Service provider (SP) metadata

When a federated pair is configured with an SP metadata URL, Access monitors that metadata: every 24 hours it compares the SP metadata stored in the system with the metadata currently served at the URL. The Entity ID, ACS URL, and signing certificate (PEM) fields are evaluated for changes.

When a change is detected in any of these fields between the metadata stored in the system and the metadata at the URL, Access raises an alert, sends an email to all administrators, and displays the alert in the Access portal. The administrator then uses the sync metadata option to update the federated pair with these changes.

NOTE: MobileIron Access checks the validity of the certificate in the service provider metadata and sends email notifications. For more information, see Certificate expiry notifications.

If the SP certificate expires, your device end users can no longer authenticate to, or access, the corporate services that are federated through MobileIron Access.
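The monitoring described above (compare the stored SP metadata with the copy at the URL and flag changes to Entity ID, ACS URLs, or the signing certificate) can be reproduced for your own review with a short script. The following Python is an added example, not MobileIron Access code; the two metadata documents are constructed inline, the Entity ID and ACS URLs are placeholders, and the certificate bytes are stand-ins for a real DER certificate (only their fingerprint is compared).

```python
"""Detect changes in SAML SP metadata: Entity ID, ACS URLs and the signing certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Hypothetical example, not MobileIron Access code. For metadata fetched from an
# untrusted URL, parse with defusedxml instead of the stdlib parser.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class SpSnapshot:
    """The monitored fields of one SP, in a form that is cheap to store and compare."""
    entity_id: str
    acs_urls: tuple           # sorted, so element order in the XML is not a change
    signing_cert_sha256: str  # hex SHA-256 over the DER certificate, "" if none


def parse_sp_metadata(xml_text: str) -> SpSnapshot:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor; not an SP")
    acs_urls = tuple(sorted(
        e.attrib["Location"] for e in sp.findall("md:AssertionConsumerService", NS)))
    fingerprint = ""
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            fingerprint = hashlib.sha256(der).hexdigest()
            break
    return SpSnapshot(root.attrib["entityID"], acs_urls, fingerprint)


def diff_sp_metadata(stored: SpSnapshot, fetched: SpSnapshot) -> list:
    """Return one human-readable line per monitored field that changed."""
    changes = []
    if stored.entity_id != fetched.entity_id:
        changes.append(f"Entity ID: {stored.entity_id} -> {fetched.entity_id}")
    for url in sorted(set(stored.acs_urls) - set(fetched.acs_urls)):
        changes.append(f"ACS URL removed: {url}")
    for url in sorted(set(fetched.acs_urls) - set(stored.acs_urls)):
        changes.append(f"ACS URL added: {url}")
    if stored.signing_cert_sha256 != fetched.signing_cert_sha256:
        changes.append("Signing cert changed: sha256 %s... -> %s..." % (
            stored.signing_cert_sha256[:16], fetched.signing_cert_sha256[:16]))
    return changes


def _metadata(entity_id, acs_urls, cert_bytes):
    """Build constructed SP metadata; cert_bytes stands in for a DER certificate."""
    acs = "".join(
        f'<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'Location="{u}" index="{i}"/>' for i, u in enumerate(acs_urls))
    cert = base64.b64encode(cert_bytes).decode("ascii")
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    {acs}
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed data: the copy stored in the system vs. what the metadata URL serves now
# (one ACS URL added, signing certificate rotated, Entity ID unchanged).
STORED_XML = _metadata("https://sp.example.com/saml",
                       ["https://sp.example.com/acs"], b"constructed-cert-v1")
FETCHED_XML = _metadata("https://sp.example.com/saml",
                        ["https://sp.example.com/acs", "https://sp.example.com/acs2"],
                        b"constructed-cert-v2")


def check_for_changes(stored_xml=STORED_XML, fetched_xml=FETCHED_XML) -> list:
    return diff_sp_metadata(parse_sp_metadata(stored_xml), parse_sp_metadata(fetched_xml))


if __name__ == "__main__":
    for line in check_for_changes():
        print("ALERT:", line)
```

The snapshot keeps a fingerprint of the certificate rather than the PEM text, so whitespace or line-wrapping differences in the fetched file do not raise a false alert, while any actual key rotation does.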

The following table describes the options for uploading service provider (SP) metadata.

Table 1. Options for uploading SP metadata

Option: Upload Metadata
Description: Click Choose File to navigate to the metadata file, or drag and drop the file. The metadata file automatically populates the SP data in MobileIron Access.

Option: Add Metadata
Description: Enter the following information:

Entity ID
Assertion Consumer Service URL

Click Add New to add multiple Assertion Consumer Service (ACS) URLs. The option to add multiple ACS URLs is available for Custom SAML SP and Custom WS-Fed SP only. For more information about multiple ACS URLs, see Assertion Consumer Service (ACS) URLs.

Select Auth requests signed, then enter the Base64 Encoded Cert.

NOTE: Use the Add Metadata option to add metadata for G Suite. For more information, see Metadata for G Suite.

Option: Metadata URL
Description: Enter the metadata URL.

If there are changes to the metadata on the SP at the configured URL, Access sends an email notification to the Access administrator.

In Access > Federated Pairs, the following alert message is displayed for the federated pair:

SP metadata has changed.

For the federated pair, click Actions > Sync SP metadata to update the metadata file in Access.

An email notification is sent to the Access administrator after the sync.

Assertion Consumer Service (ACS) URLs

Configure multiple Assertion Consumer Service (ACS) URLs if the service provider (SP) has more than one destination. For example, you may want your sales and customer support teams to land on separate locations on the service. Based on the intended destination, the SP encodes a different ACS URL in the authentication request. Access directs traffic to the ACS URL in the authentication request only if it exactly matches an ACS URL configured in Access. If the authentication request carries no ACS URL, or the ACS URL does not match one configured in Access, the traffic goes to the default destination.

The option to add multiple ACS URLs is available only for Custom SAML SP and Custom WS-Fed SP.
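The selection rule above (use the requested ACS URL only when it matches a configured one, otherwise fall back to the default) is the control that keeps a SAML response from being delivered to an address the SP's own request happens to name. The following Python is an added example, not MobileIron Access code: it decodes a SAMLRequest as carried by the HTTP-Redirect binding, reads the AssertionConsumerServiceURL attribute, and applies the exact-match rule against a constructed allow-list. The SP URLs and the request contents are placeholders.

```python
"""Resolve the destination ACS URL for a SAML AuthnRequest with an exact-match allow-list.
Hypothetical example, not MobileIron Access code."""
import base64
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed configuration for a Custom SAML SP with two destinations.
CONFIGURED_ACS_URLS = (
    "https://sp.example.com/acs/sales",
    "https://sp.example.com/acs/support",
)
DEFAULT_ACS_URL = "https://sp.example.com/acs/sales"


def decode_redirect_binding(saml_request: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (URL decoding of the
    query parameter is assumed to have happened already)."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def encode_redirect_binding(xml_text: str) -> str:
    """Inverse of decode_redirect_binding; used here only to build sample requests."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def requested_acs_url(authn_request_xml: str):
    """Return the AssertionConsumerServiceURL attribute, or None if the request has none."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a samlp:AuthnRequest")
    return root.attrib.get("AssertionConsumerServiceURL")


def select_acs_url(requested, configured=CONFIGURED_ACS_URLS, default=DEFAULT_ACS_URL) -> str:
    """Exact string match against the configured list; no prefix or host matching,
    so a trailing slash or a different path is treated as 'not configured'."""
    if requested is not None and requested in configured:
        return requested
    return default


def route_authn_request(saml_request: str) -> str:
    """Full path: decode the binding, read the requested ACS URL, pick the destination."""
    return select_acs_url(requested_acs_url(decode_redirect_binding(saml_request)))


def _authn_request(acs_url=None) -> str:
    """Constructed minimal AuthnRequest; the ACS attribute is omitted when acs_url is None."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0" '
            f'IssueInstant="2024-01-01T00:00:00Z"{acs_attr}>'
            '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            'https://sp.example.com/saml</saml:Issuer></samlp:AuthnRequest>')


# Constructed requests: a configured destination, an unlisted one, and one with no ACS URL.
SAMPLE_REQUESTS = {
    "support": encode_redirect_binding(_authn_request("https://sp.example.com/acs/support")),
    "unlisted": encode_redirect_binding(_authn_request("https://sp.example.com/acs/other")),
    "no_acs": encode_redirect_binding(_authn_request(None)),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:9s} -> {route_authn_request(req)}")
```

Only the "support" request reaches its requested URL; the unlisted URL and the request without an ACS URL both resolve to the default destination, which is the behaviour the text describes.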

Metadata for G Suite

G Suite does not provide a metadata file. For G Suite, select the Add Metadata option to add the service provider metadata to MobileIron Access, and enter the following:

Entity ID: google.com/a/{yourcompany.com}
Assertion Consumer Service URL: https://www.google.com/a/{yourcompany.com}/acs

For PingIdentity only, select the Auth requests signed check box. In the Base 64 Encoded Cert text box, paste the Base 64 Encoded Cert obtained from PingIdentity.

See also the Knowledge Base article at https://community.mobileiron.com/docs/DOC-4097