
I'm trying to configure SimpleSAMLphp with a FederationMetadata.xml file generated by an AD FS 2.0 server (some of which you can see below - I have replaced the middle portion of the domain with the word "domain").

Since our web application is not on their network, it can't see the machines on the .local domain. I don't know much about ADFS and SAML but I thought that the IdP endpoints had to be accessible by the SP. However the technical contact for the IdP keeps saying that all we need is this file and that it doesn't matter that the SP is external to the network.

Is there something I'm missing here? Can the IdP and the SP communicate using this metadata?

<EntityDescriptor ID="**ID**" entityID="http://adfs2.domain.local/adfs/services/trust" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <ds:Reference URI="**URI**">
            <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>**digest**</ds:DigestValue>
        </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>**signature**</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>**cert**</X509Certificate>
        </X509Data>
    </KeyInfo>
</ds:Signature>
<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/ws-sx/ws-trust/200512 http://schemas.xmlsoap.org/ws/2005/02/trust http://docs.oasis-open.org/wsfed/federation/200706" ServiceDisplayName="adfs2.domain.local" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="encryption">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
                <X509Certificate>**cert**</X509Certificate>
            </X509Data>
        </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesRequested>
        <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
            <auth:DisplayName>E-Mail Address</auth:DisplayName>
            <auth:Description>The e-mail address of the user</auth:Description>
        </auth:ClaimType>
        <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" Optional="true" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
            <auth:DisplayName>Given Name</auth:DisplayName>
            <auth:Description>The given name of the user</auth:Description>
        </auth:ClaimType>

        ...

    </fed:ClaimTypesRequested>
    <fed:TargetScopes>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/ls/</Address>
        </EndpointReference>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://adfs2.domain.local/adfs/services/trust</Address>
        </EndpointReference>
    </fed:TargetScopes>
    <fed:ApplicationServiceEndpoint>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256</Address>
        </EndpointReference>
    </fed:ApplicationServiceEndpoint>
    <fed:PassiveRequestorEndpoint>
        <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
            <Address>https://adfs2.domain.local/adfs/ls/</Address>
        </EndpointReference>
    </fed:PassiveRequestorEndpoint>
</RoleDescriptor>
</EntityDescriptor>
Sam Tolton

1 Answer


Your SP and their IdP do not need to communicate at all. Once you have exchanged metadata, trust is established between your SP and their IdP. SAML has no requirements on how the metadata is exchanged. Some people do it through email, some publish it on a web server, others generate it dynamically on their IdP or SP, and some will just provide you with the data values (cert, endpoints, etc.) and have you construct the metadata yourself.

What is important is that the user logging in has access to both the SP and IdP. The most common SAML profile is the SP redirecting the user's browser to the IdP and then after login, the IdP causes the browser to POST back to the SP.

There are other SAML profiles, not frequently used, that require SP-to-IdP communication. In your case the IdP doesn't support that profile.

Patrick
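As an added example (not part of the question or the answer, and not SimpleSAMLphp's own code), the script below reads a constructed metadata sample shaped like the file in the question and separates the endpoints the user's browser must reach from the one the SP server itself would have to reach. The certificate value is a placeholder, and the IDPSSODescriptor with SAML bindings is an assumed addition, since the excerpt in the question only shows the WS-Federation role; the artifact-resolution endpoint stands in for the rarely used back-channel profile the answer mentions. The script also performs the HTTP-Redirect binding step: the SP builds a URL and hands it to the browser with a 302, which is why no SP-to-IdP connectivity is needed. Finally, it flags that a `.local` hostname still has to resolve in the user's browser, which is the access requirement the answer points at.

```python
"""Inspect an AD FS FederationMetadata.xml the way an SP would.

Added example, not code from the original post or from SimpleSAMLphp.
SAMPLE_METADATA is a constructed, abbreviated file shaped like the one in
the question; the certificate is a placeholder and the IDPSSODescriptor
block is an assumption added to show SAML 2.0 bindings.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata (placeholder certificate, hostname from the question).
SAMPLE_METADATA = """<EntityDescriptor entityID="http://adfs2.domain.local/adfs/services/trust"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <wsa:EndpointReference><wsa:Address>https://adfs2.domain.local/adfs/ls/</wsa:Address></wsa:EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://adfs2.domain.local/adfs/services/trust/artifactresolution" index="0"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs2.domain.local/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs2.domain.local/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed AuthnRequest; the SP identifiers are hypothetical.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2013-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/saml/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def parse_metadata(xml_text):
    """Pull out what an SP actually consumes: entityID, signing certs, endpoints.
    The signing certs are what establish trust: the SP verifies the IdP's
    signatures on assertions against them, with no live connection to the IdP."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "signing_certs": [], "endpoints": []}
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no 'use' means signing and encryption
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                info["signing_certs"].append("".join(cert.text.split()))
    for ep in root.iter(f"{{{NS['fed']}}}PassiveRequestorEndpoint"):
        addr = ep.find(".//wsa:Address", NS)
        info["endpoints"].append(("PassiveRequestorEndpoint", None, addr.text.strip()))
    for tag in ("SingleSignOnService", "ArtifactResolutionService"):
        for svc in root.iter(f"{{{NS['md']}}}{tag}"):
            info["endpoints"].append((tag, svc.get("Binding"), svc.get("Location")))
    return info


def who_must_reach(endpoints):
    """Split endpoints by which party opens the connection: the user's browser
    (front channel: redirect/POST) or the SP process itself (back channel: SOAP)."""
    browser, sp_server = set(), set()
    for kind, binding, url in endpoints:
        if binding == SOAP or kind == "ArtifactResolutionService":
            sp_server.add(url)
        else:
            browser.add(url)
    return {"browser": sorted(browser), "sp_server": sorted(sp_server)}


def build_redirect_url(sso_location, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. The SP only builds
    this URL and returns it to the browser as a 302; it never contacts the IdP."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in sso_location else "?"
    return sso_location + sep + urllib.parse.urlencode(params)


def decode_redirect_url(url):
    """Reverse of build_redirect_url (what the IdP does when the browser arrives)."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def needs_internal_name_resolution(url):
    """A .local name only resolves on the corporate network, so external users'
    browsers cannot follow the redirect even though the SP never needs to."""
    host = urllib.parse.urlparse(url).hostname or ""
    return host.endswith(".local")


if __name__ == "__main__":
    info = parse_metadata(SAMPLE_METADATA)
    split = who_must_reach(info["endpoints"])
    print("IdP entityID:", info["entity_id"])
    print("signing certs found:", len(info["signing_certs"]))
    for url in split["browser"]:
        note = " (must resolve in the user's browser)" if needs_internal_name_resolution(url) else ""
        print("browser -> IdP:", url + note)
    for url in split["sp_server"]:
        print("SP server -> IdP (back channel, artifact profile only):", url)
    print("302 Location:", build_redirect_url(split["browser"][0], SAMPLE_AUTHN_REQUEST, "state-1"))
```

Run it as-is to see the split; point `parse_metadata` at the real FederationMetadata.xml to check which of its endpoints your SP configuration actually uses. If the only entries in the `sp_server` set belong to the artifact profile and you configure SimpleSAMLphp for redirect/POST, the SP host needs no route to the `.local` network; the users' browsers still do.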