Both the Relying Party (RP) and the IDP/STS (Security Token Service) can publish their federation information in the standardized federation metadata document as defined here.
This specification defines concrete service roles. The ApplicationServiceType describes the capabilities of the Relying Party whereas the SecurityTokenServiceType describes the capabilities of the IDP/STS.
The following XML snippets are copied from the spec to illustrate the structure:
- Relying Party
- IDP / STS
The federation metadata document makes it easier to configure the RP in the IDP/STS, or the IDP/STS in the RP. The following two sections describe each case.
Metadata document of IDP/STS
The federation metadata document of the IDP/STS can be used to resolve IDP/STS configuration information at runtime or at deployment time.
Example: The Microsoft tool FedUtil lets you establish trust from the RP application to an already existing IDP/STS. You configure the URL of the published metadata document and FedUtil generates the federation-related configuration in the application configuration file web.config, so you do not have to configure it manually.
Fediz does not currently provide such a tool to generate the IDP/STS-related configuration in the Fediz configuration file.
Metadata document of RP
The federation metadata document of the RP can be used by the IDP/STS to resolve configuration information at runtime. This is useful because it lets the RP tell the IDP/STS which claims the application requires. If the application requires additional claims, they are configured on the application side.
Fediz supports publishing the Metadata document on the RP side. This document is built at runtime based on the Fediz configuration.
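As an added illustration (not part of the Fediz documentation or code base), the following Python parses a constructed RP metadata document the way an IDP/STS would consume it: it picks out the application role by its ApplicationServiceType xsi:type, reads the passive requestor endpoint and splits the requested claims into required and optional. The entityID, endpoint and claim URIs in the sample are illustrative values.

```python
import xml.etree.ElementTree as ET

# Namespaces of WS-Federation 1.2 metadata (SAML 2.0 metadata plus the fed/auth/wsa extensions).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
      "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
      "wsa": "http://www.w3.org/2005/08/addressing"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample RP metadata document (not copied from Fediz or the spec);
# the entityID, endpoint and claim URIs are illustrative values.
SAMPLE_RP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://rp.example.test/fedizhelloworld/">
  <md:RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesRequested>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" Optional="false"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true"/>
    </fed:ClaimTypesRequested>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference>
        <wsa:Address>https://rp.example.test/fedizhelloworld/</wsa:Address>
      </wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </md:RoleDescriptor>
</md:EntityDescriptor>
"""

def parse_rp_metadata(xml_text):
    """Return the RP entityID, its passive requestor endpoints and required/optional claims."""
    root = ET.fromstring(xml_text)  # the stdlib expat parser does not fetch external entities
    info = {"entityID": root.get("entityID"), "endpoints": [], "required": [], "optional": []}
    for role in root.findall("md:RoleDescriptor", NS):
        # ElementTree does not resolve QName attribute values, so match the local part of
        # xsi:type; a SecurityTokenServiceType descriptor (the IDP/STS role) is skipped.
        if role.get(XSI_TYPE, "").split(":")[-1] != "ApplicationServiceType":
            continue
        for addr in role.findall("fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS):
            info["endpoints"].append(addr.text.strip())
        for claim in role.findall("fed:ClaimTypesRequested/auth:ClaimType", NS):
            # Only Optional="false" marks a claim the IDP/STS must issue; a missing
            # Optional attribute is treated as optional here.
            bucket = "required" if claim.get("Optional", "true").lower() == "false" else "optional"
            info[bucket].append(claim.get("Uri"))
    return info
```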
The syntax of the URL is:
The Fediz example applications have got the context
This is an example metadata document: