Versions Compared

Old Version 1

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 2

changes.mady.by.user ndk@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The corresponding structure in the metadata for this new certificate would be:

Code Block
	&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
		&lt;ds:KeyName&gt;idp<ds:KeyName>idp.supervillain.edu&lt;edu</ds:KeyName&gt;KeyName>
	&lt;</ds:KeyInfo&gt;KeyInfo>

One or more trusted roots that signed the certificates used within the federation must then also be added so that the certificates can be verified. This is done by placing an Extensions element within the main EntitiesDescriptor element, but before any EntityDescriptor element, such as:

Code Block
	&lt;Extensions&gt;<Extensions>
		&lt;shibmd<shibmd:KeyAuthority xmlns:shibmd=&quot;"urn:mace:shibboleth:metadata:1.0&quot;" VerifyDepth=&quot;5&quot;&gt;"5">
			&lt;<!-- Supervillain CA --&gt;>
			&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
				&lt;ds:X509Data&gt;<ds:X509Data>
					&lt;ds:X509Certificate&gt;<ds:X509Certificate>
MIIExzCCA6+gAwIBAgIJAM+MlFr0Sth6MA0GCSqGSIb3DQEBBQUAMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTAeFw0wNjA4MTcxOTU5NTNaFw0xMTA4MTYxOTU5NTNaMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6uFqas4dK6
A2wTZL0viRQNJrPyFnFBDSZGib/2ijhgzed/vvmZIBM9sFpwahcuR5hvyKUe37/c
/RSZXoNDi/eiNOx4qb0l9UB6bd8qvc4V1PnLE7L+ZYcmwrvTKm4x8qXMgEv1wca2
FPsreHNPdLiTUZ8v0tDTWi3Mgi7y47VTzJaTkcfmO1nL6xAtln5sLdH0PbMM3LAp
T1d3nwI3VdbhqqZ+6+OKEuC8gk5iH4lfrbr6C9bYS6vzIKrotHpZ3N2aIC3NMjJD
PMw/mfCuADfRNlHXgZW+0zyUkwGTMDea8qgsoAMWJGdeTIw8I1I3RhnbgLzdsNQl
b/1ZXx1uJRUCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQe+xSjYTrlfraJARjMxscb
j36jvDCB0gYDVR0jBIHKMIHHgBQe+xSjYTrlfraJARjMxscbj36jvKGBo6SBoDCB
nTEfMB0GA1UEAxMWU3VwZXJ2aWxsYWluOiBUaGUgUm9vdDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZHb3RoYW0xIDAeBgNVBAoTF1N1
cGVydmlsbGFpbiBVbml2ZXJzaXR5MScwJQYJKoZIhvcNAQkBFhhwZW5ndWluQHN1
cGVydmlsbGFpbi5lZHWCCQDPjJRa9ErYejAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQC4SPBDGYAxfbXd8N5OvG0drM7a5hjXfcCZpiILlPSRpxp79yh7
I5vVWxBxUfolwbei7PTBVy7CE27SUbSICeqWjcDCfjNjiZk6mLS80rm/TdLrHSyM
+Ujlw9MGcBGaLI+sdziDUMtTQDpeAyQTaGVbh1mx5874Hlo1VXqGYNo0RwR+iLfs
x48VuO6GbWVyxtktkE2ypz1KLWiyI056YynydRvuBCBHeRqGUixPlH9CrmeSCP2S
sfbiKnMOGXjIYbvbsTAMdW2iqg6IWa/fgxhvZoAXChM9bkhisJQc0qD0J5TJQwgr
uEyb50RJ7DWmXctSC0b3eymZ2lSXxAWNOsNy
					&lt;</ds:X509Certificate&gt;X509Certificate>
				&lt;</ds:X509Data&gt;X509Data>
			&lt;</ds:KeyInfo&gt;KeyInfo>
		&lt;</shibmd:KeyAuthority&gt;KeyAuthority>
	&lt;/Extensions&gt;</Extensions>

The complete simple metadata file would look like:

Code Block
&lt;EntitiesDescriptor<EntitiesDescriptor
	 xmlns=&quot;"urn:oasis:names:tc:SAML:2.0:metadata&quot;"
	 xmlns:xsi=&quot;"http://www.w3.org/2001/XMLSchema-instance&quot;"
	 xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;"
	 xmlns:shibmd=&quot;"urn:mace:shibboleth:metadata:1.0&quot;"
	 xsi:schemaLocation=&quot;"urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd
	 urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd
	 http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd&quot;"
	 Name=&quot;"https://www.supervillain.edu/evil-federation/policy.html&quot;"
	 validUntil=&quot;"2010-01-01T00:00:00Z&quot;&gt;">

	&lt;<!-- This is the metadata for Evil Federation using PKI for trust. --&gt;>

	&lt;Extensions&gt;<Extensions>
		&lt;shibmd<shibmd:KeyAuthority xmlns:shibmd=&quot;"urn:mace:shibboleth:metadata:1.0&quot;" VerifyDepth=&quot;5&quot;&gt;"5">
			&lt;<!-- Supervillain CA --&gt;>
			&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
				&lt;ds:X509Data&gt;<ds:X509Data>
					&lt;ds:X509Certificate&gt;<ds:X509Certificate>
MIIExzCCA6+gAwIBAgIJAM+MlFr0Sth6MA0GCSqGSIb3DQEBBQUAMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTAeFw0wNjA4MTcxOTU5NTNaFw0xMTA4MTYxOTU5NTNaMIGdMR8wHQYD
VQQDExZTdXBlcnZpbGxhaW46IFRoZSBSb290MQswCQYDVQQGEwJVUzERMA8GA1UE
CBMITmV3IFlvcmsxDzANBgNVBAcTBkdvdGhhbTEgMB4GA1UEChMXU3VwZXJ2aWxs
YWluIFVuaXZlcnNpdHkxJzAlBgkqhkiG9w0BCQEWGHBlbmd1aW5Ac3VwZXJ2aWxs
YWluLmVkdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6uFqas4dK6
A2wTZL0viRQNJrPyFnFBDSZGib/2ijhgzed/vvmZIBM9sFpwahcuR5hvyKUe37/c
/RSZXoNDi/eiNOx4qb0l9UB6bd8qvc4V1PnLE7L+ZYcmwrvTKm4x8qXMgEv1wca2
FPsreHNPdLiTUZ8v0tDTWi3Mgi7y47VTzJaTkcfmO1nL6xAtln5sLdH0PbMM3LAp
T1d3nwI3VdbhqqZ+6+OKEuC8gk5iH4lfrbr6C9bYS6vzIKrotHpZ3N2aIC3NMjJD
PMw/mfCuADfRNlHXgZW+0zyUkwGTMDea8qgsoAMWJGdeTIw8I1I3RhnbgLzdsNQl
b/1ZXx1uJRUCAwEAAaOCAQYwggECMB0GA1UdDgQWBBQe+xSjYTrlfraJARjMxscb
j36jvDCB0gYDVR0jBIHKMIHHgBQe+xSjYTrlfraJARjMxscbj36jvKGBo6SBoDCB
nTEfMB0GA1UEAxMWU3VwZXJ2aWxsYWluOiBUaGUgUm9vdDELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE5ldyBZb3JrMQ8wDQYDVQQHEwZHb3RoYW0xIDAeBgNVBAoTF1N1
cGVydmlsbGFpbiBVbml2ZXJzaXR5MScwJQYJKoZIhvcNAQkBFhhwZW5ndWluQHN1
cGVydmlsbGFpbi5lZHWCCQDPjJRa9ErYejAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBBQUAA4IBAQC4SPBDGYAxfbXd8N5OvG0drM7a5hjXfcCZpiILlPSRpxp79yh7
I5vVWxBxUfolwbei7PTBVy7CE27SUbSICeqWjcDCfjNjiZk6mLS80rm/TdLrHSyM
+Ujlw9MGcBGaLI+sdziDUMtTQDpeAyQTaGVbh1mx5874Hlo1VXqGYNo0RwR+iLfs
x48VuO6GbWVyxtktkE2ypz1KLWiyI056YynydRvuBCBHeRqGUixPlH9CrmeSCP2S
sfbiKnMOGXjIYbvbsTAMdW2iqg6IWa/fgxhvZoAXChM9bkhisJQc0qD0J5TJQwgr
uEyb50RJ7DWmXctSC0b3eymZ2lSXxAWNOsNy
					&lt;</ds:X509Certificate&gt;X509Certificate>
				&lt;</ds:X509Data&gt;X509Data>
			&lt;</ds:KeyInfo&gt;KeyInfo>
		&lt;</shibmd:KeyAuthority&gt;KeyAuthority>
	&lt;/Extensions&gt;</Extensions>

		&lt;<!-- The Supervillain IdP --&gt;>

	&lt;EntityDescriptor<EntityDescriptor entityID=&quot;"https://idp.example.org/shibboleth&quot;&gt;">
		&lt;IDPSSODescriptor<IDPSSODescriptor protocolSupportEnumeration=&quot;"urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0&quot;&gt;">
			&lt;Extensions&gt;<Extensions>
				&lt;<!-- It's authoritative for supervillain.edu. --&gt;>
				&lt;shibmd:Scope&gt;supervillain.edu&lt;<shibmd:Scope>supervillain.edu</shibmd:Scope&gt;Scope>
			&lt;/Extensions&gt;</Extensions>

			&lt;KeyDescriptor<KeyDescriptor use=&quot;signing&quot;&gt;"signing">
				&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
					&lt;ds:KeyName&gt;idp<ds:KeyName>idp.supervillain.edu&lt;edu</ds:KeyName&gt;KeyName>
				&lt;</ds:KeyInfo&gt;KeyInfo>
			&lt;/KeyDescriptor&gt;</KeyDescriptor>
			
			&lt;ArtifactResolutionService<ArtifactResolutionService index=&quot;1&quot;"1"
				Binding=&quot;"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding&quot;"
				Location=&quot;"http://idp.example.org:8080/shibboleth-idp/Artifact&quot;/&gt;"/>

			&lt;NameIDFormat&gt;urn<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier&lt;/NameIDFormat&gt;nameIdentifier</NameIDFormat>

			&lt;SingleSignOnService<SingleSignOnService Binding=&quot;"urn:mace:shibboleth:1.0:profiles:AuthnRequest&quot;"
				 Location=&quot;"https://idp.example.org/shibboleth-idp/SSO&quot;/&gt;"/>

		&lt;/IDPSSODescriptor&gt;</IDPSSODescriptor>
		
		&lt;AttributeAuthorityDescriptor<AttributeAuthorityDescriptor protocolSupportEnumeration=&quot;"urn:oasis:names:tc:SAML:1.1:protocol&quot;&gt;">
			&lt;Extensions&gt;<Extensions>
				&lt;<!-- It's authoritative for supervillain.edu. --&gt;>
				&lt;shibmd:Scope&gt;supervillain.edu&lt;<shibmd:Scope>supervillain.edu</shibmd:Scope&gt;Scope>
			&lt;/Extensions&gt;</Extensions>

			&lt;KeyDescriptor<KeyDescriptor use=&quot;signing&quot;&gt;"signing">
				&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
					&lt;ds:KeyName&gt;idp<ds:KeyName>idp.supervillain.edu&lt;edu</ds:KeyName&gt;KeyName>
				&lt;</ds:KeyInfo&gt;KeyInfo>
			&lt;/KeyDescriptor&gt;</KeyDescriptor>
			
			&lt;AttributeService<AttributeService Binding=&quot;"urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding&quot;"
				 Location=&quot;"http://idp.example.org:8080/shibboleth-idp/AA&quot;/&gt;"/>

			&lt;NameIDFormat&gt;urn<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier&lt;/NameIDFormat&gt;nameIdentifier</NameIDFormat>
		&lt;/AttributeAuthorityDescriptor&gt;</AttributeAuthorityDescriptor>

		&lt;Organization&gt;<Organization>
			 &lt;OrganizationName<OrganizationName xml:lang=&quot;en&quot;&gt;The"en">The Exalted University of Supervillains&lt;/OrganizationName&gt;Supervillains</OrganizationName>
			 &lt;OrganizationDisplayName<OrganizationDisplayName xml:lang=&quot;en&quot;&gt;Supervillain University&lt;/OrganizationDisplayName&gt;"en">Supervillain University</OrganizationDisplayName>
			 &lt;OrganizationURL<OrganizationURL xml:lang=&quot;en&quot;&gt;http"en">http://www.supervillain.edu/&lt;/OrganizationURL&gt;</OrganizationURL>
		&lt;/Organization&gt;</Organization>
		&lt;ContactPerson<ContactPerson contactType=&quot;technical&quot;&gt;"technical">
			 &lt;SurName&gt;Norman Osborn&lt;/SurName&gt;<SurName>Norman Osborn</SurName>
			 &lt;EmailAddress&gt;greengoblin@supervillain.edu&lt;/EmailAddress&gt;<EmailAddress>greengoblin@supervillain.edu</EmailAddress>
		&lt;/ContactPerson&gt;</ContactPerson>

	&lt;/EntityDescriptor&gt;</EntityDescriptor>

		&lt;<!-- The main Supervillain web server --&gt;>

	&lt;EntityDescriptor<EntityDescriptor entityID=&quot;"https://www.supervillain.edu/shibboleth/evil-federation/sp&quot;&gt;">
	
		&lt;SPSSODescriptor<SPSSODescriptor protocolSupportEnumeration=&quot;"urn:oasis:names:tc:SAML:1.1:protocol&quot;&gt;">
			&lt;KeyDescriptor<KeyDescriptor use=&quot;signing&quot;&gt;"signing">
				&lt;ds<ds:KeyInfo xmlns:ds=&quot;"http://www.w3.org/2000/09/xmldsig#&quot;&gt;">
					&lt;ds:KeyName&gt;www<ds:KeyName>www.supervillain.edu&lt;edu</ds:KeyName&gt;KeyName>
				&lt;</ds:KeyInfo&gt;KeyInfo>
			&lt;/KeyDescriptor&gt;</KeyDescriptor>

			&lt;NameIDFormat&gt;urn<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier&lt;/NameIDFormat&gt;nameIdentifier</NameIDFormat>

			&lt;AssertionConsumerService<AssertionConsumerService index=&quot;1&quot;"1" isDefault=&quot;true&quot;"true"
				Binding=&quot;"urn:oasis:names:tc:SAML:1.0:profiles:browser-post&quot;"
				Location=&quot;"https://www.supervillain.edu/Shibboleth.sso/SAML/POST&quot;/&gt;"/>
			&lt;AssertionConsumerService<AssertionConsumerService index=&quot;2&quot;"2"
				Binding=&quot;"urn:oasis:names:tc:SAML:1.0:profiles:artifact-01&quot;"
				Location=&quot;"https://www.supervillain.edu/Shibboleth.sso/SAML/Artifact&quot;/&gt;"/>
		&lt;/SPSSODescriptor&gt;</SPSSODescriptor>

		&lt;Organization&gt;<Organization>
			 &lt;OrganizationName<OrganizationName xml:lang=&quot;en&quot;&gt;The"en">The Exalted University of Supervillains&lt;/OrganizationName&gt;Supervillains</OrganizationName>
			 &lt;OrganizationDisplayName<OrganizationDisplayName xml:lang=&quot;en&quot;&gt;Supervillain University&lt;/OrganizationDisplayName&gt;"en">Supervillain University</OrganizationDisplayName>
			 &lt;OrganizationURL<OrganizationURL xml:lang=&quot;en&quot;&gt;http"en">http://www.supervillain.edu/&lt;/OrganizationURL&gt;</OrganizationURL>
		&lt;/Organization&gt;</Organization>
		&lt;ContactPerson<ContactPerson contactType=&quot;technical&quot;&gt;"technical">
			 &lt;SurName&gt;Erik<SurName>Erik Magnus Lehnsherr&lt;/SurName&gt;Lehnsherr</SurName>
			 &lt;EmailAddress&gt;magneto@supervillain.edu&lt;/EmailAddress&gt;<EmailAddress>magneto@supervillain.edu</EmailAddress>
		&lt;/ContactPerson&gt;</ContactPerson>
		
	&lt;/EntityDescriptor&gt;

&lt;/EntitiesDescriptor&gt;

%COMMENT%

...

</EntityDescriptor>

</EntitiesDescriptor>