...

Info

You can install the latest plugin version supported on your IdP version with .\plugin.sh -I net.shibboleth.idp.plugin.metadatagen

| Plugin | Plugin ID | Module(s) | Latest Version | Bug Reporting |
|---|---|---|---|---|
| Metadatagen | net.shibboleth.idp.plugin.metadatagen | idp.plugin.MetadataGen.plugin, idp.plugin.MetadataGen.Templates.plugin | 2.0.0: download | https://shibboleth.atlassian.net/browse/JMETAGEN |


...

Take care to wrap options containing whitespace in double quotes. The generator will automatically encode any XML-unsafe characters, so you should not pre-encode any of them.

| Parameter | Multiple? | Description |
|---|---|---|
| --file, --out | | Output file to write to (stdout is used if not specified) |
| --batch-file, --batch | | Path to a batch file of individual commands to execute (see section below) |
| --omit-namespaces | | Prevents the generation of various XML namespace declarations in the root element, useful mainly for batches |
| --entityID, --client_id, --id | | Populates the entityID attribute, generally required to produce meaningful output |
| --scope | Y | Populates <shibmd:Scope> element(s) |
| --sp | | Generates an <md:SPSSODescriptor> role (this is the default) |
| --idp | | Generates an <md:IDPSSODescriptor> role |
| --aa | | Generates an <md:AttributeAuthorityDescriptor> role |
| --want-assertions-signed, -w | | Toggles on the WantAssertionsSigned flag in SP metadata |
| --nameid-format, -f | Y | Populates <md:NameIDFormat> elements |
| --certificate, --cert, -c | Y | Path to certificate file(s) intended for dual use (both signing and encryption) |
| --signing, -x | Y | Path to certificate file(s) specific to signing only |
| --encryption, -e | Y | Path to certificate file(s) specific to encryption only |
| --sso | Y | Manually specifies <md:SingleSignOnService> endpoint(s) (see below) |
| --attribute-query, --query | Y | Manually specifies <md:AttributeService> endpoint(s) (see below) |
| --artifact | Y | Manually specifies <md:ArtifactResolutionService> endpoint(s) (see below) |
| --logout | Y | Manually specifies <md:SingleLogoutService> endpoint(s) (see below) |
| --acs | Y | Manually specifies <md:AssertionConsumerService> endpoint(s) (see below) |
| --layout-file, --layout | | Path to a "layout template", in effect a fragment of metadata containing an <md:EntityDescriptor> that specifies the endpoints to populate the output with (used in conjunction with the --hostname option) |
| --hostname, -h | Y | Specifies the hostname(s) to plug into the layout template specified with the --layout-file option |
| --lang | | Language tag to use for any i18n-supporting elements |
| --display-name, -y | | Generates an <mdui:DisplayName> extension element |
| --description, -d | | Generates an <mdui:Description> extension element |
| --logo-url, --logo | | Generates an <mdui:Logo> extension element (only external URI references supported) |
| --logo-width, --width | | Sets the Width attribute of the <mdui:Logo> extension element |
| --logo-height, --height | | Sets the Height attribute of the <mdui:Logo> extension element |
| --org-name, -o | | Generates <md:OrganizationName> and <md:OrganizationDisplayName> elements |
| --org-url, -u | | Generates an <md:OrganizationURL> element |
| --contact-admin, -a | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the "administrative" type |
| --contact-support, -s | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the "support" type |
| --contact-tech, -t | Y | Splits a string containing first/last/email on the forward slash character and generates an <md:ContactPerson> of the "technical" type |
| --entity-attr, --tag | Y | An expression of the form "name=value", which will generate a <saml:Attribute> in an <mdattr:EntityAttributes> extension (note that this tool assumes all tags will have URI names) |

The full set of options can be viewed with the --help option.

...

Endpoint expressions take the form <binding>/<location>. The location portion may contain a scheme; if it has none, the "https://" scheme is applied automatically. The binding portion must be one of the following tokens:

| Token | Protocol and Binding |
|---|---|
| Redirect | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
| POST | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST |
| SimpleSign | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign |
| Artifact | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact |
| SOAP | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:SOAP |
| PAOS | SAML 2.0, urn:oasis:names:tc:SAML:2.0:bindings:PAOS |
| POST1 | SAML 1.1, urn:oasis:names:tc:SAML:1.0:profiles:browser-post |
| Artifact1 | SAML 1.1, urn:oasis:names:tc:SAML:1.0:profiles:artifact-01 |
| SOAP1 | SAML 1.1, urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding |
| CAS | CAS, https://www.apereo.org/cas/protocol/login |
| CAS (logout) | CAS, https://www.apereo.org/cas/protocol/logout (location portion ignored) |
| CASProxy | CAS, https://www.apereo.org/cas/protocol/proxy |
| OIDC | OIDC/OAuth, https://tools.ietf.org/html/rfc6749#section-3.1.2 |

Note that when endpoints require an index attribute, the generator auto-generates those values by tracking them and incrementing the index. The indexes should not in general be relied on at runtime at this point.

...