apply to Identity Cloud

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

Last updated May 10, 2022

The purpose of this article is to provide information on updating metadata for an IdP or SP in AM using ssoadm. Using ssoadm allows you to automate the entire entity provider update process, including adding attribute mapping, if required.



Updating metadata

Standard metadata is the SAML v2.0 entity descriptor that Identity and Service providers exchange with each other: it records what the two sides have agreed on for the federation (for example the NameID formats in use and the signing and encryption certificates) and the endpoints at which each service can be reached. Because it is shared, you should only change the standard metadata of a remote entity when the remote party has requested the change, and whenever you change the standard metadata of a hosted entity you must send the new version to every remote entity that federates with it. Extended metadata is AM's own configuration for the entity; it is not part of the standard and is never shared, so you can make any changes required to it.

You can update metadata for an IdP or SP using ssoadm as follows:

  1. Back up the entity data in case you need to revert your changes. Export the IdP's or SP's standard and extended metadata files using the following ssoadm command:

     $ ./ssoadm export-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityID], [metadataXMLfile] and [extendedXMLfile] with appropriate values. The password file must be readable only by its owner (for example, chmod 400); ssoadm rejects a password file that other users can read. You will see the following response if this was successful:

     Entity descriptor was exported to file, [metadataXMLfile].
     Entity configuration was exported to file, [extendedXMLfile].
  2. Update your metadata files as necessary and include any additional details needed. If you want to map attributes, add an attributeMap to the IDPSSOConfig or SPSSOConfig element of the extended metadata file using the following format:

     <Attribute name="attributeMap">
         <Value>EmailAddress=mail</Value>
         <Value>username=uid</Value>
     </Attribute>

     Each value has the form SAMLattribute=localattribute: the name before the = (EmailAddress and username in this example) is the attribute name as it appears in the SAML assertion exchanged with the other entity provider, and the name after it (mail and uid) is the attribute in the local AM user profile that it is mapped to.
Note

If you have only changed the extended metadata file, include the -x option in the following delete-entity command so that only the extended metadata is deleted rather than the entire entity provider. If you do this, you only need to import the extended metadata in the subsequent step; the standard metadata, and the entity's membership of its circle of trust, are left untouched.

  3. Delete the IdP or SP as follows, depending on which metadata files you updated:
    • extended metadata file only - use the following ssoadm command:

      $ ./ssoadm delete-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2 -x

      replacing [adminID], [passwordfile], [realmname] and [entityID] with appropriate values. You will see the following response if this was successful:

      Configuration was deleted for entity, [entityID].
    • standard metadata file only or both - use the following ssoadm command:

      $ ./ssoadm delete-entity -u [adminID] -f [passwordfile] -e [realmname] -y [entityID] -c saml2

      replacing [adminID], [passwordfile], [realmname] and [entityID] with appropriate values. You will see the following response if this was successful:

      Descriptor was deleted for entity, [entityID].
  4. Import the metadata file(s) to re-create or update the entity provider in AM:

     $ ./ssoadm import-entity -u [adminID] -f [passwordfile] -e [realmname] -t [entityCOT] -c saml2 -m [metadataXMLfile] -x [extendedXMLfile]

     replacing [adminID], [passwordfile], [realmname], [entityCOT], [metadataXMLfile] and [extendedXMLfile] with appropriate values, where [entityCOT] is the circle of trust the entity belongs to. If you deleted only the extended metadata in the previous step, omit the -m option and import only the extended metadata file. You will see the following response if this was successful:

     Import file, [metadataXMLfile].
     Import file, [extendedXMLfile].
Note

You could script these changes to fully automate updating your entity providers. See How do I make batch changes using ssoadm in AM (All versions)? for further information on scripting ssoadm commands.
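As an added example of such a script (it is not code from this article or from AM itself), the following POSIX shell functions wrap the four steps above: checking the password file permissions before ssoadm is called, exporting both metadata files as a backup, inserting an attributeMap into the extended metadata, and then deleting and re-importing the entity, using the extended-only shortcut when only the extended metadata changed. The ssoadm path (./ssoadm), administrator ID (amadmin), password file (./pwd.txt), output file layout and function names are assumptions made for the example; the ssoadm subcommands and options are the ones shown in the steps above. The attributeMap insertion is line-based and assumes the closing IDPSSOConfig or SPSSOConfig tag sits on its own line, which is how AM exports the file; it refuses to run if an attributeMap is already present, so an existing mapping is never silently duplicated.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article: wrap the export / edit /
# delete / import cycle for a SAML2 entity in reusable shell functions.
# Assumptions: ssoadm wrapper at $SSOADM, admin ID $ADMIN, password in $PWDFILE.
set -eu

SSOADM="${SSOADM:-./ssoadm}"      # path to the ssoadm wrapper (assumed)
ADMIN="${ADMIN:-amadmin}"         # AM administrator ID (assumed)
PWDFILE="${PWDFILE:-./pwd.txt}"   # file holding the admin password (assumed)

# ssoadm rejects a password file that group or others can read; fail early
# with a clear message instead of part-way through the update.
check_password_file() {   # passwordfile
    [ -f "$1" ] || { echo "password file $1 not found" >&2; return 1; }
    if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
        echo "password file $1 must be readable by its owner only (chmod 400 $1)" >&2
        return 1
    fi
}

# Step 1: export the standard (-m) and extended (-x) metadata into a backup
# directory so the entity can be re-imported unchanged if an edit goes wrong.
backup_entity() {   # realm entityID outdir
    mkdir -p "$3"
    "$SSOADM" export-entity -u "$ADMIN" -f "$PWDFILE" -e "$1" -y "$2" -c saml2 \
        -m "$3/standard.xml" -x "$3/extended.xml"
}

# Step 2: add an attributeMap (SAMLattribute=localattribute pairs) to the
# extended metadata, just before the closing IDPSSOConfig/SPSSOConfig tag.
add_attribute_map() {   # extendedXMLfile pair...
    file="$1"; shift
    for pair in "$@"; do
        case "$pair" in
            *=*) ;;
            *) echo "mapping '$pair' is not of the form SAMLattr=localattr" >&2; return 2 ;;
        esac
    done
    if grep -q 'name="attributeMap"' "$file"; then
        echo "$file already has an attributeMap; edit it by hand" >&2
        return 1
    fi
    awk -v pairs="$*" '
        /<\/(IDP|SP)SSOConfig>/ && !done {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH) "    "
            print ind "<Attribute name=\"attributeMap\">"
            n = split(pairs, p, " ")
            for (i = 1; i <= n; i++) print ind "    <Value>" p[i] "</Value>"
            print ind "</Attribute>"
            done = 1
        }
        { print }
        END { if (!done) exit 1 }   # no SSOConfig element: leave the file alone
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# Steps 3 and 4: remove the old definition and import the edited file(s).
# scope "extended": only the extended metadata changed, so delete (-x) and
# import just that file; scope "both": replace the whole entity provider.
reimport_entity() {   # realm entityID cot extended|both standardXML extendedXML
    case "$4" in
        extended)
            "$SSOADM" delete-entity -u "$ADMIN" -f "$PWDFILE" -e "$1" -y "$2" -c saml2 -x
            "$SSOADM" import-entity -u "$ADMIN" -f "$PWDFILE" -e "$1" -t "$3" -c saml2 -x "$6"
            ;;
        both)
            "$SSOADM" delete-entity -u "$ADMIN" -f "$PWDFILE" -e "$1" -y "$2" -c saml2
            "$SSOADM" import-entity -u "$ADMIN" -f "$PWDFILE" -e "$1" -t "$3" -c saml2 -m "$5" -x "$6"
            ;;
        *) echo "scope must be 'extended' or 'both'" >&2; return 2 ;;
    esac
}

# Command-line entry point; with no arguments the script only defines the functions.
case "${1:-}" in
    backup)   shift; check_password_file "$PWDFILE"; backup_entity "$@" ;;
    addmap)   shift; add_attribute_map "$@" ;;
    reimport) shift; check_password_file "$PWDFILE"; reimport_entity "$@" ;;
    "")       ;;
    *)        echo "usage: $0 backup|addmap|reimport ..." >&2; exit 2 ;;
esac
```

A typical run is `./update-entity.sh backup /myrealm https://sp.example.com:443/sp ./work`, then `./update-entity.sh addmap ./work/extended.xml EmailAddress=mail username=uid` (or any other edits by hand), and finally `./update-entity.sh reimport /myrealm https://sp.example.com:443/sp mycot extended ./work/standard.xml ./work/extended.xml`. Because the backup is taken with the same export-entity command, reverting is a matter of running the reimport step with scope both against the backup directory.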

See Also

How do I export and import SAML2 metadata in AM (All versions)?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

How do I change the hostname for a remote IdP or SP entity in AM (All versions)?

How do I create a hosted IdP or SP in AM (All versions) using ssoadm?

SAML Federation in AM

SAML v2.0 Guide

ssoadm

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.