How to Use SAML XML Metadata

Written by Cassa Niedringhaus on February 29, 2020


Modern IT admins know the challenge and necessity of securely connecting end users to their SaaS applications — whether they’re productivity suites, customer relationship management platforms, or document managers.

Various tools and approaches can make the process easier, including the use of metadata. Here, we’ll explore how to use SAML XML metadata with various single sign-on (SSO) providers and how to take a more expansive approach to user provisioning.

SAML XML Metadata 

Security Assertion Markup Language (SAML) passes signed Extensible Markup Language (XML) assertions between identity providers and SaaS app service providers, rather than user credentials. This approach is more efficient and secure because users only need one set of authoritative credentials to access their permitted SaaS apps, and those apps never see or store those credentials.

Depending on the SSO provider, admins might be able to leverage pre-configured SSO connectors rather than populate connectors manually. If they use a proprietary or less common app, though, they can use SAML XML metadata files to populate SSO connectors and eliminate some, if not all, of the work of filling out the requisite fields manually in the identity and service providers. Once they've uploaded the XML files, the identity and service providers can exchange SAML assertions, and the admins can enable SSO across their app portfolio.

AD FS & XML Metadata 

Active Directory® admins have a few routes they can take for SSO, including Active Directory Federation Services (AD FS). Through AD FS, they can access federation metadata to establish connections with SSO apps. Admins can download their AD FS federation metadata from Microsoft® and use the resulting XML file. Azure® Active Directory (AAD) similarly publishes federation metadata.

However, it’s worth noting that AD FS and other Microsoft SSO solutions are not necessarily comprehensive identity and access management (IAM) solutions. So, solutions like AD FS or AAD can extend Active Directory credentials to web applications, but they struggle with other resources like Mac® machines, Linux® systems and Linux servers hosted in AWS®, and RADIUS-based networks.

What this means is that using AD FS on top of AD would likely not address all modern IAM needs, and the setup would require additional add-on solutions to be comprehensive. Each add-on represents added costs per user and additional management time from admins.

Cloud Directory & XML Metadata

Another option exists: JumpCloud® Directory-as-a-Service® is natively designed to federate user credentials to web applications, and admins have various options through JumpCloud to establish SSO for users. JumpCloud has a catalog of hundreds of pre-configured connectors for popular business SaaS apps, like Salesforce®, Slack®, and AWS.

Admins can also use JumpCloud’s web-based Admin Console or PowerShell module to upload XML metadata files and automatically populate required attributes for applications that don’t already have a pre-configured connector.

The directory service is platform- and provider-agnostic, too, so admins can federate core credentials not only to SaaS apps but also to all three major operating systems (Windows®, Mac, Linux), networks, and servers. That way, users have one set of authoritative credentials to access virtually all their resources. Learn more about leveraging SSO from a comprehensive identity provider in the cloud.

Cassa Niedringhaus

Cassa is a product marketing specialist at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
