For Developers

Implementation Details

We provide an endpoint for showing our SAML Service Provider metadata for each Edlink application that configures SAML:

https://ed.link/api/authentication/saml/00000000-0000-0000-0000-000000000000/metadata

This URL will be accessible in the Edlink Dashboard.

The metadata configuration we try to use looks like this:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:assertion="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ed.link/api/authentication/saml/00000000-0000-0000-0000-000000000000/metadata">
    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>SOME CERTIFICATE DETAILS GO HERE</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>SOME CERTIFICATE DETAILS GO HERE</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </KeyDescriptor>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ed.link/api/authentication/saml/00000000-0000-0000-0000-000000000000"/>
    </SPSSODescriptor>
</EntityDescriptor>

However, when a user actually goes through the SSO flow, our Service Provider configuration is generated to match the Identity Provider configuration you provided. This means that if your provided configuration does not include WantAuthnRequestsSigned="true" as an attribute on the <SPSSODescriptor>, we will not sign the authentication request.
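As an added check (example code, not Edlink's own), the Python below parses a sample IdP metadata document and the SP metadata shape shown above, and reports whether authentication requests will actually be signed under the rule just described. The IdP entityID and endpoints are constructed placeholders; the attribute is looked up on both role descriptors, since the SAML 2.0 metadata schema defines WantAuthnRequestsSigned on IDPSSODescriptor while the text above names SPSSODescriptor.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample IdP metadata (hypothetical entityID and endpoint), not real data.
IDP_SIGNED = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/saml">
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
# Same metadata with the attribute omitted: per the text above, requests then go unsigned.
IDP_UNSIGNED = IDP_SIGNED.replace(' WantAuthnRequestsSigned="true"', "")

# The SP metadata shape shown on this page, trimmed to the signing attributes.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://ed.link/api/authentication/saml/00000000-0000-0000-0000-000000000000/metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>"""

def _xs_bool(value):
    # XML Schema booleans may be "true"/"false" or "1"/"0"; an absent attribute is false.
    return value is not None and value.strip().lower() in ("true", "1")

def idp_wants_signed_requests(idp_metadata_xml):
    """True only if the IdP metadata explicitly asks for signed AuthnRequests.
    Checked on both role descriptors: the SAML 2.0 metadata schema puts
    WantAuthnRequestsSigned on IDPSSODescriptor; the text above names SPSSODescriptor."""
    root = ET.fromstring(idp_metadata_xml)
    for tag in ("md:IDPSSODescriptor", "md:SPSSODescriptor"):
        for descriptor in root.findall(".//" + tag, NS):
            if _xs_bool(descriptor.get("WantAuthnRequestsSigned")):
                return True
    return False

def review(idp_metadata_xml, sp_metadata_xml=SP_METADATA):
    """Flag the gap this page warns about: the SP metadata advertises signed requests,
    but the IdP metadata never asked for them, so the generated config sends none."""
    sp = ET.fromstring(sp_metadata_xml).find(".//md:SPSSODescriptor", NS)
    advertised = sp is not None and _xs_bool(sp.get("AuthnRequestsSigned"))
    effective = idp_wants_signed_requests(idp_metadata_xml)
    return {"sp_advertises_signed_requests": advertised,
            "requests_will_be_signed": effective, "mismatch": advertised and not effective}
```

Run review() against the IdP metadata you actually uploaded before going live; a mismatch means the published SP metadata promises a signature the flow will not produce.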