Comment: At least these two URLs are wrong, possibly more I can't verify

...

Info: You can install the latest plugin version supported on your IdP version with .\plugin.sh -I net.shibboleth.idp.plugin.metadatagen

Plugin      | Plugin ID                             | Module(s)                                                              | Latest Version  | Bug Reporting
Metadatagen | net.shibboleth.idp.plugin.metadatagen | idp.plugin.MetadataGen.plugin, idp.plugin.MetadataGen.Templates.plugin | 2.0.0: download | https://shibboleth.atlassian.net/browse/JMETAGEN


...

Take care to wrap options containing whitespace in double quotes. The generator will automatically encode any XML-unsafe characters, so you should not pre-encode any of them.

Parameter | Multiple? | Description
--file, --out | | Output file to write to (stdout is used if not specified)
--batch-file, --batch | | Path to a batch file of individual commands to execute (see section below)
--omit-namespaces | | Prevents the generation of various XML namespace declarations in the root element, useful mainly for batches
--entityID, --client_id, --id | | Populates the entityID attribute, generally required to produce meaningful output
--scope | Y | Populates <shibmd:Scope> element(s)
--sp | | Generates an <md:SPSSODescriptor> role (this is the default)
--idp | | Generates an <md:IDPSSODescriptor> role
--aa | | Generates an <md:AttributeAuthorityDescriptor> role
--want-assertions-signed, -w | | Toggles on the WantAssertionsSigned flag in SP metadata
--nameid-format, -f | Y | Populates <md:NameIDFormat> elements
--certificate, --cert, -c | Y | Path to certificate file(s) intended for dual use (both signing and encryption)
--signing, -x | Y | Path to certificate file(s) specific to signing only
--encryption, -e | Y | Path to certificate file(s) specific to encryption only
--sso | Y | Manually specifies <md:SingleSignOnService> endpoint(s) (see below)
--attribute-query, --query | Y | Manually specifies <md:AttributeService> endpoint(s) (see below)
--artifact | Y | Manually specifies <md:ArtifactResolutionService> endpoint(s) (see below)
--logout | Y | Manually specifies <md:SingleLogoutService> endpoint(s) (see below)
--acs | Y | Manually specifies <md:AssertionConsumerService> endpoint(s) (see below)
--layout-file, --layout | | Path to a “layout template”, in effect a fragment of metadata containing an <md:EntityDescriptor> that specifies the endpoints to populate the output with (used in conjunction with the --hostname option)
--hostname, -h | Y | Specifies the hostname(s) to plug into the layout template specified with the --layout-file option
--lang | | Language tag to use for any i18n-supporting elements
--display-name, -y | | Generates an <mdui:DisplayName> extension element
--description, -d | | Generates an <mdui:Description> extension element
--logo-url, --logo | | Generates an <mdui:Logo> extension element (only external URI references supported)
--logo-width, --width | | Sets the Width attribute of the <mdui:Logo> extension element
--logo-height, --height | | Sets the Height attribute of the <mdui:Logo> extension element
--org-name, -o | | Generates <md:OrganizationName> and <md:OrganizationDisplayName> elements
--org-url, -u | | Generates an <md:OrganizationURL> element
--contact-admin, -a | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the “administrative” type
--contact-support, -s | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the “support” type
--contact-tech, -t | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the “technical” type
--entity-attr, --tag | Y | An expression of the form “name=value”, which will generate a <saml:Attribute> in an <mdattr:EntityAttributes> extension (note that this tool assumes all tags will have URI names)

The full set of options can be viewed with the --help option.
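The contact, entity-attribute and encoding rules in the table above are easy to get wrong (pre-encoding an ampersand produces "&amp;amp;" in the output). The following is an added example, not code from the plugin, that models those three rules with the Python standard library: contacts are split on "/", tags on the first "=", and raw values are handed to the XML serializer, which performs the escaping. The element names and child ordering follow the SAML 2.0 metadata schema; the default language tag "en" and the function names are my own assumptions.

```python
# Added example (not the plugin's own code): a small model of three of the
# option rules documented above, using only the Python standard library.
#  * --contact-*: the string is split on '/' into first/last/email
#  * --entity-attr / --tag: "name=value" becomes a <saml:Attribute> with a URI name
#  * values are passed raw; the XML serializer escapes '&', '<', '>' and quotes
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

for prefix, uri in (("md", MD), ("saml", SAML), ("mdattr", MDATTR)):
    ET.register_namespace(prefix, uri)


def parse_contact(spec):
    """Split 'first/last/email' on '/'. Empty parts are allowed ('/Bono/')."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError(f"contact must have the form first/last/email: {spec!r}")
    return tuple(parts)


def parse_entity_attr(spec):
    """Split 'name=value' on the first '='; the name is assumed to be a URI."""
    name, sep, value = spec.partition("=")
    if not sep or not name:
        raise ValueError(f"entity attribute must have the form name=value: {spec!r}")
    return name, value


def build_entity(entity_id, lang="en", org_name=None, org_url=None,
                 contacts=(), tags=()):
    """Assemble an <md:EntityDescriptor>. Child order follows the metadata
    schema (Extensions, Organization, ContactPerson); 'lang' models --lang."""
    ent = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    if tags:
        ext = ET.SubElement(ent, f"{{{MD}}}Extensions")
        ea = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
        for name, value in tags:
            attr = ET.SubElement(ea, f"{{{SAML}}}Attribute",
                                 {"Name": name, "NameFormat": URI_NAME_FORMAT})
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    if org_name or org_url:
        org = ET.SubElement(ent, f"{{{MD}}}Organization")
        if org_name:
            # --org-name populates both OrganizationName and OrganizationDisplayName
            for tag in ("OrganizationName", "OrganizationDisplayName"):
                ET.SubElement(org, f"{{{MD}}}{tag}", {XML_LANG: lang}).text = org_name
        if org_url:
            ET.SubElement(org, f"{{{MD}}}OrganizationURL", {XML_LANG: lang}).text = org_url
    for contact_type, (first, last, email) in contacts:
        cp = ET.SubElement(ent, f"{{{MD}}}ContactPerson", {"contactType": contact_type})
        if first:
            ET.SubElement(cp, f"{{{MD}}}GivenName").text = first
        if last:
            ET.SubElement(cp, f"{{{MD}}}SurName").text = last
        if email:
            ET.SubElement(cp, f"{{{MD}}}EmailAddress").text = email
    return ent


def to_xml(ent):
    """Serialize; this is where the '&' in 'Example & Org' becomes '&amp;'."""
    return ET.tostring(ent, encoding="unicode")


if __name__ == "__main__":
    # Constructed input mirroring the values used in the page's example invocation
    entity = build_entity(
        "https://sp.example.org",
        org_name="Example & Org",
        org_url="https://example.org?foo=bar&foo=baz",
        contacts=[("administrative", parse_contact("/Bono/")),
                  ("technical", parse_contact("John/Doe/mailto:doe@example.org")),
                  ("support", parse_contact("Help & Desk//support@example.org"))],
        tags=[parse_entity_attr("urn:oasis:names:tc:SAML:profiles:subject-id:req=subject-id")],
    )
    print(to_xml(entity))
```

Running the script prints a single EntityDescriptor in which "Example & Org" and the "&" in the organization URL are emitted as "&amp;" exactly once, and "/Bono/" yields a ContactPerson carrying only a SurName, which is the behaviour the table describes for values containing empty first or last parts.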

...

Endpoint expressions are in the form <binding>/<location>. The location portion may contain a scheme, or if none, the “https://” scheme will be applied automatically. The binding portion must be one of the following values:

Token        | Protocol and Binding
Redirect     | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
POST         | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
SimpleSign   | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
Artifact     | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
SOAP         | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:SOAP
PAOS         | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:PAOS
POST1        | SAML 1.1, urn:oasis:names:tc:SAML:1.0:profiles:browser-post
Artifact1    | SAML 1.1, urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
SOAP1        | SAML 1.1, urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
CAS          | CAS, https://www.apereo.org/cas/protocol/login
CAS (logout) | CAS, https://www.apereo.org/cas/protocol/logout (location portion ignored)
CASProxy     | CAS, https://www.apereo.org/cas/protocol/proxy
OIDC         | OIDC/OAuth, https://tools.ietf.org/html/rfc6749#section-3.1.2

Note that when endpoints require an index attribute, the generator will auto-generate those values by tracking them and incrementing the index. The indexes should not in general be used at runtime at this point.
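The endpoint-expression and index rules above can be checked with a model of the parser. The block below is an added example, not the plugin's code: it splits each expression on the first "/", maps the token through the binding table, applies "https://" when no scheme is present, numbers indexed endpoint types (AssertionConsumerService, ArtifactResolutionService) in order of appearance, and derives protocolSupportEnumeration from the SAML tokens used. Which element types carry an index and the child ordering come from the SAML 2.0 metadata schema; the CAS logout special case ("location portion ignored") is not modelled, and the function names are my own. Note that the page's example invocation passes a Redirect1 token that the table above does not list, so this model rejects it.

```python
# Added example (not the plugin's own code): a model of the endpoint
# expression rules documented above.
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD)

# Token -> binding URI, as listed in the table above (CAS logout omitted).
BINDINGS = {
    "Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "SimpleSign": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "Artifact": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "SOAP": "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
    "PAOS": "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
    "POST1": "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "Artifact1": "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
    "SOAP1": "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
    "CAS": "https://www.apereo.org/cas/protocol/login",
    "CASProxy": "https://www.apereo.org/cas/protocol/proxy",
    "OIDC": "https://tools.ietf.org/html/rfc6749#section-3.1.2",
}

# SAML protocol implied by each SAML token (tokens ending in "1" are SAML 1.1);
# used to fill protocolSupportEnumeration. CAS/OIDC tokens add no SAML protocol.
SAML_PROTOCOL = {
    token: ("urn:oasis:names:tc:SAML:1.1:protocol" if token.endswith("1")
            else "urn:oasis:names:tc:SAML:2.0:protocol")
    for token, uri in BINDINGS.items() if uri.startswith("urn:oasis:names:tc:SAML:")
}

# Endpoint types that carry an index attribute (IndexedEndpointType in the schema).
INDEXED = {"AssertionConsumerService", "ArtifactResolutionService"}

# A location "has a scheme" when it starts with scheme:// (checked by hand rather
# than with urlsplit, which mis-reads "host:8443/path" as a scheme on Python 3.9+).
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_endpoint(expr):
    """'<binding>/<location>' -> (token, binding URI, absolute location)."""
    token, sep, location = expr.partition("/")
    if not sep or not location:
        raise ValueError(f"expected <binding>/<location>: {expr!r}")
    if token not in BINDINGS:
        raise ValueError(f"unknown binding token {token!r}")
    if not SCHEME_RE.match(location):
        location = "https://" + location      # default scheme per the text above
    return token, BINDINGS[token], location


def add_endpoints(role, element_name, exprs):
    """Append one <md:ELEMENT> per expression; returns the SAML protocols used."""
    tag = f"{{{MD}}}{element_name}"
    protocols = set()
    for expr in exprs:
        token, binding, location = parse_endpoint(expr)
        attrs = {"Binding": binding, "Location": location}
        if element_name in INDEXED:
            # next index = number of endpoints of this type already in the role
            attrs["index"] = str(len(role.findall(tag)))
        ET.SubElement(role, tag, attrs)
        if token in SAML_PROTOCOL:
            protocols.add(SAML_PROTOCOL[token])
    return protocols


def build_sp(entity_id, acs, slo=(), artifact=()):
    """EntityDescriptor with one SPSSODescriptor; children in schema order."""
    ent = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(ent, f"{{{MD}}}SPSSODescriptor")
    protocols = set()
    protocols |= add_endpoints(sp, "ArtifactResolutionService", artifact)
    protocols |= add_endpoints(sp, "SingleLogoutService", slo)
    protocols |= add_endpoints(sp, "AssertionConsumerService", acs)
    sp.set("protocolSupportEnumeration", " ".join(sorted(protocols)))
    return ent


if __name__ == "__main__":
    # Constructed input: the --acs and --logout values from the page's example
    entity = build_sp(
        "https://sp.example.org",
        acs=["POST1/sp.example.org/Shibboleth.sso/SAML/POST",
             "POST/sp.example.org/Shibboleth.sso/SAML2/POST",
             "POST/sp2.example.org/Shibboleth.sso/SAML2/POST",
             "PAOS/sp.example.org/Shibboleth.sso/SAML2/ECP"],
        slo=["Redirect/sp.example.org/Shibboleth.sso/SLO/Redirect",
             "Artifact/sp.example.org/Shibboleth.sso/SLO/Artifact"],
    )
    print(ET.tostring(entity, encoding="unicode"))
```

With the page's four --acs values the output carries index="0" through index="3" in the order given, the two SingleLogoutService elements carry no index, and the mixed SAML 1.1/2.0 tokens produce both protocol URIs in protocolSupportEnumeration. This is also why the text warns against relying on the generated indexes at runtime: they are purely positional and change whenever the option order changes.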

...

```bash
$ metadatagen.sh --lang US-en \
  --logo https://idp.example.org/logo.png \
  --logo-width 128 \
  -o "Example & Org" \
  -u "https://example.org?foo=bar&foo=baz" \
  -a /Bono/ \
  -t John/Doe/mailto\:doe@example.org \
  --contact-support "Help & Desk//support@example.org" \
  --sp -w \
  --nameid-format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress \
  --idp \
  --aa \
  --entityID https://sp.example.org \
  --scope example.org \
  --cert /Users/example/Desktop/webauth.crt \
  --sso Redirect1/idp.example.org/idp/profile/SAML/SSO/Redirect \
  --sso Redirect/idp.example.org/idp/profile/SAML2/Redirect/SSO/Redirect \
  --sso POST/idp.example.org/idp/profile/SAML2/POST/SSO/POST \
  --sso SOAP/idp.example.org/idp/profile/SAML2/SSO/SOAP \
  --query SOAP/idp.example.org:8443/idp/profile/SAML2/AttributeQuery/SOAP \
  --query SOAP1/idp.example.org:8443/idp/profile/SAML/AttributeQuery/SOAP \
  --logout Redirect/sp.example.org/Shibboleth.sso/SLO/Redirect \
  --logout Artifact/sp.example.org/Shibboleth.sso/SLO/Artifact \
  --acs POST1/sp.example.org/Shibboleth.sso/SAML/POST \
  --acs POST/sp.example.org/Shibboleth.sso/SAML2/POST \
  --acs POST/sp2.example.org/Shibboleth.sso/SAML2/POST \
  --acs PAOS/sp.example.org/Shibboleth.sso/SAML2/ECP \
  --tag urn:oasis:names:tc:SAML:profiles:subject-id:req=subject-id
```

...

```text
--lang US-en
--logo https://idp.example.org/logo.png
--logo-width 128
-o Example\ &\ Org
-u https://example.org?foo=bar&foo=baz
-a /Bono/
-t John/Doe/mailto:doe@example.org
--contact-support Help\ &\ Desk//support@example.org
--sp -w
--idp
--aa
--entityID https://sp.example.org
--scope example.org
--nameid-format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
--cert /Users/scantor/Desktop/webauth2.crt
--sso Redirect1/idp.example.org/idp/profile/SAML/SSO/Redirect
--sso Redirect/idp.example.org/idp/profile/SAML2/Redirect/SSO/Redirect
--sso POST/idp.example.org/idp/profile/SAML2/POST/SSO/POST
--sso SOAP/idp.example.org/idp/profile/SAML2/SSO/SOAP
--query SOAP/idp.example.org:8443/idp/profile/SAML2/AttributeQuery/SOAP
--query SOAP1/idp.example.org:8443/idp/profile/SAML/AttributeQuery/SOAP
--logout Redirect/sp.example.org/Shibboleth.sso/SLO/Redirect
--logout Artifact/sp.example.org/Shibboleth.sso/SLO/Artifact
--acs POST1/sp.example.org/Shibboleth.sso/SAML/POST
--acs POST/sp.example.org/Shibboleth.sso/SAML2/POST
--acs POST/sp2.example.org/Shibboleth.sso/SAML2/POST
--acs PAOS/sp.example.org/Shibboleth.sso/SAML2/ECP
--tag urn:oasis:names:tc:SAML:profiles:subject-id:req=subject-id
.
```

...