SP Metadata Endpoint

SecureCodingHub publishes a real SAML 2.0 Service Provider metadata document at a stable URL so that identity providers can be configured through metadata import rather than by typing values by hand.

The endpoint

Fetch the metadata over HTTPS:

GET https://api.limeplate.com/api/sch/auth/sso/metadata

The response is served with Content-Type application/samlmetadata+xml and contains a single <EntityDescriptor>. The document is stable: the same EntityID, the same ACS URL, the same NameID format. It is safe to import the URL directly into your IdP and let the IdP refresh it on its normal cadence.

What is in the document

Element                           Value
EntityID                          The Service Provider Entity ID for SecureCodingHub. This is what your IdP uses to identify the SP.
AssertionConsumerService binding  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
NameIDFormat                      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
AuthnRequestsSigned               false
WantAssertionsSigned              true

The IdP-facing endpoint URLs encoded inside the metadata are derived from the deployment's configured backend URL, so the document you fetch in production points at the production callback path. There is no manual templating; the file is generated on every request.

How to use it

In your identity provider's SAML configuration, look for a Metadata URL or Import from URL field. Paste the endpoint URL above and let the IdP fetch the document. The IdP will populate Entity ID, ACS, NameID format, and assertion-signing requirement directly from the document, which is more reliable than typing the values by hand.

Some IdPs only accept uploaded files. In that case, fetch the URL with curl and upload the resulting XML:

curl -o sch-sp-metadata.xml https://api.limeplate.com/api/sch/auth/sso/metadata
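
Before uploading a saved copy, it is worth checking that the file carries the values listed in the table above and that its ACS URL sits on the host you expect. The script below is an added example, not SecureCodingHub's own code; check_sp_metadata is a hypothetical helper, and the sample document with its entityID and ACS Location is constructed with placeholder values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
EXPECTED_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; entityID and ACS Location are placeholders, not real values.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/placeholder-entity-id">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="https://sp.example.test/placeholder-acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_bytes, expected_host):
    """Return a list of problems (empty if the file matches the documented
    values). Raises ET.ParseError if the bytes are not well-formed XML."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in xml_bytes:
        return ["document contains a DTD"]
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not a single EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["missing SPSSODescriptor"]
    # xs:boolean allows 0/1 as well as false/true; an absent attribute means false.
    if sp.get("AuthnRequestsSigned", "false") not in ("false", "0"):
        problems.append("AuthnRequestsSigned is not false")
    if sp.get("WantAssertionsSigned") not in ("true", "1"):
        problems.append("WantAssertionsSigned is not true")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    if formats != [EXPECTED_NAMEID]:
        problems.append(f"unexpected NameIDFormat: {formats}")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService")
    for svc in acs:
        url = urlsplit(svc.get("Location", ""))
        if svc.get("Binding") != EXPECTED_BINDING:
            problems.append("ACS binding is not HTTP-POST")
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"ACS Location not on https://{expected_host}")
    return problems
```

To check the downloaded file, pass the bytes of sch-sp-metadata.xml and the hostname of your deployment's backend URL; an empty list means the file matches the documented values.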

When the document changes

The document is generated from the live SecureCodingHub configuration on every request. The most common reason it would change is a deployment-level update to the backend hostname or the ACS callback path. If your IdP imports the metadata by URL it will pick the change up automatically on its next refresh; if you imported the document as a file, you would need to re-upload it. Subscribe to security@securecodinghub.com for the rare cases where a change of this kind is announced in advance.