Metadata describes the server capabilities in a machine readable format for automatic configuration of relying parties. It contains all of the relevant server endpoints, supported profiles and public key material used for validation of signed data. This information is publically accessible to anybody by design and contains no secret information.

Metadata	Endpoint
OAuth2 and OpenID Connect Metadata	`/uas/.well-known/openid-configuration`
JWKS Web Keys	`/uas/oauth2/metadata.jwks`

Metadata Request

The main OAuth2 metadata endpoint contains all of the relevant server endpoints, supported profiles and links to public key material used for validation of signed data.

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

GET /uas/.well-known/openid-configuration

The same metadata is also available at the address /uas/oauth2/metadata.json. The address /uas/.well-known/openid-configuration is preferred for interoperability.

Sample metadata request

GET https://sso.example.com/uas/.well-known/openid-configuration

Metadata Response

http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

Parameters

issuer
authorization_endpoint
token_endpoint
userinfo_endpoint
jwks_uri
introspection_endpoint
revocation_endpoint
response_types_supported
grant_types_supported
subject_types_supported
id_token_signing_alg_values_supported
token_endpoint_auth_methods_supported
scopes_supported
- In addition to the scopes specifically mentioned in the metadata, the entityID of any relying party can also be used as a scope when requesting tokens.

Deprecated parameters

tokeninfo_endpoint (deprecated, will be removed in SSO 8) introspection_endpoint provides the same functionality and should be used.

Sample metadata response (SSO 8.2)

HTTP/1.1 200 OK 
Content-Type: application/json

{
  "issuer": "https://sso.example.com/uas",
  "authorization_endpoint": "https://sso.example.com/uas/oauth2/authorization",
  "token_endpoint": "https://sso.example.com/uas/oauth2/token",
  "userinfo_endpoint": "https://sso.example.com/uas/oauth2/userinfo",
  "jwks_uri": "https://sso.example.com/uas/oauth2/metadata.jwks",
  "tokeninfo_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "introspection_endpoint": "https://sso.example.com/uas/oauth2/introspection",
  "revocation_endpoint": "https://sso.example.com/uas/oauth2/revocation",
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "authorization_code",
    "password",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp",
    "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp"
  ],
  "subject_types_supported": [
    "public"
  ],
  "request_object_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5",
    "A128KW",
    "A256KW"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A256CBC-HS512"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "client_secret_jwt",
    "private_key_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "RS256",
    "HS256"
  ],
  "scopes_supported": [
    "openid",
    "userinfo"
  ]
}

JSON Web Key Set Request

The address of the issuer's JSON Web Key Set is discovered from issuer metadata, by reading "jwks_uri" field.

GET /uas/oauth2/metadata.jwks

Sample jwks request

GET https://sso.example.com/uas/oauth2/metadata.jwks

JSON Web Key Set Response

https://tools.ietf.org/html/rfc7517

Parameters

keys

JSON Array with one or more JSON Web Keys

Optional

x5c

The issuer key in a X.509 certificate envelope. Available if compatibility flag MetadataCertificate is enabled in SSO Server.

Sample jwks response

HTTP/1.1 200 OK 
Content-Type: application/jwk-set+json
\{"keys": \[\{"kty": "RSA","use": "sig","n": "AK-iEcWcXv2VVnv...", "e": "AQAB"\}\]\}

Browser not supported