
This is a DRAFT specification under internal discussion and is not supported by any shipping code. The eventual profile may be similar, the same, or entirely different from this proposal.

SAML Metadata Profile

In comparison to the existing (JSON) format, all the same configuration options are available. See the table at the end of this page for mappings between the JSON claims and the SAML metadata.

An entity advertises support for the OIDC protocol with an SPSSODescriptor that has the following characteristics:

  • MUST include http://openid.net/specs/openid-connect-core-1_0.html in the protocolSupportEnumeration attribute (a whitespace-separated list of protocol URIs)
  • Contains one or more AssertionConsumerService elements, each of which MUST have the following attributes:
    • Binding attribute with the value https://tools.ietf.org/html/rfc6749#section-3.1.2
    • Location attribute holding the URL of a single redirection endpoint; the requirements on that URL (an absolute URI, optionally with a query component, never with a fragment) and the exact string comparison applied to it at the authorization endpoint are those of the RFC 6749 section that the binding URL points to
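The descriptor checks above and the redirection-endpoint rule they point to, as an added example that is not code from the draft or from the Shibboleth project: it parses the metadata with the Python standard library, picks the SPSSODescriptor that advertises the OIDC protocol, validates the AssertionConsumerService endpoints, and resolves an authorization request's redirect_uri by exact string comparison. The sample metadata is the page's first example with a second endpoint, https://example.org/cb2, added as an assumption so that the several-endpoints rule is exercised.

```python
"""Check an entity's metadata against the draft OIDC profile and resolve an authorization
request's redirect_uri against it. Added example on the standard library; not draft code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "oidcmd": "urn:mace:shibboleth:metadata:oidc:1.0"}
OIDC_PROTOCOL = "http://openid.net/specs/openid-connect-core-1_0.html"
REDIRECT_BINDING = "https://tools.ietf.org/html/rfc6749#section-3.1.2"

# Constructed sample: the page's first example plus a second redirection endpoint
# (https://example.org/cb2, an assumption) so the several-endpoints rule is exercised.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions>
                <oidcmd:GrantType>authorization_code</oidcmd:GrantType>
                <oidcmd:ResponseType>code</oidcmd:ResponseType>
                <oidcmd:ApplicationType>web</oidcmd:ApplicationType>
                <oidcmd:TokenEndpointAuthMethod>client_secret_basic</oidcmd:TokenEndpointAuthMethod>
                <oidcmd:Scope>openid</oidcmd:Scope>
                <oidcmd:Scope>profile</oidcmd:Scope>
            </oidcmd:OAuthRPExtensions>
        </md:Extensions>
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>public</md:NameIDFormat>
        <md:AssertionConsumerService Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb" index="1"/>
        <md:AssertionConsumerService Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb2" index="2"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def oidc_rp_descriptor(xml_text):
    """(client_id, SPSSODescriptor) for the first descriptor listing the OIDC protocol in
    protocolSupportEnumeration, which is a whitespace-separated list of URIs."""
    root = ET.fromstring(xml_text)
    for sp in root.findall("md:SPSSODescriptor", NS):
        if OIDC_PROTOCOL in sp.get("protocolSupportEnumeration", "").split():
            return root.get("entityID"), sp
    raise ValueError("no SPSSODescriptor advertises the OIDC protocol")


def registered_redirect_uris(sp):
    """(valid, invalid) Locations of the AssertionConsumerService elements that carry the
    redirection-endpoint binding; other bindings are ignored. A Location that is not an
    absolute URI, or that has a fragment, violates RFC 6749 section 3.1.2 and is reported
    under invalid so that it is never redirected to."""
    valid, invalid = [], []
    for acs in sp.findall("md:AssertionConsumerService", NS):
        if acs.get("Binding") != REDIRECT_BINDING:
            continue
        loc = acs.get("Location", "")
        parts = urlsplit(loc)
        (valid if parts.scheme and parts.netloc and not parts.fragment else invalid).append(loc)
    return valid, invalid


def redirect_uri_error(sp, requested=None):
    """None when the request's redirect_uri is acceptable, else the reason. RFC 6749
    section 3.1.2 requires the request to name an endpoint when several are registered
    and compares by simple string equality, so a trailing slash, a case change or an
    added query parameter is a mismatch."""
    valid, invalid = registered_redirect_uris(sp)
    if invalid:
        return f"metadata registers invalid redirection endpoints: {invalid}"
    if not valid:
        return "metadata registers no redirection endpoint"
    if requested is None:
        return None if len(valid) == 1 else "redirect_uri is required: several endpoints are registered"
    return None if requested in valid else f"redirect_uri {requested!r} is not registered"


def resolve_redirect_uri(sp, requested=None):
    """The URI an authorization response may be sent to, or ValueError."""
    error = redirect_uri_error(sp, requested)
    if error:
        raise ValueError(error)
    return requested if requested is not None else registered_redirect_uris(sp)[0][0]


if __name__ == "__main__":
    client_id, sp = oidc_rp_descriptor(SAMPLE)
    print(client_id, registered_redirect_uris(sp))
    print(resolve_redirect_uri(sp, "https://example.org/cb"))
```

The string comparison is deliberate: prefix or host-level matching of redirect URIs is what turns an open redirect or path traversal on the client's host into authorization-code theft, and the profile's pointer to RFC 6749 section 3.1.2 carries the exact-match requirement with it.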

When needed, trusted public keys and client secrets are configured via KeyDescriptor elements. In addition to the public key KeyInfo types already supported (ds:X509Data and ds:KeyValue), JSON Web Key Sets are supported either inline or by reference, using the JwksData and JwksUri elements (see the table at the end of this page). The JwksData element contains the Base64-encoded JSON string of the key set. Client secrets can be configured either statically in plaintext, with the ClientSecret element, or by reference, with the ClientSecretKeyReference element. A plaintext ClientSecret turns the metadata document itself into secret material: metadata is normally signed for integrity but not encrypted, and is often aggregated or published, so it must then be stored and distributed with the same care as the secret. The reference form keeps the secret value out of the metadata and in whatever store the resolver reads.

Example Metadata

An example representing an OIDC RP with client secret value in the metadata:

OIDC metadata entry with client secret value
<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
        entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions>
                <oidcmd:GrantType>authorization_code</oidcmd:GrantType>
                <oidcmd:ResponseType>code</oidcmd:ResponseType>
                <oidcmd:ApplicationType>web</oidcmd:ApplicationType>
                <oidcmd:TokenEndpointAuthMethod>client_secret_basic</oidcmd:TokenEndpointAuthMethod>
                <oidcmd:Scope>openid</oidcmd:Scope>
                <oidcmd:Scope>profile</oidcmd:Scope>
            </oidcmd:OAuthRPExtensions>
        </md:Extensions>
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>public</md:NameIDFormat>
        <md:AssertionConsumerService
                Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb"
                index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

An example representing an OIDC RP with a client secret value reference. The reference key (mockClientSecretKey) is used by client secret value resolvers, which are out of scope of this profile.

OIDC metadata entry with client secret key reference
<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
        entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions>
                <oidcmd:GrantType>authorization_code</oidcmd:GrantType>
                <oidcmd:ResponseType>code</oidcmd:ResponseType>
                <oidcmd:ApplicationType>web</oidcmd:ApplicationType>
                <oidcmd:TokenEndpointAuthMethod>client_secret_post</oidcmd:TokenEndpointAuthMethod>
                <oidcmd:Scope>openid</oidcmd:Scope>
                <oidcmd:Scope>profile</oidcmd:Scope>
            </oidcmd:OAuthRPExtensions>
        </md:Extensions>
        <md:KeyDescriptor>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <oidcmd:ClientSecretKeyReference>mockClientSecretKey</oidcmd:ClientSecretKeyReference>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>pairwise</md:NameIDFormat>
        <md:AssertionConsumerService
                Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.com/callback"
                index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>

An example representing an OIDC RP with multiple public keys configured in the metadata. All of them are taken into account and transformed into a JSON Web Key Set, with ds:KeyName used as the key identifier (kid). One caveat for implementers: the JwksData value in this example decodes to a single JWK object that carries its own kid ("mock"), not to a JWK Set with a "keys" array, whereas the description above and the mapping table call for the Base64-encoded key set; an implementation that accepts only the {"keys": [...]} form will reject this value as given.

OIDC metadata entry with multiple public keys
<md:EntityDescriptor
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
        entityID="mockSamlClientId">
    <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
        <md:Extensions>
            <oidcmd:OAuthRPExtensions>
                <oidcmd:GrantType>authorization_code</oidcmd:GrantType>
                <oidcmd:ResponseType>code</oidcmd:ResponseType>
                <oidcmd:ApplicationType>web</oidcmd:ApplicationType>
                <oidcmd:TokenEndpointAuthMethod>private_key_jwt</oidcmd:TokenEndpointAuthMethod>
                <oidcmd:Scope>openid</oidcmd:Scope>
                <oidcmd:Scope>profile</oidcmd:Scope>
            </oidcmd:OAuthRPExtensions>
        </md:Extensions>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>mockX509RSA</ds:KeyName>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIEQDCCAqigAwIBAgIVAIarXvdvyS47KJR7U40FlTufyD8vMA0GCSqGSIb3DQEB
                        CwUAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xOTA2MTcx
                        MTI5MTJaFw0zOTA2MTcxMTI5MTJaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2Nh
                        bGRvbWFpbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALXysGFnoBFh
                        oasd5uMecp9OTBjvztntPUVmHfm4R3AcItEMEZEN/pETcX/wgKdo4qCBq4PrZITa
                        T8Salgl0XL6qF1Wia3JNA7Hh/OaoQEUsbsHgsjLMKt6MJh8vIaE1o8loL7Ay4WmZ
                        Cr3wc8ZS6CpMsv+qbxkyfl1h7MTydETnQhg/X83bj+BjJSh7QeFU0d0SWK1dN2/D
                        nFoGOfuTfVqeDRIwMxKlR5G//8N202sLaG28NljaHhLn3jHXeiGpCQ+Q2X90dkFb
                        EKb6sQ6SlDUAzm9MwLYjglDyOhXpUqOnvD67nggLb4Gn/4k+g5wtdfr7unOJYcHK
                        w7JGnI8Gd0lJMd6B3SpkhUOWgKv/D6HIBArhqSEmXuTyy8FewyYuo1XkIw/Lu3bB
                        9qoBojM1tygoGlKi7R7e719J+DSkhyGbMyQ59leoN97iGGgqjUWS5mew8zSNviyz
                        4uGqvxmLWU9UTH1YhlARsBF1bMiMnwLz7dF74AaAkC4pN3BYzDMyHQIDAQABo3Ew
                        bzAdBgNVHQ4EFgQUwKUd9D1Qymu2oBEVTscrAhP+sIUwTgYDVR0RBEcwRYIVbG9j
                        YWxob3N0LmxvY2FsZG9tYWluhixodHRwczovL2xvY2FsaG9zdC5sb2NhbGRvbWFp
                        bi9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEAEYqh54a+j5OuR1UB
                        /AT9k2xXVwHiqQXAC/2un8O5BWAOeOq9+0gLJO5yaJp5c9GjPXRJmnDfGP9HFF6R
                        CjngtRCm1gV/fpj97IRQS5oroaeTWPQ9ZD5+ogs5DNt6UZeJ2GqpfA5mOytNg3cM
                        OP1B5QnA1apOaG4FHTegJR7WOIXkkAjEJUy6R+5Q6At7DdK/SRrP5onVPFv2HgGF
                        E9v9iX/uQepDizS5F2oi6LZCl1/b38gxA8BFL7VZu53JQguaA7SrnP+dBOErT/yh
                        Qcx3e9wE2ms8H1qISIdl3e7gvLi5jEyDWC9Agde6EjjvVVJAF7jR0puQ39mBfoxP
                        moVdHJQmCt3V7Ew9tYZUpG3rjp4YNXOiM+QhtwhHWT94q9uJKUQ6JvbxgLNDs5KM
                        3PENx2C60TPFne9nRRIMVDavU4wwY7GdCgeo8PiZ5zxI0ZCkxh38ODePtKQrxJ7i
                        E0J1BE2LIxa1T7KY0XKpsH0iI2dNfZfNpNp4v/HiDb4svYgq</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>mockX509EC</ds:KeyName>
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIBKDCBzgIJAOYlspXlaqguMAoGCCqGSM49BAMCMBwxCzAJBgNVBAYTAkZJMQ0w
                        CwYDVQQDDAR0ZXN0MB4XDTE5MTEwMTA4Mjg0OVoXDTIwMTAzMTA4Mjg0OVowHDEL
                        MAkGA1UEBhMCRkkxDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB
                        BwNCAARCUOlFMtRj3MIbdCzXmoGz4giDwjzPoX4AxMehhlXmPOodQhLDdvDqx3KE
                        hqadzIIsKHRQPDycscpHWpPbaQ2VMAoGCCqGSM49BAMCA0kAMEYCIQCVykSuUjlX
                        j4lxI6YqgYVuuhL2rG4hIrXw/pCey7eF2gIhAOSSaS025lQWy09W4NlnO28OkHoI
                        +Hbap7+DQlhbbr2d</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>mockRSA</ds:KeyName>
                <ds:KeyValue>
                    <ds:RSAKeyValue>
                        <ds:Modulus>
                            AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj
                            K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e
                            XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt
                            IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I
                            X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:Modulus>
                        <ds:Exponent>AQAB</ds:Exponent>
                    </ds:RSAKeyValue>
                </ds:KeyValue>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:KeyName>mockJwkId</ds:KeyName>
                <oidcmd:JwksData>
                    ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci
                    OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx
                    aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3
                    UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW
                    VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR
                    Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw
                    c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf
                    ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:NameIDFormat>public</md:NameIDFormat>
        <md:AssertionConsumerService
                Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
                Location="https://example.org/cb"
                index="1"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
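How KeyDescriptors like the ones above become a JWK Set, as an added example on the Python standard library (not the project's own implementation): it handles ds:X509Certificate through a minimal DER walker, ds:RSAKeyValue, and oidcmd:JwksData, uses ds:KeyName as kid and the KeyDescriptor use attribute as the JWK use, and skips client secrets. Two assumptions are mine: a kid already present inside JwksData is kept rather than overwritten by KeyName, and a bare JWK object in JwksData is accepted alongside a proper {"keys": [...]} set. The constructed sample reuses the page's EC certificate, RSAKeyValue and JwksData descriptors; the RSA certificate is left out for length and goes through the same cert_to_jwk path.

```python
"""Build a JWK Set from an OIDC RP's KeyDescriptors: an added, standard-library-only
example (X.509 read by a minimal DER walker), not the project's own code."""
import base64, json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "oidcmd": "urn:mace:shibboleth:metadata:oidc:1.0"}
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey
CURVES = {bytes.fromhex("2a8648ce3d030107"): ("P-256", 32), bytes.fromhex("2b81040022"): ("P-384", 48)}

def b64url(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def uint_b64url(raw): return b64url(raw.lstrip(b"\x00") or b"\x00")  # JWK ints: no leading zero octets
def b64_text(text): return base64.b64decode("".join(text.split()))  # metadata Base64 is wrapped/indented

def der_items(buf):
    """Split a DER byte string into (tag, value) pairs; enough to walk a certificate."""
    items, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            count = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def cert_to_jwk(der):
    """Public key of a DER X.509 certificate as a JWK (RSA, or EC on a listed curve)."""
    fields = der_items(der_items(der_items(der)[0][1])[0][1])  # tbsCertificate members
    spki = fields[6 if fields[0][0] == 0xA0 else 5]  # an explicit [0] version shifts SPKI
    alg, bits = der_items(spki[1])
    alg_oid, params = der_items(alg[1])[0][1], der_items(alg[1])
    key = bits[1][1:]  # BIT STRING: skip the unused-bits octet
    if alg_oid == OID_RSA:
        n, e = (v for _, v in der_items(der_items(key)[0][1]))
        return {"kty": "RSA", "n": uint_b64url(n), "e": uint_b64url(e)}
    if alg_oid == OID_EC and key[0] == 4:  # uncompressed point 04 || X || Y
        crv, size = CURVES[params[1][1]]
        return {"kty": "EC", "crv": crv, "x": b64url(key[1:1 + size]), "y": b64url(key[1 + size:1 + 2 * size])}
    raise ValueError("unsupported SubjectPublicKeyInfo")

def key_descriptors_to_jwks(xml_text):
    """Every public key under SPSSODescriptor/KeyDescriptor as one JWK Set. ds:KeyName becomes
    kid (assumption: a kid already inside JwksData wins), the use attribute becomes the JWK
    use, and client secrets found in KeyInfo are skipped."""
    keys = []
    for kd in ET.fromstring(xml_text).iterfind("md:SPSSODescriptor/md:KeyDescriptor", NS):
        info = kd.find("ds:KeyInfo", NS)
        if info is None:
            continue
        found = [cert_to_jwk(b64_text(c.text)) for c in info.iterfind("ds:X509Data/ds:X509Certificate", NS)]
        for rsa in info.iterfind("ds:KeyValue/ds:RSAKeyValue", NS):
            found.append({"kty": "RSA", "n": uint_b64url(b64_text(rsa.findtext("ds:Modulus", "", NS))),
                          "e": uint_b64url(b64_text(rsa.findtext("ds:Exponent", "", NS)))})
        for data in info.iterfind("oidcmd:JwksData", NS):
            decoded = json.loads(b64_text(data.text))
            found.extend(decoded["keys"] if "keys" in decoded else [decoded])  # tolerate a bare JWK
        name = info.findtext("ds:KeyName", None, NS)
        use = {"signing": "sig", "encryption": "enc"}.get(kd.get("use"))
        for jwk in found:
            if name and "kid" not in jwk:
                jwk["kid"] = name
            if use and "use" not in jwk:
                jwk["use"] = use
        keys.extend(found)
    return {"keys": keys}

# Constructed sample (no live metadata): the page's EC certificate, RSAKeyValue and JwksData
# descriptors plus a client-secret reference, which must not turn into a key.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" entityID="mockSamlClientId">
  <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
    <md:KeyDescriptor><ds:KeyInfo><oidcmd:ClientSecretKeyReference>mockClientSecretKey</oidcmd:ClientSecretKeyReference></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>mockX509EC</ds:KeyName><ds:X509Data><ds:X509Certificate>
MIIBKDCBzgIJAOYlspXlaqguMAoGCCqGSM49BAMCMBwxCzAJBgNVBAYTAkZJMQ0wCwYDVQQDDAR0ZXN0MB4XDTE5MTEwMTA4Mjg0OVoXDTIwMTAzMTA4Mjg0OVowHDEL
MAkGA1UEBhMCRkkxDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARCUOlFMtRj3MIbdCzXmoGz4giDwjzPoX4AxMehhlXmPOodQhLDdvDqx3KE
hqadzIIsKHRQPDycscpHWpPbaQ2VMAoGCCqGSM49BAMCA0kAMEYCIQCVykSuUjlXj4lxI6YqgYVuuhL2rG4hIrXw/pCey7eF2gIhAOSSaS025lQWy09W4NlnO28OkHoI
+Hbap7+DQlhbbr2d
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>mockRSA</ds:KeyName><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>
AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjjK8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e
XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+ntIZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I
X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=
    </ds:Modulus><ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>mockJwkId</ds:KeyName><oidcmd:JwksData>
ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGciOiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx
aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW
VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tRZks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw
c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpfekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=
    </oidcmd:JwksData></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
```

Running `key_descriptors_to_jwks(SAMPLE)` yields three keys: the EC certificate as a P-256 key with kid mockX509EC, the RSAKeyValue as a 2048-bit RSA key with kid mockRSA, and the embedded JWK keeping its own kid mock. The secret reference in the first KeyDescriptor is never exposed, which is the property to verify whenever a key set built from metadata is published at an issuer's jwks endpoint.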

Mappings between the JSON claims and SAML metadata elements

The definitions of the JSON claims can be found in the following specifications:

XML namespaces used in the table:

  • default (no prefix): urn:oasis:names:tc:SAML:2.0:metadata
  • mdui: urn:oasis:names:tc:SAML:metadata:ui
  • ds: http://www.w3.org/2000/09/xmldsig#
  • oidcmd: urn:mace:shibboleth:metadata:oidc:1.0


| JSON claim | SAML metadata location | Notes |
|---|---|---|
| client_id | EntityDescriptor/@entityID | |
| client_secret | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret or EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecretKeyReference | Only one value per entity: either the plaintext secret or a reference key resolved outside the metadata |
| redirect_uri | EntityDescriptor/SPSSODescriptor/AssertionConsumerService | Binding: https://tools.ietf.org/html/rfc6749#section-3.1.2; the Location attribute carries the URL, one element per redirection endpoint |
| token_endpoint_auth_method | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:TokenEndpointAuthMethod | |
| grant_types | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:GrantType | |
| response_types | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:ResponseType | |
| application_type | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:ApplicationType | |
| client_name | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:DisplayName | |
| client_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:ClientUri | |
| logo_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:Logo | |
| scope | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:Scope | |
| contacts | EntityDescriptor/ContactPerson/EmailAddress | |
| tos_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:InformationURL | |
| policy_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:PrivacyStatementURL | |
| jwks_uri | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:JwksUri | |
| jwks | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:JwksData | The value is the Base64-encoded JSON string of the key set |
| software_id | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:SoftwareId | |
| software_version | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:SoftwareVersion | |
| sector_identifier_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:SectorIdentifierUri | |
| subject_type | EntityDescriptor/SPSSODescriptor/NameIDFormat | public or pairwise |
| id_token_signed_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenSignedResponseAlg | |
| id_token_encrypted_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenEncryptedResponseAlg | |
| id_token_encrypted_response_enc | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenEncryptedResponseEnc | |
| userinfo_signed_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:UserInfoSignedResponseAlg | |
| userinfo_encrypted_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:UserInfoEncryptedResponseAlg | |
| userinfo_encrypted_response_enc | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:UserInfoEncryptedResponseEnc | |
| request_object_signing_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:RequestObjectSigningAlg | |
| request_object_encryption_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:RequestObjectEncryptionAlg | |
| request_object_encryption_enc | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:RequestObjectEncryptionEnc | |
| token_endpoint_auth_signing_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:TokenEndpointAuthSigningAlg | |
| default_max_age | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/@defaultMaxAge | |
| require_auth_time | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/@requireAuthTime | |
| default_acr_values | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:DefaultAcrValue | |
| initiate_login_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:InitiateLoginUri | |
| request_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:RequestUri | |
| post_logout_redirect_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:PostLogoutRedirectUri | |
| organization_name | EntityDescriptor/Organization/OrganizationName | |