
Tip
Shibboleth-Specific Tip

When first starting out, the IdP generates an initial metadata file during the installation process and copies it to metadata/idp-metadata.xml. It will contain the entityID and credentials generated by the installation process. You should modify it as needed if and when you make configuration changes.


General Structure

IdP metadata is contained within the <md:IDPSSODescriptor> and <md:AttributeAuthorityDescriptor> role elements. As with all roles, you MUST include the proper protocolSupportEnumeration value to reflect the protocol families the IdP supports, as described in the Metadata topic. Failure to do so will prevent the SP from recognizing the IdP properly.


Tip
Shibboleth-Specific Tip

The Shibboleth IdP software does not currently support this feature, though newer versions do include a partial implementation that happens to respond to standard messages on front-channel bindings and that can be advertised with such endpoints.

Documenting Identifiers

An IdP can identify specific "formats" of SAML name identifiers that it supports by listing each supported Format URI inside a <md:NameIDFormat> element.


Complete Example Supporting SAML 2.0 and the Shibboleth profile of SAML 1.1

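<!-- Example IdP entity descriptor advertising SAML 2.0 plus the Shibboleth profile of SAML 1.1.
     Certificates are elided and hostnames are example.org placeholders.
     The md and ds namespaces are declared once on the root so the document is well-formed on its own;
     the original listing left the md prefix unbound, which a conformant parser rejects. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.org/idp/shibboleth"
                     validUntil="2010-01-01T00:00:00Z">

  <!-- NOTE(review): validUntil is an example value that is already in the past. A consumer that
       enforces validUntil treats this metadata as expired; in a real file keep it a short interval
       ahead of the current time and refresh the metadata before it lapses. -->

  <!-- protocolSupportEnumeration lists every protocol family this role answers for; an SP that does
       not find the family it uses here will not recognize the IdP for that protocol. -->
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- No "use" attribute on KeyDescriptor: per the SAML metadata specification the key is then
         usable for both signing and encryption. Add use="signing" or use="encryption" to narrow it. -->
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- SOAP (back-channel) endpoints for artifact resolution, one per protocol version.
         Port 8443 is as written in the example; presumably a separately secured listener
         for SP-to-IdP calls, confirm against the deployment. -->
    <md:ArtifactResolutionService Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" index="1"/>
    <md:ArtifactResolutionService Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="2"/>

    <!-- Name identifier formats this role advertises. -->
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

    <!-- Front-channel SSO endpoints: one Shibboleth 1.x AuthnRequest endpoint and the three
         SAML 2.0 browser bindings (POST, POST-SimpleSign, Redirect). -->
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/Shibboleth/SSO"
      Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>

  </md:IDPSSODescriptor>

  <!-- Attribute authority role: answers back-channel attribute queries. It carries its own
       protocolSupportEnumeration, key and NameIDFormat list because each role is advertised
       independently (note it does not list the urn:mace:shibboleth:1.0 family). -->
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- Same key as above in this example; again no "use" attribute, so signing and encryption. -->
    <md:KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- SOAP attribute query endpoints, one per protocol version, on the same back-channel port. -->
    <md:AttributeService Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"/>
    <md:AttributeService Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

  </md:AttributeAuthorityDescriptor>

  <!-- Human-readable owner information; xml:lang tags the language of each value. -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>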