Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Metadata topic covers the general structure of metadata for any entity. This topic will specifically cover the parts that describe an SP. This is an overview of how to create metadata about an SP, which you will give to an IdP. If you're looking for the reverse, that's here.

Tip
titleShibboleth-Specific Tip

When first starting out, you can usually begin by relying on the SP software to generate an initial set of metadata about itself, once you've configured it, by accessing a URL like https://service.example.org/Shibboleth.sso/Metadata

This will only help if you've already configured the SP's entityID and credentials, and properly established the web server's virtual hostname information. Even then, it may not be exactly what you need, but it should be helpful to look at and edit from.

...

Tip
titleShibboleth-Specific Tip

The keys you identify in the metadata MUST match the keys you configure into the SP as credentials. If they don't match, your SP may be unable to decrypt information from the IdP, or will be unable to negotiate SOAP connections to query for attributes.

...

Tip
titleShibboleth-Specific Tip

The Location attribute of Logout endpoints is derived from the logout handlers defined in the SP. As with all SP handlers, the locations will typically be of the form scheme + vhost + "/Shibboleth.sso" + Location, where Location is determined from the handler element in the configuration.

The elements must also include a Binding attribute, which can be copied directly from the handler element in the configuration.

Note that each virtual host (combination of scheme, hostname, and port) operating within a particular SP MUST have its own set of endpoints expressed in the metadata.

...

Tip
titleShibboleth-Specific Tip

This isn't used all that often for Shibboleth SPs, which tend to be more attribute-centric in the use of SAML, but the 2.x IdP software can utilize this information in its format selection process.

It cannot be generated for you by the SP's metadata generator. It would need to be manually added, or if you want it included in the generated metadata, a "template" metadata file containing the information has to be supplied to the generator with the template property.

...

Tip
titleShibboleth-Specific Tip

The Location attribute of SSO endpoints is derived from the assertion consumer services defined in the SP. As with all SP handlers, the locations will typically be of the form scheme + vhost + "/Shibboleth.sso" + Location, where Location is determined from the handler element in the configuration.

The elements must also include a Binding attribute, which can be copied directly from the handler element in the configuration. You can generally copy the index attribute as well.

Note that each virtual host (combination of scheme, hostname, and port) operating within a particular SP MUST have its own set of endpoints expressed in the metadata.

...

Tip
titleShibboleth-Specific Tip

This content cannot be generated for you by the SP's metadata generator. It would need to be manually added, or if you want it included in the generated metadata, a "template" metadata file containing the information has to be supplied to the generator with the template property.

...

These examples are written to reflect the typical default configuration of a Shibboleth SP, but obviously specifics may vary. Note that it's very important that what you support match what you advertise. For example, if you have not properly integrated single logout into your application and user interface, then don't claim to support it.

Code Block
xml
xml
titleComplete Example Supporting SAML 2.0 and SAML 1.1xml
<md:EntityDescriptor entityID="https://service.example.org/shibboleth" validUntil="2010-01-01T00:00:00Z">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/SOAP"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Redirect"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/POST"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Artifact"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/POST" index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/Artifact" index="3"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/ECP" index="4"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/POST" index="5"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/Artifact" index="6"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>

      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>

      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

    </md:AttributeConsumingService>

  </md:SPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://service.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>
Code Block
xml
xml
titleComplete Example Supporting SAML 1.1 Onlyxml
<md:EntityDescriptor entityID="https://service.example.org/shibboleth" validUntil="2010-01-01T00:00:00Z">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/POST" index="5"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/Artifact" index="6"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    </md:AttributeConsumingService>

  </md:SPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://service.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>