Our college purchased a service from a 3rd party to provide access to our students to their CAD video training portal. A subdomain was customized for this purpose.

I was asked to work with the vendor to implement SAML SSO. So I sent the vendor our IdP's SAML metadata and expected to receive the same from the vendor. They took the SAML metadata file and configured their side, and they asked for a test account to do testing. At this point I still did not do anything on my end. I was waiting on them to send me their SAML metadata.

They tested their setup and they were able to hit our login screen, and the test user does get authenticated, and then once the test user gets a session cookie it never redirects to their endpoint (see screenshot).

[Screenshot: nam.png]

There is no redirect because I have not done anything on my end yet. When I asked the vendor to send me their SAML metadata, I was told the following:
"We do not provide a metadata file as we are a consumer (only) of your SAML2 endpoint, not the other way around, NOR are we doing mutual authentication. All that you need to do is set up your SP either using our ADFS script or doing the equivalent in your SSO environment. Pure clients (only) don't provide a metadata file as a consumer in SAML2 or any other environment; they consume your metadata file as the provider." and suggested this URL, which references the documentation to set up NetIQ manually without a metadata file: (

Reading through the documentation I came across this statement "The identity provider uses the incoming metadata to determine how to respond." Since I have not received any metadata from the vendor I did not set up a new SP in our environment yet.

Can I set up a vendor without SAML metadata and a trust certificate to do a redirect, as he is suggesting? If anyone has any input it would be very much appreciated.
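For readers weighing the vendor's claim, here is a worked example of what "setting up the SP manually" amounts to on the IdP side. This is added example code, not from the original post, the vendor, or NetIQ. In SAML 2.0 an IdP needs at least the SP's entityID and its AssertionConsumerService (ACS) URL before it can redirect an authenticated user anywhere; an SP signing certificate is only needed if the SP signs its AuthnRequests or wants assertions encrypted for it. The helper below takes those hand-supplied values, builds the equivalent SP metadata document with the standard library, and then reads it back to check that the fields an admin would otherwise key in (entityID, ACS endpoint and binding, whether a signing certificate is present) are all there. The entityID, ACS URL and certificate values are constructed placeholders.

```python
"""Build and check minimal SAML 2.0 SP metadata from hand-supplied values.

Example code, not from the forum post or any vendor. Standard library only.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholder values standing in for what a vendor would supply
# instead of a metadata file (not real endpoints).
VENDOR_ENTITY_ID = "https://cad-training.example.edu/sp"
VENDOR_ACS_URL = "https://cad-training.example.edu/saml/acs"


def build_sp_metadata(entity_id, acs_url, signing_cert_pem=None, want_signed=True):
    """Return SP metadata XML equivalent to registering the SP by hand.

    Without a certificate the SP cannot sign AuthnRequests, so
    AuthnRequestsSigned is fixed to false; the IdP can still redirect to
    the ACS URL because that is all a redirect needs.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    spsso = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
        "AuthnRequestsSigned": "false",
        "WantAssertionsSigned": "true" if want_signed else "false",
    })
    if signing_cert_pem:
        # Strip PEM armour; metadata carries the bare base64 body.
        body = "".join(line for line in signing_cert_pem.splitlines()
                       if not line.startswith("-----"))
        kd = ET.SubElement(spsso, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
        ki = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{DS_NS}}}X509Data")
        ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = body
    ET.SubElement(spsso, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def extract_sp_settings(metadata_xml):
    """Read back the fields an IdP admin needs; raise if the document
    is not SP metadata or has no ACS endpoint to redirect to."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS, "ds": DS_NS}
    spsso = root.find("md:SPSSODescriptor", ns)
    if spsso is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    acs = [(a.get("Binding"), a.get("Location"))
           for a in spsso.findall("md:AssertionConsumerService", ns)]
    if not acs:
        raise ValueError("no AssertionConsumerService: the IdP has nowhere to redirect")
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "has_signing_cert": spsso.find("md:KeyDescriptor[@use='signing']", ns) is not None,
    }


if __name__ == "__main__":
    xml = build_sp_metadata(VENDOR_ENTITY_ID, VENDOR_ACS_URL)
    print(xml)
    print(extract_sp_settings(xml))
```

The returned dictionary is the checklist for a manual SP registration: if `acs` is empty the IdP will do exactly what the post describes (authenticate, issue a session, and stop), and `has_signing_cert` being false simply means the IdP must not be configured to require signed AuthnRequests from this SP.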