Overview

Quite literally, metadata is what makes SAML work (or work well). Let's look at some important uses of metadata:

- An identity provider receives an <samlp:AuthnRequest> element from a service provider via the browser. How does the identity provider know the service provider is authentic and not some evil service provider trying to phish private information regarding the user? The identity provider consults its list of trusted service providers in metadata before issuing an authentication response.
- In the previous scenario, how does the identity provider know where to redirect the user with the authentication response? The identity provider looks up a pre-arranged endpoint location of the service provider in metadata.
- How does the service provider know that the authentication response came from a trusted identity provider? The service provider validates the signature on the assertion using the public key of the identity provider from metadata.
- How does the service provider know where to resolve an artifact from a trusted identity provider? The service provider looks up the pre-arranged endpoint location of the identity provider's artifact resolution service from metadata.
Metadata ensures a secure transaction between an identity provider and a service provider. Before metadata, trust information was encoded into the implementation in a proprietary manner. Now the sharing of trust information is facilitated by standard metadata. SAML 2.0 provides a well-defined, interoperable metadata format that entities can leverage to bootstrap the trust process.
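The four lookups above, as an added example that is not part of the original article: a small metadata registry built from a constructed EntitiesDescriptor (the entityIDs, URLs and certificate text are placeholders), with the identity provider's trusted-SP and endpoint checks on one side and the service provider's signing-key and artifact-resolution lookups on the other. The function names are the example's own.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (one IdP, one SP); entityIDs, URLs and the
# certificate text are placeholders, not real deployments.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/idp/artifact" index="0"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.com/sp"><md:SPSSODescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/sp/acs" index="0"/>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_registry(xml_text):
    """Map entityID -> EntityDescriptor for every entity in the trusted metadata."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): e for e in root.iter("{%s}EntityDescriptor" % NS["md"])}

def response_destination(registry, sp_entity_id, requested_acs=None, binding=HTTP_POST):
    """IdP side: ACS Location from metadata, or None if the SP is untrusted or requested_acs is not listed."""
    sp = registry.get(sp_entity_id)
    if sp is None:
        return None  # not in the list of trusted service providers
    acs = [a.get("Location") for a in
           sp.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
           if a.get("Binding") == binding]
    if requested_acs is not None:  # a URL named in the request must match metadata
        return requested_acs if requested_acs in acs else None
    return acs[0] if acs else None

def idp_signing_certs(registry, idp_entity_id):
    """SP side: base64 X.509 certificates used to verify the IdP's assertion signature."""
    idp = registry.get(idp_entity_id)
    kds = idp.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS) if idp is not None else []
    return [c.text.strip() for kd in kds if kd.get("use", "signing") == "signing"  # no 'use' = both
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]

def artifact_resolution_endpoint(registry, idp_entity_id):
    """SP side: Location of the trusted IdP's ArtifactResolutionService, or None."""
    idp = registry.get(idp_entity_id)
    ars = idp.find("md:IDPSSODescriptor/md:ArtifactResolutionService", NS) if idp is not None else None
    return ars.get("Location") if ars is not None else None
```

In a real deployment the certificate strings would be parsed and used by an XML signature library; the point here is that the keys and endpoints come from metadata, never from the message being validated.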