Name: SAML 2.0 Metadata Extensions for Shibboleth
Version: 1.0
Status: Stable

The Shibboleth 1.3 and 2.X Identity Provider and Service Provider products implement support for two SAML 2.0 Metadata schema extensions, as described below.

Schema Extensions

The schema extensions are defined in the namespace urn:mace:shibboleth:metadata:1.0 by the following XML Schema document:

...

Relevant schema definition fragments are repeated in the descriptions of each extension below.

<shibmd:Scope>

<element name="Scope">
    <annotation>
        <documentation>
            SAML metadata extension used to regulate allowable attribute scopes.
        </documentation>
    </annotation>
    <complexType>
        <simpleContent>
            <extension base="string">
                <attribute name="regexp" type="boolean" use="optional" default="false"/>
            </extension>
        </simpleContent>
    </complexType>
</element>

...

It is very common to use DNS domain names as scope values.  Because scopes in metadata are matched exactly against the scope component of attribute values in a case-sensitive manner, it is RECOMMENDED that deployers adhere to a convention of representing such scope values as lower case.

Support in Shibboleth Products

This extension corresponds to the <OriginSite>/<Domain> element in legacy Shibboleth metadata.

The Shibboleth V1.3 Service Provider processes this element when found in the <md:Extensions> element of an attribute-supplying role descriptor (<md:IDPSSODescriptor> or <md:AttributeAuthorityDescriptor>).

The Shibboleth V2 (and above) Service Provider also processes this element when found in the <md:Extensions> element of the <md:EntityDescriptor>, interpreting it as applying to all roles.

<shibmd:KeyAuthority>

<element name="KeyAuthority">
    <annotation>
        <documentation>
            Binds keying authorities to the system entity/entities to which the enclosing
            metadata element applies.
        </documentation>
    </annotation>
    <complexType>
        <sequence>
            <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
        <anyAttribute namespace="##other" processContents="lax"/>
    </complexType>
</element>

...

The VerifyDepth attribute controls the maximum certificate path length to allow, using the PKIX-specified definition of path length (i.e., one less than the actual length of the chain).
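The following is an added example, not code from this page or from the Shibboleth project, showing how a relying party would consume both extensions described above: it reads <shibmd:Scope> elements from a constructed <md:EntityDescriptor> (an entity-level scope, applying to all roles as in the V2+ Service Provider, and a role-level regexp scope), checks scoped attribute values against them with exact case-sensitive matching for literal scopes, and reads <shibmd:KeyAuthority> with its VerifyDepth, applying the page's "chain length minus one" path-length rule. The metadata, the key name and the attribute values are all constructed for illustration; splitting a scoped value on its first "@" and applying the regexp as written (the sample pattern carries its own anchors) are simplifying assumptions, not a description of the Shibboleth implementation.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces: SAML metadata, the Shibboleth extension namespace named on this page, XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (not real deployment metadata). The entity-level Scope
# applies to all roles; the role-level Scope is a regexp. VerifyDepth="2" is chosen
# so that a chain of three certificates (path length 2) is still acceptable.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:Extensions>
    <shibmd:Scope regexp="false">example.org</shibmd:Scope>
    <shibmd:KeyAuthority VerifyDepth="2">
      <ds:KeyInfo><ds:KeyName>Example Federation CA (constructed)</ds:KeyName></ds:KeyInfo>
    </shibmd:KeyAuthority>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="true">^[a-z]+\\.example\\.org$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_entity(xml_text=SAMPLE_METADATA):
    """Parse an EntityDescriptor document into an Element."""
    return ET.fromstring(xml_text)


def _xsd_bool(value):
    # XML Schema boolean accepts "true"/"1" and "false"/"0"; the schema default is "false".
    return value in ("true", "1")


def collect_scopes(entity):
    """Return [(pattern, is_regexp)] for every Scope that governs attributes from this entity:
    entity-level scopes (all roles) plus scopes on the attribute-supplying role descriptors."""
    scopes = []
    for ext_path in ("md:Extensions",
                     "md:IDPSSODescriptor/md:Extensions",
                     "md:AttributeAuthorityDescriptor/md:Extensions"):
        ext = entity.find(ext_path, NS)
        if ext is None:
            continue
        for scope in ext.findall("shibmd:Scope", NS):
            scopes.append(((scope.text or "").strip(),
                           _xsd_bool(scope.get("regexp", "false"))))
    return scopes


def scope_permitted(scope, scopes):
    """Literal scopes are compared exactly and case-sensitively (hence the lower-case
    convention); regexp scopes are applied as written (assumption: re.search)."""
    for pattern, is_regexp in scopes:
        if is_regexp:
            if re.search(pattern, scope):
                return True
        elif pattern == scope:
            return True
    return False


def check_scoped_value(value, scopes):
    """Validate a scoped attribute value such as 'user@example.org'.
    Returns (accepted, reason). Splitting on the first '@' is a simplification."""
    if "@" not in value:
        return False, "value has no scope component"
    _, scope = value.split("@", 1)
    if scope_permitted(scope, scopes):
        return True, "scope permitted by metadata"
    return False, "scope %r not permitted for this entity" % scope


def key_authorities(entity):
    """Return [(key_names, verify_depth)] from entity-level KeyAuthority elements;
    VerifyDepth defaults to 1 as in the schema fragment above."""
    result = []
    for ka in entity.findall("md:Extensions/shibmd:KeyAuthority", NS):
        names = [kn.text for kn in ka.findall("ds:KeyInfo/ds:KeyName", NS)]
        result.append((names, int(ka.get("VerifyDepth", "1"))))
    return result


def path_length_ok(chain_length, verify_depth):
    """Apply the page's rule: PKIX path length is one less than the number of
    certificates in the chain, and must not exceed VerifyDepth."""
    return chain_length - 1 <= verify_depth


if __name__ == "__main__":
    entity = load_entity()
    scopes = collect_scopes(entity)
    for v in ("alice@example.org", "alice@Example.org", "bob@dept.example.org", "bob@evil.org"):
        print(v, check_scoped_value(v, scopes))
    for names, depth in key_authorities(entity):
        print(names, "VerifyDepth", depth, "3-cert chain ok:", path_length_ok(3, depth))
```

Run stand-alone it prints the verdict for each constructed value; note that "alice@Example.org" is rejected even though the literal scope is example.org, which is exactly the behaviour the lower-case convention above exists to avoid.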