shibboleth-dev - Example State metadata with SAML 2.0 schema

Subject: Shibboleth Developers

Example State metadata with SAML 2.0 schema


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: Example State metadata with SAML 2.0 schema
  • Date: Thu, 26 Aug 2004 14:04:14 -0400
  • Organization: The Ohio State University

At Howard's request, I'm attaching a proposed example of how we might
profile use of SAML 2 metadata for use by the existing Shibboleth code. The
schema used is the committee draft version.

I'll probably get back to editing the Shib protocol spec and start a new
section on this issue with a formal proposal.

The only place things became ugly was how to specify protocol support for
the IDP role, since the protocol request to the IdP is Shibboleth-defined,
and the result back out is SAML 1.x. So I went ahead and just put two URIs
into the attribute, to indicate support for both. The AA and SP roles are
cleaner, since it's just pure SAML.

The only other hack was to invent an approach to use in specifying the SAML
"binding" to use in the endpoints for the IdP SSO service (what we call the
HS) and the SP ACS (what we called the Shire URL). The profiles we use now
aren't defined as bindings in SAML 1.x-speak, but it's reasonable to stick a
profile URI in to indicate that a particular SHIRE endpoint expects the SAML
POST profile, and that a HS endpoint expects the Shibboleth authn request
URL string.

The metadata illustrates, among other things, indicating that the IdP only
supports the Shib-defined "handle" format, and explicitly lists the EPPN
attribute (though named by an OID, which I guess we're moving to) on both
ends.

I used ds:KeyName in the KeyDescriptors to show how we can map the existing
approach of naming certificates and using the trust file. We will obviously
allow embedding certs directly in the metadata though, which the code
currently handles but the old metadata can't.

To clarify, I'm just hand-wavy inventing this. It's not defined by the spec,
and there is no interop intended with SAML 1.x via this approach, unless the
TC decides to go back and profile it for SAML 1.1, which I don't think will
happen. It's just a convenience for the Shib project to have a consistent
format that can be supported across software versions.

-- Scott
<EntitiesDescriptor Name="urn:mace:inqueue"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata sstc-saml-schema-metadata-2.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

    <EntityDescriptor entityID="urn:mace:inqueue:example.edu">
    
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol urn:mace:shibboleth:1.0"
                errorURL="http://wayf.internet2.edu/InQueue/error.html">
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>wayf.internet2.edu</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <SingleSignOnService Binding="urn:mace:shibboleth:1.0"
                Location="https://wayf.internet2.edu/shibboleth-1.2/HS"/>
        </IDPSSODescriptor>
        
        <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol"
                errorURL="http://wayf.internet2.edu/InQueue/error.html">
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>wayf.internet2.edu</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                Location="https://wayf.internet2.edu/shibboleth-1.2/AA"/>
            <saml:Attribute NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
                Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        </AttributeAuthorityDescriptor>

        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>wayf.internet2.edu</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <AssertionConsumerService isDefault="true" index="0"
                Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                Location="https://wayf.internet2.edu/Shibboleth.shire"/>
        </SPSSODescriptor>

        <AttributeConsumerDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol">
            <KeyDescriptor use="signing">
                <ds:KeyInfo>
                    <ds:KeyName>wayf.internet2.edu</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <AttributeConsumingService index="0">
                <ServiceName xml:lang="en">
                InQueue Sample Service
                </ServiceName>
                <RequestedAttribute NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"
                    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
            </AttributeConsumingService>
        </AttributeConsumerDescriptor>
        
        <Organization>
            <OrganizationName xml:lang="en">
            Example State University
            </OrganizationName>
            <OrganizationDisplayName xml:lang="en">
            Example State University
            </OrganizationDisplayName>
            <OrganizationURL xml:lang="en">
            https://wayf.internet2.edu/
            </OrganizationURL>
        </Organization>

        <ContactPerson contactType="technical">
            <Company>Internet2</Company>
            <GivenName>InQueue Support</GivenName>
            <EmailAddress>mailto:</EmailAddress>
        </ContactPerson>
    </EntityDescriptor>
    
</EntitiesDescriptor>
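The following is an added example, not code from the Shibboleth project or from the message above: a small consumer that reads metadata profiled the way the mail proposes and turns it into what a Shibboleth 1.2 deployment actually needs. It pulls out the HS, AA and SHIRE endpoints, enforces the invented conventions (the IdP role must list both the SAML 1.0 protocol URI and the Shib request URI; the HS endpoint must carry the Shib "binding", the AA the SAML SOAP binding, the SHIRE the browser POST profile), requires the handle NameIDFormat, and resolves each ds:KeyName against a trust file modelled as a dict. The metadata string is a trimmed copy of the attachment; the trust-file contents and the helper names are my own constructions. It does not verify a signature on the metadata (the attachment is unsigned), which a real consumer must do before trusting any of it.

```python
# Added example (not Shibboleth project code): consume Shib-profiled SAML 2.0 metadata.
import xml.etree.ElementTree as ET  # assumption: trusted feed; use defusedxml for untrusted XML

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.0:protocol"
SHIB_PROTOCOL = "urn:mace:shibboleth:1.0"  # Shib authn request, used as protocol and as HS "binding"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
SHIB_HANDLE = "urn:mace:shibboleth:1.0:nameIdentifier"

# Constructed stand-in for the Shib 1.x trust file: KeyName -> certificate (placeholder PEM text).
TRUST_FILE = {"wayf.internet2.edu": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----"}

# Trimmed copy of the attachment above (Organization/ContactPerson omitted).
METADATA = """<EntitiesDescriptor Name="urn:mace:inqueue" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <EntityDescriptor entityID="urn:mace:inqueue:example.edu">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol urn:mace:shibboleth:1.0">
   <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>wayf.internet2.edu</ds:KeyName></ds:KeyInfo></KeyDescriptor>
   <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
   <SingleSignOnService Binding="urn:mace:shibboleth:1.0" Location="https://wayf.internet2.edu/shibboleth-1.2/HS"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol">
   <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>wayf.internet2.edu</ds:KeyName></ds:KeyInfo></KeyDescriptor>
   <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://wayf.internet2.edu/shibboleth-1.2/AA"/>
   <saml:Attribute NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"/>
  </AttributeAuthorityDescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol">
   <KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>wayf.internet2.edu</ds:KeyName></ds:KeyInfo></KeyDescriptor>
   <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://wayf.internet2.edu/Shibboleth.shire"/>
  </SPSSODescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""


class MetadataError(ValueError):
    """Metadata does not fit the Shib 1.x profile sketched in the mail."""


def _q(ns, tag):
    return "{%s}%s" % (ns, tag)


def _protocols(role):
    return set((role.get("protocolSupportEnumeration") or "").split())


def _signing_certs(role, trust_file):
    """Resolve every ds:KeyName under a signing KeyDescriptor through the trust file."""
    certs = []
    for kd in role.findall(_q(MD, "KeyDescriptor")):
        if kd.get("use", "signing") != "signing":  # no 'use' means the key serves both purposes
            continue
        for kn in kd.iter(_q(DS, "KeyName")):
            name = (kn.text or "").strip()
            if name not in trust_file:
                raise MetadataError("KeyName %r not in trust file" % name)
            certs.append(trust_file[name])
    if not certs:
        raise MetadataError("%s has no resolvable signing key" % role.tag)
    return certs


def _endpoint(role, tag, binding):
    """Location of the default endpoint of this type; binding must match and transport must be TLS."""
    eps = role.findall(_q(MD, tag))
    if not eps:
        raise MetadataError("missing %s" % tag)
    ep = next((e for e in eps if e.get("isDefault") == "true"), eps[0])
    if ep.get("Binding") != binding:
        raise MetadataError("%s: expected binding %s, got %s" % (tag, binding, ep.get("Binding")))
    loc = ep.get("Location", "")
    if not loc.startswith("https://"):
        raise MetadataError("%s: endpoint must be https, got %r" % (tag, loc))
    return loc


def load_entity(xml_text, entity_id, trust_file=TRUST_FILE):
    """Resolve one EntityDescriptor into the endpoints, keys and attributes a Shib 1.2 site needs."""
    root = ET.fromstring(xml_text)
    entities = [root] if root.tag == _q(MD, "EntityDescriptor") else root.findall(_q(MD, "EntityDescriptor"))
    ent = next((e for e in entities if e.get("entityID") == entity_id), None)
    if ent is None:
        raise MetadataError("unknown entityID %s" % entity_id)
    out = {"entityID": entity_id}
    idp = ent.find(_q(MD, "IDPSSODescriptor"))
    if idp is not None:
        # The mail's hack: the IdP lists the Shib request URI and SAML 1.0 (for the response) together.
        if not {SAML1_PROTOCOL, SHIB_PROTOCOL} <= _protocols(idp):
            raise MetadataError("IdP must list both %s and %s" % (SAML1_PROTOCOL, SHIB_PROTOCOL))
        if SHIB_HANDLE not in [f.text.strip() for f in idp.findall(_q(MD, "NameIDFormat"))]:
            raise MetadataError("IdP does not issue Shib handles")
        out["hs"] = _endpoint(idp, "SingleSignOnService", SHIB_PROTOCOL)
        out["hs_certs"] = _signing_certs(idp, trust_file)
    aa = ent.find(_q(MD, "AttributeAuthorityDescriptor"))
    if aa is not None:
        if SAML1_PROTOCOL not in _protocols(aa):
            raise MetadataError("AA must support SAML 1.0")
        out["aa"] = _endpoint(aa, "AttributeService", SAML1_SOAP)
        out["aa_certs"] = _signing_certs(aa, trust_file)
        out["aa_attributes"] = [a.get("Name") for a in aa.findall(_q(SAML, "Attribute"))]
    sp = ent.find(_q(MD, "SPSSODescriptor"))
    if sp is not None:
        out["shire"] = _endpoint(sp, "AssertionConsumerService", SAML1_POST)
        out["sp_certs"] = _signing_certs(sp, trust_file)
    return out


if __name__ == "__main__":
    print(load_entity(METADATA, "urn:mace:inqueue:example.edu"))
```

A KeyName that is absent from the trust file is a hard error rather than a warning, which is the behaviour you want when the KeyName is the only link between the metadata and the certificate that signs assertions; once certificates are embedded directly in KeyDescriptor, the same function can take the certificate from ds:X509Data instead of the dict lookup.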

