| Name | SAML 2.0 Metadata Extensions for Shibboleth |
|---|---|
| Version | 1.0 |
| Status | Stable |
| IPR | Licensed under Apache 2.0 (c) The Ohio State University |
The Shibboleth Identity Provider and Service Provider products implement support for two SAML 2.0 Metadata schema extensions, as described below.
...
The schema extensions are defined in the namespace urn:mace:shibboleth:metadata:1.0
by the following XML Schema document:
```xml
<?xml version="1.0" encoding="US-ASCII"?>
<schema targetNamespace="urn:mace:shibboleth:metadata:1.0"
        xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        elementFormDefault="unqualified"
        attributeFormDefault="unqualified"
        version="1.0">

    <import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="xmldsig-core-schema.xsd"/>

    <element name="Scope">
        <annotation>
            <documentation>
                SAML metadata extension used to regulate allowable attribute scopes.
            </documentation>
        </annotation>
        <complexType>
            <simpleContent>
                <extension base="string">
                    <attribute name="regexp" type="boolean" use="optional" default="false"/>
                </extension>
            </simpleContent>
        </complexType>
    </element>

    <element name="KeyAuthority">
        <annotation>
            <documentation>
                Binds keying authorities to the system entity/entities to which the enclosing metadata element applies.
            </documentation>
        </annotation>
        <complexType>
            <sequence>
                <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
            </sequence>
            <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
            <anyAttribute namespace="##other" processContents="lax"/>
        </complexType>
    </element>

</schema>
```
...
<shibmd:Scope>
```xml
<element name="Scope">
    <annotation>
        <documentation>
            SAML metadata extension used to regulate allowable attribute scopes.
        </documentation>
    </annotation>
    <complexType>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>
</element>
```
...
The Shibboleth V1.3 Service Provider processes this element when it appears in the <md:Extensions> element of an attribute-supplying role descriptor (<md:IDPSSODescriptor> or <md:AttributeAuthorityDescriptor>).

The Shibboleth V2 and later Service Provider and the V4 and later Identity Provider also process this element when it appears in the <md:Extensions> element of the <md:EntityDescriptor>, interpreting it as applying to all roles.
<shibmd:KeyAuthority>
```xml
<element name="KeyAuthority">
    <annotation>
        <documentation>
            Binds keying authorities to the system entity/entities to which the enclosing metadata element applies.
        </documentation>
    </annotation>
    <complexType>
        <sequence>
            <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
        <anyAttribute namespace="##other" processContents="lax"/>
    </complexType>
</element>
```
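The following is an added example, not code from the Shibboleth project or this page, showing how a consumer would read both extensions defined above: it collects <shibmd:Scope> elements from the entity-level and role-level <md:Extensions> (entity-level scopes applying to all roles, as described for the Scope element), applies the resulting scope check to scoped attribute values, and extracts the VerifyDepth and certificates from a <shibmd:KeyAuthority>. The metadata document, entityID and scope values are constructed for the example; splitting at the last "@", comparing literal scopes case-insensitively, requiring regexp scopes to match the whole scope, and rejecting values without a scope part are this example's own choices rather than documented Shibboleth behaviour.

```python
# Added example (not Shibboleth project code): parse the shibmd:Scope and
# shibmd:KeyAuthority extensions from SAML metadata and apply the scope check
# an SP performs on a scoped attribute value. The metadata, entityID and scopes
# below are constructed for this example.
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SHIBMD = "urn:mace:shibboleth:metadata:1.0"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed metadata: one literal scope at entity level, one regexp scope on
# the IdP role, and a KeyAuthority holding a placeholder certificate value.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:shibmd="{SHIBMD}"
    xmlns:ds="{DS}" entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions>
    <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    <shibmd:KeyAuthority VerifyDepth="2">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder-not-a-real-cert...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="true">^[a-z]+\\.dept\\.example\\.edu$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _scopes_in(parent):
    """Yield (value, is_regexp) for each shibmd:Scope directly under parent's
    md:Extensions. The schema uses attributeFormDefault="unqualified", so the
    regexp attribute is looked up without a namespace."""
    ext = parent.find(f"{{{MD}}}Extensions")
    if ext is None:
        return
    for s in ext.findall(f"{{{SHIBMD}}}Scope"):
        flag = s.get("regexp", "false").strip().lower()
        yield (s.text or "").strip(), flag in ("true", "1")  # xs:boolean lexical forms


def scopes_for_role(entity, role_tag):
    """Scopes applying to a role: entity-level Scope elements (treated as
    applying to all roles, as the V2+ SP and V4+ IdP do) plus the role's own."""
    scopes = list(_scopes_in(entity))
    role = entity.find(f"{{{MD}}}{role_tag}")
    if role is not None:
        scopes.extend(_scopes_in(role))
    return scopes


def scope_allowed(value, scopes, delimiter="@"):
    """Check the scope part of a scoped attribute value (e.g. user@example.edu)
    against the scopes the metadata permits. Example's choices: split at the
    last delimiter, literal scopes compare case-insensitively, regexp scopes
    must match the whole scope, and a value with no scope part is rejected."""
    local, sep, scope = value.rpartition(delimiter)
    if not sep or not local or not scope:
        return False
    for pattern, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(pattern, scope):
                return True
        elif pattern.lower() == scope.lower():
            return True
    return False


def key_authorities(element):
    """Return each shibmd:KeyAuthority under element's md:Extensions as a dict
    with its VerifyDepth (schema default 1) and the base64 certificate text
    found inside its ds:KeyInfo children."""
    result = []
    ext = element.find(f"{{{MD}}}Extensions")
    if ext is None:
        return result
    for ka in ext.findall(f"{{{SHIBMD}}}KeyAuthority"):
        certs = [c.text.strip() for c in ka.iter(f"{{{DS}}}X509Certificate") if c.text]
        result.append({"verify_depth": int(ka.get("VerifyDepth", "1")),
                       "certificates": certs})
    return result


def run_demo(metadata_xml=SAMPLE_METADATA):
    """Parse the metadata and evaluate a few attribute values against it."""
    entity = ET.fromstring(metadata_xml)
    scopes = scopes_for_role(entity, "IDPSSODescriptor")
    checks = {v: scope_allowed(v, scopes) for v in (
        "alice@example.edu", "alice@EXAMPLE.EDU", "bob@cs.dept.example.edu",
        "mallory@evil.example.edu", "mallory@example.edu.evil.org", "nobody")}
    return {"scopes": scopes, "checks": checks,
            "key_authorities": key_authorities(entity)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point of the scope check is that an IdP can only assert scoped attribute values for scopes its metadata entry grants it, so "mallory@evil.example.edu" is refused even though the IdP is trusted for "example.edu"; a regexp scope should therefore be anchored, as the constructed one is, or it will match far more than intended. For KeyAuthority the example only extracts the trust anchors and VerifyDepth; actual PKIX path validation against them is outside its scope. Both checks are only as strong as the metadata they come from, which must itself have been signature-verified before any of these elements are consulted.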
...