Updating SAML certificates

Overview

Most SAML-based Identity Providers (IdPs) rotate their signing certificates on a regular schedule. To ensure your organisation’s Single Sign-On (SSO) continues to work without interruptions, itslearning must always have the correct and current IdP metadata, including the public signing certificate. 

Whenever possible, itslearning strongly recommends providing a metadata URL rather than manually sending certificate files. A metadata URL allows us to automatically retrieve updates, preventing outages caused by expired or replaced certificates.

What is SAML and what do the certificates do

SAML, or Security Assertion Markup Language, is an XML-based open standard that lets websites exchange user information securely for Single Sign-On (SSO) authentication. Authentication details are transmitted in a defined format between two parties: an identity provider (IdP) and a web application (the service provider). An IdP is a system that creates, stores, and manages digital identities. The IdP can either authenticate the user directly or provide authentication services to third-party service providers (apps, websites, or other digital services).

When a user logs into itslearning, they are sent to the identity provider (IdP) to enter their credentials. If the login succeeds, the IdP returns a signed SAML response containing an assertion about the user, and itslearning uses it to authorise the login. This bidirectional exchange of information relies on the SAML protocol. To verify that the response or assertion really was signed by your IdP and has not been altered in transit, itslearning must hold the correct, currently valid signing certificate from the IdP metadata, which we maintain securely for each customer. If the IdP starts signing with a new certificate that itslearning does not have, signature validation fails and logins are rejected.

What should you do when a certificate update is approaching

Check whether itslearning already has your IdP metadata URL; if you are unsure, your itslearning support representative can raise a ticket to have it checked. If the metadata cannot be retrieved over a (public) URL, please share the entire metadata file instead, and do so before the old certificate expires.

How to retrieve the URL to the SAML IdP metadata

Whenever your IdP supports it, please send us the full federation metadata URL, including any required parameters. For Microsoft Entra ID this means the appid query parameter, which selects the metadata (and certificate) of the specific enterprise application; without it the endpoint returns the tenant-wide metadata.

Below is how to retrieve the URL for some known systems. For other IdP solutions, please consult the IdP vendor.

ADFS 

You can normally access the metadata with a URL like this: https://<adfs-domain>/FederationMetadata/2007-06/FederationMetadata.xml (replace <adfs-domain> with your AD FS host name). Please confirm that the URL resolves and share it with us.

Microsoft Entra ID (formerly Azure AD)

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to: Identity → Applications → Enterprise applications
  3. Select the Entra application used for itslearning SSO.
  4. Open Single sign-on → SAML.
  5. In the SAML Certificates or Metadata URLs section, copy the entire App Federation Metadata URL 

The App Federation Metadata URL typically looks like:

https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<application-id>
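Once you have the URL (or a saved metadata file), the check a practitioner wants before and after a rotation is: which signing certificates does the metadata currently advertise, and when does each expire? During a rotation an IdP usually publishes the old and the new certificate side by side, so a correct check reports all of them. The script below is an added example, not itslearning's code. It parses a saved copy of the metadata (fetch it first with curl or a browser), walks the DER encoding just far enough to read each certificate's validity period, and flags certificates that expire within 30 days. The entityID, dates and certificates it runs on are constructed test data, not real IdP material; the certificate skeletons are unsigned and exist only so the example runs offline.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# --- minimal DER reader: just enough to reach Validity inside an X.509 certificate ---
def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime or GeneralizedTime
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])          # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])    # serial, sigAlg, issuer, validity
    return _time(*not_before), _time(*not_after)

def signing_certs(metadata_xml):
    """All certificates the IdP may sign with, as (use, notBefore, notAfter).
    A KeyDescriptor with no 'use' attribute is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        if use == "encryption":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))   # tolerate line-wrapped base64
            out.append((use, *cert_validity(der)))
    return out

def days_left(metadata_xml, now):
    """Days until each signing certificate expires, in metadata order."""
    return [(na - now).days for _, _, na in signing_certs(metadata_xml)]

def rotation_report(metadata_xml, now, warn_days=30):
    lines = []
    for use, nb, na in signing_certs(metadata_xml):
        days = (na - now).days
        state = "EXPIRED" if days < 0 else "ROTATE SOON" if days < warn_days else "ok"
        lines.append(f"{use:<18} {nb:%Y-%m-%d} .. {na:%Y-%m-%d}  {days:4d} days left  {state}")
    return lines

# --- constructed test data: unsigned certificate skeletons and a metadata document ---
def _der(tag, body):
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def fake_cert(not_before, not_after):
    """Syntactically valid Certificate with empty placeholders; for this example only."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),               # version v3
        _der(0x02, b"\x01"),                           # serialNumber
        _der(0x30, b""), _der(0x30, b""),              # signature alg, issuer (placeholders)
        _der(0x30, utc(not_before) + utc(not_after)),  # validity
        _der(0x30, b""), _der(0x30, b""),              # subject, subjectPublicKeyInfo
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

def sample_metadata(now):
    """IdP metadata mid-rotation: old and new signing certs published side by side."""
    b64 = lambda d: base64.b64encode(d).decode()
    old = b64(fake_cert(now - timedelta(days=350), now + timedelta(days=15)))
    new = b64(fake_cert(now - timedelta(days=5), now + timedelta(days=360)))
    kd = lambda use, c: (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
                         f'<ds:X509Certificate>{c}</ds:X509Certificate>'
                         '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example.edu/adfs/services/trust">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + kd("signing", old) + kd("signing", new) + kd("encryption", new) +
            '</md:IDPSSODescriptor></md:EntityDescriptor>')

DEMO_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed clock for the constructed sample

if __name__ == "__main__":
    import sys
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_metadata(DEMO_NOW)
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else DEMO_NOW
    print("\n".join(rotation_report(xml, now)))
```

Run it as `python check_idp_metadata.py metadata.xml` against a saved copy of your IdP metadata; with no argument it runs on the constructed sample, where the old signing certificate is flagged ROTATE SOON and the new one is ok. The script only reads validity periods; it does not verify any signature, and a certificate that is still within its validity period can already have been retired by the IdP, which is exactly why the metadata URL, not a copied certificate file, is what itslearning should have.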

