
shibboleth-dev - metadata examples


metadata examples


  • From: Tom Scavo <>
  • To: Shibboleth Development <>
  • Subject: metadata examples
  • Date: Sat, 13 Nov 2004 17:17:16 -0500

Attached are two examples of metadata, one each for a Shibboleth IdP
and SP. I started with the two examples in the SAML2 Metadata doc,
applied the requirements in both the Shib Architecture doc and the
emerging SAML1 Metadata doc, and thereby arrived at these examples.
I'm sure there are errors, but perhaps they can be of some use.

Cheers,
Tom
<!--

Shibboleth IdP Metadata Example
(assumes SAML 1.x Metadata spec
and Shibboleth Architecture doc)

-->

<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://idp.edu/shibboleth/">
<ds:Signature>...</ds:Signature>
<!-- Note the protocolSupport -->
<md:IDPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol:v1.1
urn:mace:shibboleth:1.0">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>IdP SSO Key</ds:KeyName>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:ArtifactResolutionService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://idp.edu/shibboleth/ArtifactResolution"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<!-- Note the identifier -->
<md:NameIDFormat>
urn:mace:shibboleth:1.0:nameIdentifier
</md:NameIDFormat>
<!-- Note the Binding -->
<md:SingleSignOnService
Binding="urn:mace:shibboleth:1.0:profiles:SSO"
Location="https://idp.edu/shibboleth/SSO"/>
</md:IDPSSODescriptor>
<md:AttributeAuthorityDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol:v1.1">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>IdP AA Key</ds:KeyName>
</ds:KeyInfo>
</md:KeyDescriptor>
<!-- Binding is probably wrong -->
<md:AttributeService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.edu/shibboleth/AA/SOAP"/>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
</md:NameIDFormat>
<md:NameIDFormat>
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
</md:NameIDFormat>
<!-- Note the identifier -->
<md:NameIDFormat>
urn:mace:shibboleth:1.0:nameIdentifier
</md:NameIDFormat>
<!-- NameIDFormat must precede Attribute in the
AttributeAuthorityDescriptorType content model -->
<!-- Note the AttributeNamespace -->
<saml:Attribute
AttributeName="urn:mace:eduPerson:1.0:eduPersonPrincipalName"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
<!-- Note the AttributeNamespace -->
<saml:Attribute
AttributeName="urn:mace:eduPerson:1.0:eduPersonAffiliation"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
<saml:AttributeValue>member</saml:AttributeValue>
<saml:AttributeValue>student</saml:AttributeValue>
<saml:AttributeValue>faculty</saml:AttributeValue>
<saml:AttributeValue>employee</saml:AttributeValue>
<saml:AttributeValue>staff</saml:AttributeValue>
</saml:Attribute>
</md:AttributeAuthorityDescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">
Identity Provider University
</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">
Identity Provider University @ Some Location
</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">
http://www.idp.edu/
</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>

<!--

Shibboleth SP Metadata Example
(assumes SAML 1.x Metadata spec
and Shibboleth Architecture doc)

-->

<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://sp.edu/shibboleth/">
<ds:Signature>...</ds:Signature>
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol:v1.1">
<md:KeyDescriptor use="signing">
<ds:KeyInfo>
<ds:KeyName>SP SSO Key</ds:KeyName>
</ds:KeyInfo>
</md:KeyDescriptor>
<!-- Note the identifier -->
<md:NameIDFormat>
urn:mace:shibboleth:1.0:nameIdentifier
</md:NameIDFormat>
<md:AssertionConsumerService isDefault="true" index="0"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://sp.edu/shibboleth/SSO/POST"/>
<md:AssertionConsumerService index="1"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://sp.edu/shibboleth/SSO/Artifact"/>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">
Service Provider University Portal
</md:ServiceName>
<md:RequestedAttribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
FriendlyName="eduPersonEntitlement">
<saml:AttributeValue>
https://sp.edu/entitlements/123456789
</saml:AttributeValue>
</md:RequestedAttribute>
</md:AttributeConsumingService>
</md:SPSSODescriptor>
<!-- Deprecated! -->
<md:AttributeConsumerDescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol:v1.1">
<md:KeyDescriptor use="encryption">
<ds:KeyInfo>
<ds:KeyName>SP Encrypt Key</ds:KeyName>
</ds:KeyInfo>
<!-- rsa-1_5 (PKCS#1 v1.5 key transport) is subject to
Bleichenbacher-style padding-oracle attacks; rsa-oaep-mgf1p
is the safer XML Encryption key transport algorithm -->
<md:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
</md:KeyDescriptor>
<md:AttributeConsumingService index="0">
<md:ServiceName xml:lang="en">
Service Provider University Portal
</md:ServiceName>
<md:RequestedAttribute
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
FriendlyName="eduPersonEntitlement">
<saml:AttributeValue>
https://sp.edu/entitlements/123456789
</saml:AttributeValue>
</md:RequestedAttribute>
</md:AttributeConsumingService>
</md:AttributeConsumerDescriptor>
<md:Organization>
<md:OrganizationName xml:lang="en">
Service Provider University
</md:OrganizationName>
<md:OrganizationDisplayName xml:lang="en">
Service Provider University @ Some Location
</md:OrganizationDisplayName>
<md:OrganizationURL xml:lang="en">
http://www.sp.edu/
</md:OrganizationURL>
</md:Organization>
</md:EntityDescriptor>
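
The examples above are what a relying party consumes before it trusts a peer, so the checks worth automating are the ones that follow from the metadata's purpose: every endpoint Location should be https, every role should carry a signing KeyDescriptor, the EntityDescriptor should be signed, and an IdP should post an assertion only to an AssertionConsumerService URL that the SP actually registered (the `shire` target in Shibboleth 1.x). The following is an added example written for this page, not code from Tom's post or from the Shibboleth project. It uses only the Python standard library; the embedded SP_METADATA is a constructed sample trimmed from the SP example above, with its artifact endpoint deliberately changed to http:// so the checker has something to flag.

```python
"""Sanity checks for SAML 2.0-format metadata as used by Shibboleth 1.x.

Added example, not part of the original post. Parses an EntityDescriptor
and reports what a relying party should care about before trusting it.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample, trimmed from the SP example on this page. The
# http:// artifact endpoint is introduced on purpose to exercise a check.
SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.edu/shibboleth/">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.0:protocol:v1.1">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>SP SSO Key</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService isDefault="true" index="0"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.edu/shibboleth/SSO/POST"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="http://sp.edu/shibboleth/SSO/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

ROLE_TAGS = (
    "md:IDPSSODescriptor",
    "md:SPSSODescriptor",
    "md:AttributeAuthorityDescriptor",
)


def endpoints(root):
    """Yield (role, endpoint element name, Binding, Location) for every
    child of a role descriptor that carries a Location attribute."""
    for role_tag in ROLE_TAGS:
        for role in root.findall(role_tag, NS):
            for child in role:
                loc = child.get("Location")
                if loc is not None:
                    local_name = child.tag.split("}", 1)[1]
                    yield role_tag, local_name, child.get("Binding"), loc


def check_metadata(xml_text):
    """Return a list of human-readable issues; empty means nothing found."""
    root = ET.fromstring(xml_text)
    issues = []
    # Unsigned metadata gives a relying party no way to tell a registrar's
    # copy from an attacker's edited one.
    if root.find("ds:Signature", NS) is None:
        issues.append("no ds:Signature on EntityDescriptor")
    for role_tag in ROLE_TAGS:
        for role in root.findall(role_tag, NS):
            keys = role.findall("md:KeyDescriptor", NS)
            # A KeyDescriptor with no 'use' attribute serves both purposes.
            if not any(k.get("use") in (None, "signing") for k in keys):
                issues.append(f"{role_tag}: no signing KeyDescriptor")
    for role_tag, name, _binding, loc in endpoints(root):
        if urlsplit(loc).scheme != "https":
            issues.append(f"{role_tag}/{name}: non-https Location {loc}")
    return issues


def acs_locations(xml_text):
    """The set of AssertionConsumerService URLs the SP has registered."""
    root = ET.fromstring(xml_text)
    return {
        e.get("Location")
        for e in root.iterfind(".//md:AssertionConsumerService", NS)
    }


def acs_allowed(xml_text, requested):
    """Exact-match check an IdP should apply to the SP-supplied consumer
    URL before posting an assertion to it. Exact string comparison is
    deliberate: prefix or host-only matching lets a trailing path or
    a look-alike host slip through."""
    return requested in acs_locations(xml_text)


if __name__ == "__main__":
    for issue in check_metadata(SP_METADATA):
        print("issue:", issue)
    print(acs_allowed(SP_METADATA, "https://sp.edu/shibboleth/SSO/POST"))
    print(acs_allowed(SP_METADATA, "https://evil.example/shibboleth/SSO/POST"))
```

Run against the constructed sample it reports the missing signature and the http:// artifact endpoint, and it rejects any consumer URL not listed in the SP's metadata, including one that differs only by a trailing slash.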
