
These examples are written to reflect the typical default configuration of a Shibboleth IdP, but obviously specifics can vary. Note that it's very important that what you support matches what you advertise. For example, if you don't support single logout or artifact resolution (perhaps because of IdPStatelessClustering), then don't advertise them.

Complete Example Supporting SAML 2.0 and the Shibboleth profile of SAML 1.1
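<!--
  Complete IdP metadata example supporting SAML 2.0 and the Shibboleth profile of SAML 1.1.
  Fixes relative to the earlier listing: the md: prefix is now declared on the root
  (an undeclared prefix makes the document ill-formed), and a stray "<" that preceded
  the Binding attribute of the ECP SingleSignOnService has been removed.
  Every endpoint listed here must actually be served by the deployment; remove any that is not.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.org/idp/shibboleth"
                     validUntil="2010-01-01T00:00:00Z">
  <!-- validUntil is an expiry: consumers reject the document after this instant, so a real
       deployment keeps the window short and republishes the metadata before it lapses. -->

  <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- No "use" attribute, so this key is advertised for both signing and encryption.
         The elided value must be the IdP's own certificate; relying parties verify
         assertion signatures against it. -->
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Back-channel SOAP endpoints (port 8443 here); omit both if artifact resolution is not supported. -->
    <md:ArtifactResolutionService Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" index="1"/>
    <md:ArtifactResolutionService Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" index="2"/>

    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

    <!-- Front-channel SSO endpoints, one per supported binding. -->
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/Shibboleth/SSO"
      Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/POST-SimpleSign/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <!-- ECP is a SOAP binding carried on the same host as the front-channel endpoints. -->
    <md:SingleSignOnService Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

  </md:IDPSSODescriptor>

  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

    <!-- Same key as above; the attribute authority signs query responses with it. -->
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
           ... base64-encoded certificate elided ...
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Back-channel attribute query endpoints (SOAP, port 8443). -->
    <md:AttributeService Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"
      Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"/>
    <md:AttributeService Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>

    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

  </md:AttributeAuthorityDescriptor>

  <md:Organization>
    <md:OrganizationName xml:lang="en">Example Organization, Ltd.</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Organization</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.example.org/</md:OrganizationURL>
  </md:Organization>

</md:EntityDescriptor>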