The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

InlineMetadataProvider

The InlineMetadataProvider allows the static specification of SAML2 Metadata inside the metadata provider.

Schema Names and location

The <MetadataProvider> element and the type InlineMetadataProvider are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.

The SAML Metadata is defined by the urn:oasis:names:tc:SAML:2.0:metadata schema which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd.

Attributes

Any of the Common Attributes may be specified.

Common Attributes

The following attributes are required on all metadata provider types:

NameTypeDefaultDescription
idStringrequiredIdentifier for logging, identification for command line reload, etc.
xsi:typeStringrequiredSpecifies the exact type of provider to use (from those listed above, or a custom extension type).

The following attributes are common to all metadata provider types except the ChainingMetadataProvider type:

NameTypeDefaultDescription

requireValidMetadata

Booleantrue

Whether candidate metadata found by the resolver must be valid in order to be returned (where validity is implementation specific, but in SAML cases generally depends on a validUntil attribute.) If this flag is true, then invalid candidate metadata will not be returned.

failFastInitialization          

BooleantrueWhether to fail initialization of the underlying MetadataResolverService (and possibly the IdP as a whole) if the initialization of a metadata provider fails. When false, the IdP may start, and will continue to attempt to reload valid metadata if configured to do so, but operations that require valid metadata will fail until it does.
sortKeyInteger
Defines the order in which metadata providers are searched (see below), can only be specified on top level <MetadataProvider> elements.
The following are advanced settings supporting a new low-level feature allowing metadata lookup by keys other than the unique entityID and are rarely of use to a deployer.
criterionPredicateRegistryRef 3.3Bean ID
Identifies the a custom CriterionPredicateRegistry bean used in resolving predicates from non-predicate input criteria.
useDefaultPredicateRegistry 3.3BooleantrueFlag which determines whether the default CriterionPredicateRegistry will be used if a custom one is not supplied explicitly.
satisfyAnyPredicates 3.3BooleanfalseFlag which determines whether predicates used in filtering are connected by a logical 'OR' (true) or by logical 'AND' (false).

Child Elements

Any of the following child elements may be specified (in order).

NameCardinalityDescription
<MetadataFilter>0 or moreA metadata filter applied to candidate metadata as it flows through the metadata pipeline
<md:EntityDescriptor>
0 or 1Specifies the metadata for a single SAML entity
<md:EntitiesDescriptor>
0 or 1Specifies the metadata for two or more SAML entities

The <MetadataFilter> child element is common to all metadata providers. The remaining child elements are exclusive to the InlineMetadataProvider type.

Exactly one of the <md:EntityDescriptor> or <md:EntitiesDescriptor> child elements is required. If neither is configured, an error will occur. See the SAML 2.0 Metadata specification for more information about these elements.

Examples

The following example specifies SAML metadata whose top-level element is an <md:EntityDescriptor> element:

Inline EntityDescriptor
<MetadataProvider xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" id="exampleInLineEntity" xsi:type="InlineMetadataProvider" sortKey="1">
	<!-- Details removed -->
	<md:EntityDescriptor ID="entity" entityID="https://app.example.org/sp">
      	<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
			<md:AssertionConsumerService
				Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
				Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"
				index="1" />
        </md:SPSSODescriptor>
	</md:EntityDescriptor>
</MetadataProvider>

The following example specifies SAML metadata whose top-level element is an <md:EntitiesDescriptor> element:

Inline EntitiesDescriptor
<MetadataProvider xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" id="exampleInLineEntities" xsi:type="InlineMetadataProvider">
	<!-- Details removed -->
	<md:EntitiesDescriptor>
		<md:EntityDescriptor ID="uk001502" entityID="https://wiki.example.org/sp">
			<md:SPSSODescriptor
				protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
				<saml:AssertionConsumerService
					Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
					Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"
					index="1" />
			</md:SPSSODescriptor>
		</md:EntityDescriptor>
        <!-- Further EntityDescriptors removed -->
	</md:EntitiesDescriptor>
</MetadataProvider>