...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="mockSamlClientId">
<md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
<md:Extensions>
<oidcmd:OAuthRPExtensions>
OAuthRPExtensions
grant_types="authorization_code"
response_types="code"
token_endpoint_auth_method="client_secret_basic"
scopes="openid profile" />
<oidcmd:GrantType>authorization_code</oidcmd:GrantType></md:Extensions>
<md:KeyDescriptor>
<oidcmd:ResponseType>code</oidcmd:ResponseType><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<oidcmd:ApplicationType>web<ClientSecret>mockClientSecretValue</oidcmd:ApplicationType>ClientSecret>
<oidcmd:TokenEndpointAuthMethod>client_secret_basic</oidcmd:TokenEndpointAuthMethod></ds:KeyInfo>
</md:KeyDescriptor>
<oidcmd<md:Scope>openid</oidcmd:Scope>NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>
<md:AssertionConsumerService
<oidcmd:Scope>profile</oidcmd:Scope> </oidcmd:OAuthRPExtensions>
Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
</md:Extensions> <md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="httpLocation="https://wwwexample.w3.org/2000/09/xmldsig#cb">
<oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
index="1"/>
</dsmd:KeyInfo>
SPSSODescriptor>
</md:KeyDescriptor>EntityDescriptor> |
An example representing an OIDC RP with client secret value reference. The reference key (mockClientSecretKey) is exploited by client secret value resolvers, which are out of scope of this profile.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<md:EntityDescriptor <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" <md:AssertionConsumerServicexmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" entityID="mockSamlClientId"> Binding<md:SPSSODescriptor protocolSupportEnumeration="httpshttp://toolsopenid.ietf.orgnet/htmlspecs/rfc6749#section-3.1.2"openid-connect-core-1_0.html"> Location="https://example.org/cb"<md:Extensions> <oidcmd:OAuthRPExtensions index="1"/> </md:SPSSODescriptor> </md:EntityDescriptor> |
An example representing an OIDC RP with client secret value reference. The reference key (mockClientSecretKey) is exploited by client secret value resolvers, which are out of scope of this profile.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<md:EntityDescriptor grant_types="authorization_code" response_types="code" token_endpoint_auth_method="client_secret_basic" scopes="openid profile" /> </md:Extensions> <md:KeyDescriptor> <ds:KeyInfo xmlns:mdds="urn:oasis:names:tc:SAML:2.0:metadata"http://www.w3.org/2000/09/xmldsig#"> xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" <oidcmd:ClientSecretKeyReference>mockClientSecretKey</oidcmd:ClientSecretKeyReference> </ds:KeyInfo> entityID="mockSamlClientId"> <md</md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">KeyDescriptor> <md:Extensions>NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise</md:NameIDFormat> <oidcmd:OAuthRPExtensions><md:AssertionConsumerService <oidcmd:GrantType>authorization_code</oidcmd:GrantType>Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2" <oidcmd:ResponseType>code</oidcmd:ResponseType>Location="https://example.com/callback" <oidcmd:ApplicationType>web</oidcmd:ApplicationType>index="1"/> <oidcmd:TokenEndpointAuthMethod>client_secret_post</oidcmd:TokenEndpointAuthMethod> <oidcmd:Scope>openid</oidcmd:Scope></md:SPSSODescriptor> </md:EntityDescriptor> |
An example representing an OIDC RP with multiple public keys configured in the metadata. They're all taken into account and transformed into a JSON Web Key set, with ds:KeyName being used as a key identifier (kid).
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<md:EntityDescriptor <oidcmd:Scope>profile</oidcmd:Scope>xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" </oidcmd:OAuthRPExtensions>xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" entityID="mockSamlClientId"> </md:Extensions><md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html"> <md:KeyDescriptor>Extensions> <ds<oidcmd:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> OAuthRPExtensions grant_types="authorization_code" response_types="code" token_endpoint_auth_method="private_key_jwt" scopes="openid profile" /> </md:Extensions> <oidcmd:ClientSecretKeyReference>mockClientSecretKey</oidcmd:ClientSecretKeyReference> <md:KeyDescriptor use="signing"> </ds:KeyInfo><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <<ds:KeyName>mockX509RSA</mdds:KeyDescriptor>KeyName> <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise</md:NameIDFormat> <md<ds:AssertionConsumerServiceX509Data> Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2" <ds:X509Certificate> Location="https://example.com/callback" MIIEQDCCAqigAwIBAgIVAIarXvdvyS47KJR7U40FlTufyD8vMA0GCSqGSIb3DQEB index="1"/> CwUAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xOTA2MTcx </md:SPSSODescriptor> </md:EntityDescriptor> |
An example representing an OIDC RP with multiple public keys configured in the metadata. They're all taken into account and transformed into a JSON Web Key set, with ds:KeyName being used as a key identifier (kid).
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" MTI5MTJaFw0zOTA2MTcxMTI5MTJaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2Nh xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0" entityID="mockSamlClientId"> <md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html"> bGRvbWFpbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALXysGFnoBFh <md:Extensions> <oidcmd:OAuthRPExtensions> oasd5uMecp9OTBjvztntPUVmHfm4R3AcItEMEZEN/pETcX/wgKdo4qCBq4PrZITa <oidcmd:GrantType>authorization_code</oidcmd:GrantType> <oidcmd:ResponseType>code</oidcmd:ResponseType>T8Salgl0XL6qF1Wia3JNA7Hh/OaoQEUsbsHgsjLMKt6MJh8vIaE1o8loL7Ay4WmZ <oidcmd:ApplicationType>web</oidcmd:ApplicationType> Cr3wc8ZS6CpMsv+qbxkyfl1h7MTydETnQhg/X83bj+BjJSh7QeFU0d0SWK1dN2/D <oidcmd:TokenEndpointAuthMethod>private_key_jwt</oidcmd:TokenEndpointAuthMethod> <oidcmd:Scope>openid</oidcmd:Scope>nFoGOfuTfVqeDRIwMxKlR5G//8N202sLaG28NljaHhLn3jHXeiGpCQ+Q2X90dkFb <oidcmd:Scope>profile</oidcmd:Scope> EKb6sQ6SlDUAzm9MwLYjglDyOhXpUqOnvD67nggLb4Gn/4k+g5wtdfr7unOJYcHK </oidcmd:OAuthRPExtensions> </md:Extensions> <md:KeyDescriptor use="signing"> w7JGnI8Gd0lJMd6B3SpkhUOWgKv/D6HIBArhqSEmXuTyy8FewyYuo1XkIw/Lu3bB <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 9qoBojM1tygoGlKi7R7e719J+DSkhyGbMyQ59leoN97iGGgqjUWS5mew8zSNviyz <ds:KeyName>mockX509RSA</ds:KeyName> <ds:X509Data> 4uGqvxmLWU9UTH1YhlARsBF1bMiMnwLz7dF74AaAkC4pN3BYzDMyHQIDAQABo3Ew <ds:X509Certificate> bzAdBgNVHQ4EFgQUwKUd9D1Qymu2oBEVTscrAhP+sIUwTgYDVR0RBEcwRYIVbG9j MIIEQDCCAqigAwIBAgIVAIarXvdvyS47KJR7U40FlTufyD8vMA0GCSqGSIb3DQEB YWxob3N0LmxvY2FsZG9tYWluhixodHRwczovL2xvY2FsaG9zdC5sb2NhbGRvbWFp CwUAMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjAeFw0xOTA2MTcx bi9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEAEYqh54a+j5OuR1UB MTI5MTJaFw0zOTA2MTcxMTI5MTJaMCAxHjAcBgNVBAMMFWxvY2FsaG9zdC5sb2Nh /AT9k2xXVwHiqQXAC/2un8O5BWAOeOq9+0gLJO5yaJp5c9GjPXRJmnDfGP9HFF6R bGRvbWFpbjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALXysGFnoBFh CjngtRCm1gV/fpj97IRQS5oroaeTWPQ9ZD5+ogs5DNt6UZeJ2GqpfA5mOytNg3cM oasd5uMecp9OTBjvztntPUVmHfm4R3AcItEMEZEN/pETcX/wgKdo4qCBq4PrZITa OP1B5QnA1apOaG4FHTegJR7WOIXkkAjEJUy6R+5Q6At7DdK/SRrP5onVPFv2HgGF T8Salgl0XL6qF1Wia3JNA7Hh/OaoQEUsbsHgsjLMKt6MJh8vIaE1o8loL7Ay4WmZ E9v9iX/uQepDizS5F2oi6LZCl1/b38gxA8BFL7VZu53JQguaA7SrnP+dBOErT/yh Cr3wc8ZS6CpMsv+qbxkyfl1h7MTydETnQhg/X83bj+BjJSh7QeFU0d0SWK1dN2/D Qcx3e9wE2ms8H1qISIdl3e7gvLi5jEyDWC9Agde6EjjvVVJAF7jR0puQ39mBfoxP nFoGOfuTfVqeDRIwMxKlR5G//8N202sLaG28NljaHhLn3jHXeiGpCQ+Q2X90dkFb moVdHJQmCt3V7Ew9tYZUpG3rjp4YNXOiM+QhtwhHWT94q9uJKUQ6JvbxgLNDs5KM EKb6sQ6SlDUAzm9MwLYjglDyOhXpUqOnvD67nggLb4Gn/4k+g5wtdfr7unOJYcHK 3PENx2C60TPFne9nRRIMVDavU4wwY7GdCgeo8PiZ5zxI0ZCkxh38ODePtKQrxJ7i w7JGnI8Gd0lJMd6B3SpkhUOWgKv/D6HIBArhqSEmXuTyy8FewyYuo1XkIw/Lu3bB E0J1BE2LIxa1T7KY0XKpsH0iI2dNfZfNpNp4v/HiDb4svYgq</ds:X509Certificate> 9qoBojM1tygoGlKi7R7e719J+DSkhyGbMyQ59leoN97iGGgqjUWS5mew8zSNviyz</ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> 4uGqvxmLWU9UTH1YhlARsBF1bMiMnwLz7dF74AaAkC4pN3BYzDMyHQIDAQABo3Ew <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> bzAdBgNVHQ4EFgQUwKUd9D1Qymu2oBEVTscrAhP+sIUwTgYDVR0RBEcwRYIVbG9j <ds:KeyName>mockX509EC</ds:KeyName> YWxob3N0LmxvY2FsZG9tYWluhixodHRwczovL2xvY2FsaG9zdC5sb2NhbGRvbWFp <ds:X509Data> bi9pZHAvc2hpYmJvbGV0aDANBgkqhkiG9w0BAQsFAAOCAYEAEYqh54a+j5OuR1UB<ds:X509Certificate> /AT9k2xXVwHiqQXAC/2un8O5BWAOeOq9+0gLJO5yaJp5c9GjPXRJmnDfGP9HFF6RMIIBKDCBzgIJAOYlspXlaqguMAoGCCqGSM49BAMCMBwxCzAJBgNVBAYTAkZJMQ0w CjngtRCm1gV/fpj97IRQS5oroaeTWPQ9ZD5+ogs5DNt6UZeJ2GqpfA5mOytNg3cMCwYDVQQDDAR0ZXN0MB4XDTE5MTEwMTA4Mjg0OVoXDTIwMTAzMTA4Mjg0OVowHDEL OP1B5QnA1apOaG4FHTegJR7WOIXkkAjEJUy6R+5Q6At7DdK/SRrP5onVPFv2HgGFMAkGA1UEBhMCRkkxDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB E9v9iX/uQepDizS5F2oi6LZCl1/b38gxA8BFL7VZu53JQguaA7SrnP+dBOErT/yhBwNCAARCUOlFMtRj3MIbdCzXmoGz4giDwjzPoX4AxMehhlXmPOodQhLDdvDqx3KE Qcx3e9wE2ms8H1qISIdl3e7gvLi5jEyDWC9Agde6EjjvVVJAF7jR0puQ39mBfoxPhqadzIIsKHRQPDycscpHWpPbaQ2VMAoGCCqGSM49BAMCA0kAMEYCIQCVykSuUjlX moVdHJQmCt3V7Ew9tYZUpG3rjp4YNXOiM+QhtwhHWT94q9uJKUQ6JvbxgLNDs5KMj4lxI6YqgYVuuhL2rG4hIrXw/pCey7eF2gIhAOSSaS025lQWy09W4NlnO28OkHoI 3PENx2C60TPFne9nRRIMVDavU4wwY7GdCgeo8PiZ5zxI0ZCkxh38ODePtKQrxJ7i+Hbap7+DQlhbbr2d</ds:X509Certificate> </ds:X509Data> E0J1BE2LIxa1T7KY0XKpsH0iI2dNfZfNpNp4v/HiDb4svYgq</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>mockX509EC<KeyName>mockRSA</ds:KeyName> <ds:X509Data>KeyValue> <ds:X509Certificate>RSAKeyValue> MIIBKDCBzgIJAOYlspXlaqguMAoGCCqGSM49BAMCMBwxCzAJBgNVBAYTAkZJMQ0w<ds:Modulus> CwYDVQQDDAR0ZXN0MB4XDTE5MTEwMTA4Mjg0OVoXDTIwMTAzMTA4Mjg0OVowHDEL AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj MAkGA1UEBhMCRkkxDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e BwNCAARCUOlFMtRj3MIbdCzXmoGz4giDwjzPoX4AxMehhlXmPOodQhLDdvDqx3KE XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt hqadzIIsKHRQPDycscpHWpPbaQ2VMAoGCCqGSM49BAMCA0kAMEYCIQCVykSuUjlX IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I j4lxI6YqgYVuuhL2rG4hIrXw/pCey7eF2gIhAOSSaS025lQWy09W4NlnO28OkHoI +Hbap7+DQlhbbr2d<X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:X509Certificate>Modulus> <<ds:Exponent>AQAB</ds:X509Data>Exponent> </ds:KeyInfo>RSAKeyValue> </md:KeyDescriptor> <md:KeyDescriptor use="signing"></ds:KeyValue> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>mockRSA<KeyName>mockJwkId</ds:KeyName> <ds<oidcmd:KeyValue>JwksData> <ds:RSAKeyValue>ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx <ds:Modulus> aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3 AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:Modulus> <ds:Exponent>AQAB</ds:Exponent> </ds:RSAKeyValue> </ds:KeyValue> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>mockJwkId</ds:KeyName> <oidcmd:JwksData> ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3 UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData> </ds:KeyInfo> </md:KeyDescriptor> <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat> <md:AssertionConsumerService Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2" Location="https://example.org/cb" index="1"/> </md:SPSSODescriptor> </md:EntityDescriptor> |
Mappings between the JSON claims and SAML metadata elements
The definitions for the JSON claims can be found from the following specifications:
OAuth 2.0 Dynamic Client Registration protocol: https://tools.ietf.org/html/rfc7591
OIDC Dynamic Client Registration: https://openid.net/specs/openid-connect-registration-1_0.html
OIDC session management spec: https://openid.net/specs/openid-connect-session-1_0.html
OIDC federation spec (draft): https://openid.net/specs/openid-connect-federation-1_0.html
XML namespaces:
...
ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData> </ds:KeyInfo> </md:KeyDescriptor> <md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0 |
...
EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret
EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecretKeyReference
...
EntityDescriptor/SPSSODescriptor/AssertionConsumerService
Binding:
:nameid-format:public</md:NameIDFormat>
<md:AssertionConsumerService
Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
Location="https://example.org/cb"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor> |
Mappings between the JSON claims and SAML metadata elements
The definitions for the JSON claims can be found from the following specifications:
OAuth 2.0 Dynamic Client Registration protocol: https://tools.ietf.org/html/
...
OIDC Dynamic Client Registration: https://openid.net/specs/openid-connect-registration-1_0.html
OIDC session management spec: https://openid.net/specs/openid-connect-session-1_0.html
OIDC federation spec (draft): https://openid.net/specs/openid-connect-federation-1_0.html
XML namespaces:
- default (no prefix):
urn:oasis:names:tc:SAML:2.0:metadata - mdui:
urn:oasis:names:tc:SAML:metadata:ui - ds:
http://www.w3.org/2000/09/xmldsig# - oidcmd:
urn:mace:shibboleth:metadata:oidc:1.0
| JSON claim | SAML metadata location | Notes | ||||||
|---|---|---|---|---|---|---|---|---|
| client_id | EntityDescriptor/@entityID | |||||||
| client_secret | EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecretKeyReference | Only one value per entity | ||||||
| subjectredirect_typeuri | EntityDescriptor/SPSSODescriptor/ NameIDFormatAssertionConsumerService | One of: urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise Binding:
| ||||||
token_endpoint_auth_method application_type client_uri software_id software_version sector_identifier_uri id_token_signed_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenSignedResponseAlg | Only one value per entity | id_token id_token_encrypted_response_alg id_token_encrypted_response_enc userinfo_signed_response_alg userinfo_encrypted_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenEncryptedResponseAlg | Only one value per entity | id_token userinfo_encrypted_response_enc | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:IdTokenEncryptedResponseEnc | Only one value per entity |
| userinfo_signed_response_alg | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:UserInfoSignedResponseAlg | Only one value per entity | ||||||
| userinfo_encrypted_response_alg request_object_signing_alg request_object_encryption_alg request_object_encryption_enc token_endpoint_auth_signing_alg default_max_age require_auth_time initiate_login_uri | Like-named XML Attributes defined on: EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions /oidcmd:UserInfoEncryptedResponseAlg | Only one value per entity | userinfo_encrypted_response_enc | These are single-valued claims that map directly into XML Attributes in a metadata extension element. | ||||
grant_types response_types scopes | Like-named XML Attributes defined on: EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions /oidcmd:UserInfoEncryptedResponseEnc | Only one value per entity | request_object_signing_alg | These are multiple-valued claims that map directly into XML Attributes in a metadata extension element. Multiple values are supplied using a space-delimited list. | ||||
| client_name | EntityDescriptor/SPSSODescriptor/Extensions/oidcmdmdui:OAuthRPExtensionsUIInfo/oidcmdmdui:RequestObjectSigningAlg | Only one value per entity | request_object_encryption_algDisplayName | |||||
| logo_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmdmdui:OAuthRPExtensionsUIInfo/oidcmdmdui:RequestObjectEncryptionAlg | Only one value per entity | request_object_encryption_encLogo | |||||
| contacts | EntityDescriptor/ContactPerson/EmailAddress | |||||||
| organization_name | EntityDescriptor/Organization/OrganizationName | |||||||
| tos_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmdmdui:OAuthRPExtensionsUIInfo/oidcmdmdui:RequestObjectEncryptionEnc | Only one value per entity | token_endpoint_auth_signing_algInformationURL | |||||
| policy_uri | EntityDescriptor/SPSSODescriptor/Extensions/oidcmdmdui:OAuthRPExtensionsUIInfo/oidcmdmdui:TokenEndpointAuthSigningAlg | Only one value per entity | default_max_agePrivacyStatementURL | |||||
| jwks_uri | EntityDescriptor/SPSSODescriptor/Extensions/ds:KeyDescriptor/ds:KeyInfo/oidcmd:OAuthRPExtensions/@defaultMaxAge | require_auth_time | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/@requireAuthTime | default_acr_values | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:DefaultAcrValue | initiate_login_uriJwksUri | ||
| jwks | EntityDescriptor/SPSSODescriptor/ds:KeyDescriptor/ds:KeyInfo/oidcmd:JwksData | The value is Base64-encoded JSON string | ||||||
| subject_type | EntityDescriptor/SPSSODescriptor/NameIDFormat | One of:
| ||||||
| default_acr_values | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:InitiateLoginUri | Only one value per entitydefault_acr_value | Each value is defined in an extension element. | |||||
| request_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:RequestUrirequest_uri | Each value is defined in an extension element. | ||||||
| post_logout_redirect_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:PostLogoutRedirectUri | organization_name | EntityDescriptor/Organization/OrganizationNamepost_logout_redirect_uri | Each value is defined in an extension element. |