Identity provider (IdP) metadata

When a federated pair uses an IdP metadata URL, the metadata is monitored: Access compares the IdP metadata stored in the system with the metadata at the URL. Metadata monitoring occurs every 24 hours. The Entity ID, Redirect SSO URL, Post SSO URL, and Signing cert pem fields are monitored and evaluated for changes.

When a change is detected in any of these fields between the metadata stored in the system and the metadata at the URL, Access raises an alert and emails all administrators. It also displays an alert in the Access portal. The administrator then uses the sync metadata option to update the federated pair with these changes.

Use one of the options described in the following table to upload IdP metadata to MobileIron Access.

NOTE: MobileIron Access verifies the validity of the identity provider metadata certificate file and sends email notifications. For more information, see Certificate expiry notifications.

If the IdP certificate expires, your device end users will not be able to authenticate to, or access, the corporate services federated through MobileIron Access.

Table 1. Options for uploading IdP metadata

Option          Description

Upload Metadata
    Click Choose File to navigate to the metadata file to add, or drag and drop the file.
    The metadata file automatically populates the data in MobileIron Access.

Add Metadata
    Enter the following information:
        Entity ID
        Post SSO URL
        Redirect SSO URL
        Base64 Encoded Cert

Metadata URL
    Enter the metadata URL.

    For ADFS, enter the metadata URL for the ADFS server in the following format:
    https://<ADFS DOMAIN NAME>/FederationMetadata/2007-06/FederationMetadata.xml

    NOTE: If the ADFS server is internal, expose the URL through the firewall.

    If the metadata on the IdP at the configured URL changes, Access sends an email notification to the Access administrator.

    In Access > Federated Pairs, the following alert message displays for the federated pair:

    IDP metadata has changed.

    For the federated pair, click Actions > Sync IDP metadata to update the metadata file in Access.

    An email notification is sent to the Access administrator after the sync.
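The monitoring described above compares four fields of the SAML metadata document. As an added illustration (not MobileIron's code), the following script extracts those fields from IdP metadata XML and reports which ones differ between the stored copy and a newly fetched copy; the ADFS-style metadata and certificate values are constructed placeholders, and the field names are this example's own.

```python
"""Detect changes in the IdP metadata fields Access monitors: Entity ID,
Redirect SSO URL, Post SSO URL and the signing certificate(s)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def monitored_fields(metadata_xml: str) -> dict:
    """Return the monitored fields, normalised so two fetches compare cleanly."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    certs = [
        "".join(c.text.split())  # drop line breaks inside the base64 body
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"  # no 'use' attr = signing + encryption
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    return {"entity_id": root.get("entityID"),
            "redirect_sso_url": sso.get(REDIRECT),
            "post_sso_url": sso.get(POST),
            "signing_certs": tuple(sorted(certs))}


def changed_fields(stored_xml: str, fetched_xml: str) -> list:
    """Names of monitored fields that differ between stored and fetched metadata."""
    old, new = monitored_fields(stored_xml), monitored_fields(fetched_xml)
    return sorted(k for k in old if old[k] != new[k])


def _sample(cert: str) -> str:  # constructed ADFS-style metadata, not a real IdP
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


STORED = _sample("PLACEHOLDER-OLD-SIGNING-CERT")
FETCHED = _sample("PLACEHOLDER-NEW-SIGNING-CERT")  # URLs unchanged, certificate rotated

if __name__ == "__main__":
    print(changed_fields(STORED, FETCHED))  # ['signing_certs']
```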

About Microsoft ADFS metadata

For a SAML pair configured with Microsoft ADFS, you can upload the metadata, configure a metadata URL, or add the metadata. Whether you can later change the metadata to a different form depends on the form you configured initially. The following table describes each initial form and the forms to which it can be modified.

Table 2. Modify Microsoft ADFS metadata

Initial SAML pair configuration using          Can be modified to

Upload Metadata
    Metadata URL.
    It cannot be modified to Add Metadata.

Metadata URL
    Upload Metadata.
    The existing URL configuration is overridden by the uploaded metadata, and the URL is no longer tracked.
    It cannot be modified to Add Metadata.

Add Metadata
    Cannot be modified to other options.