Child pages
  • ShibbolethMetadataProfile

The Shibboleth 1.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

Skip to end of metadata
Go to start of metadata

Shibboleth, as a general specification, relies on a pair of published SAML specifications and some additional guidelines, outlined in the Shibboleth Protocol Specification, the latest version of which can be found in the TechnicalSpecs topic.

As a practical matter, basic interoperability is not fully addressed by that specification because of gaps in the SAML specification and extensions defined by the Shibboleth implementation to address value-added features.

Herein, we define the additional assumptions, behavior, and supported features of the Shibboleth software itself.

Schema Extensions

The schema currently supported by ShibOnedotThree is in the namespace urn:mace:shibboleth:metadata:1.0 and is defined by this document.

At this time, it is expected that ShibTwodotZero will also support this schema, and will not define additional extensions.


Formerly <OriginSite> / <Domain> in older Shibboleth versions, this element is found in the <md:Extensions> element of an attribute-supplying role descriptor ( <md:IDPSSODescriptor> , <md:AttributeAuthorityDescriptor>). As of Shibboleth 2.0, the element can also be placed into the <md:Extensions> element of the <md:EntityDescriptor> element as well, applying to all roles.

Each element identifies a permissible attribute "scope" for the role. Scope is an attribute-specific concept used in Shibboleth to enhance the functionality of the AttributeAcceptancePolicy features.


Formerly <Trust> / <KeyAuthority> in older Shibboleth versions, this element is found in the <md:Extensions> element of the <md:EntitiesDescriptor> and <md:EntityDescriptor> elements.

Each element represents a set of input to a certificate path-building operation during transactions involving the roles or system entities contained within the parent element. Each <ds:KeyInfo> element represents a single trust anchor for such operations, generally an X.509 certificate.

The VerifyDepth attribute controls the maximum path length to allow, using the PKIX-specified definition of path length (which is basically one less than the actual chain length?)

  • No labels