Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tip
titleShibboleth-Specific Tip

When first starting out, you can usually begin by relying on the SP software to generate an initial set of metadata about itself, once you've configured it, by accessing a URL like https://service.example.org/Shibboleth.sso/Metadata

This will only help if you've already configured the SP's entityID and credentials, and properly established the web server's virtual hostname information. Even then, it may not be exactly what you need, but it should be helpful to look at and edit from.

Table of Contents

General Structure

SP metadata is contained within the <md:SPSSODescriptor> role element. As with all roles, you MUST include the proper protocolSupportEnumeration value to reflect the protocol families the SP supports, as descibed in the Metadata topic. Failure to do so will prevent the IdP from recognizing the SP properly.

...

  • the public key(s) used by the SP for authentication and encryption
  • endpoints of various types for communicating with it
  • explicitly supported name identifier formats, if any
  • descriptions of the "services" offered by the SP and the SAML attributes required by them

...

Tip
titleShibboleth-Specific Tip

This isn't used all that often for Shibboleth SPs, which tend to be more attribute-centric in the use of SAML, but the 2.x Shibboleth IdP software can utilize this information in its format selection process.

It cannot be generated for you by the SP's metadata generator. It would need to be manually added, or if you want it included in the generated metadata, a "template" metadata file containing the information has to be supplied to the generator with the template property.

...

Code Block
xml
xml
titleComplete Example Supporting SAML 2.0 and SAML 1.1

<md:EntityDescriptor entityID="https://service.example.org/shibboleth" validUntil="2010-01-01T00:00:00Z">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/SOAP"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Redirect"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/POST"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleLogoutService Location="https://service.example.org/Shibboleth.sso/SLO/Artifact"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>

    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/POST" index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/Artifact" index="3"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML2/ECP" index="4"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/POST" index="5"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/Artifact" index="6"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>

      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>

      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

    </md:AttributeConsumingService>

  </md:SPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://service.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>
Code Block
xml
xml
titleComplete Example Supporting SAML 1.1 Only

<md:EntityDescriptor entityID="https://service.example.org/shibboleth" validUntil="2010-01-01T00:00:00Z">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">

    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/POST" index="5"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"/>
    <md:AssertionConsumerService Location="https://service.example.org/Shibboleth.sso/SAML/Artifact" index="6"
      Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"/>

    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    </md:AttributeConsumingService>

  </md:SPSSODescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://service.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>