Name: SAML 2.0 Metadata Extensions for Shibboleth
Version: 1.0
Status: Stable
IPR: Licensed under Apache 2.0
(c) The Ohio State University

The Shibboleth Identity Provider and Service Provider products implement support for two SAML 2.0 Metadata schema extensions, as described below.

...

The schema extensions are defined in the namespace urn:mace:shibboleth:metadata:1.0 by the following XML Schema document:

Code Block: Shibboleth Metadata Extension Schema (XML)
<?xml version="1.0" encoding="US-ASCII"?>
<schema targetNamespace="urn:mace:shibboleth:metadata:1.0"
	xmlns="http://www.w3.org/2001/XMLSchema"
	xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
	elementFormDefault="unqualified"
	attributeFormDefault="unqualified"
	version="1.0">

	<import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>

	<element name="Scope">
		<annotation>
			<documentation>
			SAML metadata extension used to regulate allowable attribute scopes.
			</documentation>
		</annotation>
		<complexType>
			<simpleContent>
				<extension base="string">
					<attribute name="regexp" type="boolean" use="optional" default="false"/>
				</extension>
			</simpleContent>
		</complexType>
	</element>

	<element name="KeyAuthority">
		<annotation>
			<documentation>
			Binds keying authorities to the system entity/entities to which the enclosing
			metadata element applies.
			</documentation>
		</annotation>
		<complexType>
			<sequence>
				<element ref="ds:KeyInfo" maxOccurs="unbounded"/>
			</sequence>
			<attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
			<anyAttribute namespace="##other" processContents="lax"/>
		</complexType>
	</element>

</schema> 

...

<shibmd:Scope>

Code Block: Scope Extension Element (XML)
<element name="Scope">
    <annotation>
        <documentation>
            SAML metadata extension used to regulate allowable attribute scopes.
        </documentation>
    </annotation>
    <complexType>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>
</element>

...

The Shibboleth V1.3 Service Provider processes this element when found in the <md:Extensions> element of an attribute-supplying role descriptor (<md:IDPSSODescriptor> or <md:AttributeAuthorityDescriptor>).

The Shibboleth V2 (and above) Service Provider and the V4+ Identity Provider also process this element when found in the <md:Extensions> element of the <md:EntityDescriptor>, interpreting it as applying to all roles.
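As an added example (not code from the Shibboleth page or project), the Python below collects the shibmd:Scope elements that apply to an IdP role, taking both the role's own <md:Extensions> and the entity-wide <md:Extensions> described above, and checks a candidate attribute scope against them. The sample metadata is constructed, and the case-insensitive comparison of DNS-like scopes is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample metadata: a literal scope on the IdP role and a
# regexp scope on the EntityDescriptor (applies to all roles).
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <shibmd:Scope regexp="true">^.+\\.example\\.org$</shibmd:Scope>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def collect_scopes(metadata_xml, role_tag="md:IDPSSODescriptor"):
    """Return (value, is_regexp) pairs applying to the role: scopes on the
    role's own <md:Extensions> plus entity-wide scopes on
    <md:EntityDescriptor>/<md:Extensions>. Missing regexp defaults to false."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for path in (f"./{role_tag}/md:Extensions/shibmd:Scope",
                 "./md:Extensions/shibmd:Scope"):
        for el in root.findall(path, NS):
            value = (el.text or "").strip()
            is_regexp = el.get("regexp", "false").lower() == "true"
            scopes.append((value, is_regexp))
    return scopes

def scope_allowed(scope, scopes):
    """Literal scopes must match the whole value; regexp scopes use
    fullmatch so a pattern can never accept a mere substring of the scope.
    Case-insensitive comparison is this example's assumption."""
    for value, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(value, scope, re.IGNORECASE):
                return True
        elif value.lower() == scope.lower():
            return True
    return False
```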

<shibmd:KeyAuthority>

Code Block: KeyAuthority Extension Element (XML)
<element name="KeyAuthority">
    <annotation>
        <documentation>
            Binds keying authorities to the system entity/entities to which the enclosing
            metadata element applies.
        </documentation>
    </annotation>
    <complexType>
        <sequence>
            <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
        <anyAttribute namespace="##other" processContents="lax"/>
    </complexType>
</element>

...