shibboleth-dev - Re: self service app to maintain Club Shib metadata, what metadata elements to access
  • From: Tom Scavo <>
  • Subject: Re: self service app to maintain Club Shib metadata, what metadata elements to access
  • Date: Tue, 22 Feb 2005 22:50:24 -0500

On Thu, 17 Feb 2005 12:43:13 -0500, <> wrote:
> a sample v2 metadata file can be viewed here:
> http://anoncvs.internet2.edu/cgi-bin/viewcvs.cgi/*checkout*/shibboleth/c/configs/IQ-sites.xml.in?rev=HEAD&content-type=text/plain

> EntityDescriptor/entityId -- the unique name of the entity. So far,
> we've been using a syntax of urn:mace:[federation name]:[org name]

(see other post in this thread)

> 1) Within the IDPSSODescriptor element, people would enter:
>
> -- domain (eg example.edu) one value

Where did this <shib:Domain> element come from? It's not mentioned in
the protocol spec...

> -- KeyDescriptor (paste in the self-signed cert)
> -- SingleSignOnService -- the url value of the Location attribute
> the program would assign default values to:
>
> -- NameIDFormat
> -- SingleSignOnService/Binding attribute

Should default to "<providerId>/SSO".

> 2) Within the AttributeAuthorityDescriptor element, people would enter:
>
> -- domain (same value as for IDSSO)

(same question here)

> -- AttributeService, url value for Location attribute
>
> the program would enter default values for:
>
> -- AttributeService/Binding attribute

Should default to "<providerId>/AA/SOAP".

> -- NameIDFormat
>
> 3) Within the SPSSODescriptor element, people would enter:
>
> -- KeyDescriptor (paste in a self-signed cert?)
> -- AssertionConsumerService, a url value for the Location attribute
>
> the program would provide default values for:
>
> -- SPSSODescriptor/protocolSupportEnumeration attribute
> -- NameIDFormat
> -- AssertionConsumerService/ Binding attribute

Possible bindings:
"urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
"urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"

Possible locations:
"<providerId>/SSO/POST"
"<providerId>/SSO/Artifact"

> 4) Within an Organization element, people would enter:
>
> -- OrganizationName
> -- OrganizationDisplayName
> -- OrganizationURL (optional)
> -- ContactPerson (only one of these elements)

Other comments:

- What about an <md:AttributeConsumingService> element in the
<md:SPSSODescriptor> element?

- Shouldn't there be two <md:EntityDescriptor> elements, one for the
IdP and one for the SP?

- Will each individual <md:EntityDescriptor> element be signed?

- Add urn:mace:shibboleth:1.0 to the protocolSupportEnumeration
attribute of the <md:IDPSSODescriptor> element.

- Add an <md:ArtifactResolutionService> element to the
<md:IDPSSODescriptor> element.

- Will additional values of <md:NameIDFormat> be allowed? How?

- Add an <md:KeyDescriptor> element to the
<md:AttributeAuthorityDescriptor> element.

- Why doesn't the <md:KeyDescriptor> element in the
<md:SPSSODescriptor> element have a use="signing" attribute?

- What about <saml:Attribute> element(s) in the
<md:AttributeAuthorityDescriptor> element?

Tom
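A small metadata lint that checks a document for the points raised in the message above (the urn:mace:shibboleth:1.0 protocol URI and an ArtifactResolutionService on the IdP, a KeyDescriptor on the attribute authority, use="signing" on the SP KeyDescriptor, and the two AssertionConsumerService bindings listed). This is an added example, not code from the thread or the Shibboleth project; it assumes the SAML 2.0 metadata namespace, and the sample document and entity IDs are constructed.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SHIB_PROTOCOL = "urn:mace:shibboleth:1.0"
ACS_BINDINGS = {"urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
                "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"}

def lint_entity(entity):
    """Return problem strings for one md:EntityDescriptor element."""
    eid = entity.get("entityID", "<missing entityID>")
    problems = []
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        if SHIB_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
            problems.append(f"{eid}: IDPSSODescriptor lacks {SHIB_PROTOCOL}")
        if idp.find("md:ArtifactResolutionService", NS) is None:
            problems.append(f"{eid}: IDPSSODescriptor has no ArtifactResolutionService")
    aa = entity.find("md:AttributeAuthorityDescriptor", NS)
    if aa is not None and aa.find("md:KeyDescriptor", NS) is None:
        problems.append(f"{eid}: AttributeAuthorityDescriptor has no KeyDescriptor")
    sp = entity.find("md:SPSSODescriptor", NS)
    if sp is not None:
        for kd in sp.findall("md:KeyDescriptor", NS):
            if kd.get("use") != "signing":
                problems.append(f'{eid}: SPSSODescriptor KeyDescriptor lacks use="signing"')
        for acs in sp.findall("md:AssertionConsumerService", NS):
            if acs.get("Binding") not in ACS_BINDINGS:
                problems.append(f"{eid}: unexpected AssertionConsumerService Binding")
    return problems

def lint_metadata(xml_text):
    """Lint every EntityDescriptor in a document; the root may itself be one."""
    root = ET.fromstring(xml_text)
    return [p for e in root.iter(f"{{{MD}}}EntityDescriptor") for p in lint_entity(e)]

# Constructed sample: IdP missing the Shibboleth protocol URI and ArtifactResolutionService,
# an AA with no KeyDescriptor, and an SP whose KeyDescriptor lacks use="signing".
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="urn:mace:example-fed:idp.example.edu">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:example-fed:sp.example.edu">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <md:KeyDescriptor/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://sp.example.edu/SSO/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
```

Running lint_metadata(SAMPLE) reports four problems for the constructed document; a self-service app could run the same checks before accepting a submission into the federation file.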