Name: SAML 2.0 Metadata Extensions for Shibboleth
Version: 1.0
Status: Stable
The Shibboleth 1.3 and 2.X Identity Provider and Service Provider products implement support for two SAML 2.0 metadata schema extensions, as described below.
Schema Extensions
The schema extensions are defined in the namespace urn:mace:shibboleth:metadata:1.0 by the following XML Schema document:
...
Relevant schema definition fragments are repeated in the descriptions of each extension below.
<shibmd:Scope>
    <element name="Scope">
        <annotation>
            <documentation>
                SAML metadata extension used to regulate allowable attribute scopes.
            </documentation>
        </annotation>
        <complexType>
            <simpleContent>
                <extension base="string">
                    <attribute name="regexp" type="boolean" use="optional" default="false"/>
                </extension>
            </simpleContent>
        </complexType>
    </element>
...
It is very common to use DNS domain names as scope values. Because scopes in metadata are matched exactly against the scope component of attribute values in a case-sensitive manner, it is RECOMMENDED that deployers adhere to a convention of representing such scope values as lower case.
Support in Shibboleth Products
This extension corresponds to the <OriginSite>/<Domain> element in legacy Shibboleth metadata.
The Shibboleth V1.3 Service Provider processes this element when found in the <md:Extensions> element of an attribute-supplying role descriptor (<md:IDPSSODescriptor> or <md:AttributeAuthorityDescriptor>).
The Shibboleth V2 (and above) Service Provider also processes this element when found in the <md:Extensions> element of the <md:EntityDescriptor>, interpreting it as applying to all roles.
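The following is an added example, not code from the Shibboleth project, showing how an SP-side check of scoped attribute values against <shibmd:Scope> entries behaves: literal scopes are compared exactly and case-sensitively, regexp="true" scopes are matched as regular expressions, and the entity-level <md:Extensions> is consulted only when emulating the V2 behaviour described above. The metadata document and entity ID are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample metadata (hypothetical entityID): one literal scope on the
# IdP role and one regexp scope at entity level (applies to all roles on a V2 SP).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" entityID="https://idp.example.org/idp">
  <md:Extensions>
    <shibmd:Scope regexp="true">^[a-z]+\\.example\\.org$</shibmd:Scope>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope>example.org</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def collect_scopes(metadata_xml, role="IDPSSODescriptor", entity_level=True):
    """Return (value, is_regexp) pairs from the role's Extensions and, when
    entity_level is True (V2 SP behaviour), from the entity's Extensions too."""
    root = ET.fromstring(metadata_xml)
    paths = [f"md:{role}/md:Extensions/shibmd:Scope"]
    if entity_level:
        paths.append("md:Extensions/shibmd:Scope")
    scopes = []
    for path in paths:
        for el in root.findall(path, NS):
            is_regexp = el.get("regexp", "false").lower() in ("true", "1")
            scopes.append(((el.text or "").strip(), is_regexp))
    return scopes


def scope_allowed(scope, scopes):
    """Exact, case-sensitive comparison for literal scopes; full regex match otherwise."""
    for value, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(value, scope):
                return True
        elif value == scope:
            return True
    return False


def filter_scoped_values(values, scopes):
    """Keep only attribute values (user@scope) whose scope part is allowed."""
    kept = []
    for v in values:
        user, sep, scope = v.rpartition("@")
        if sep and user and scope_allowed(scope, scopes):
            kept.append(v)
    return kept
```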
<shibmd:KeyAuthority>
    <element name="KeyAuthority">
        <annotation>
            <documentation>
                Binds keying authorities to the system entity/entities to which the enclosing metadata element applies.
            </documentation>
        </annotation>
        <complexType>
            <sequence>
                <element ref="ds:KeyInfo" maxOccurs="unbounded"/>
            </sequence>
            <attribute name="VerifyDepth" type="unsignedByte" use="optional" default="1"/>
            <anyAttribute namespace="##other" processContents="lax"/>
        </complexType>
    </element>
...
The VerifyDepth attribute controls the maximum certificate path length to allow, using the PKIX definition of path length (which is, roughly, one less than the actual number of certificates in the chain).