...

An "entity" is just a server that's running SAML software to perform some task, such as an IdP or an SP. Each entity has a unique name, an entityID, that distinguishes it from every other entity. You are responsible for choosing an appropriate URL to use as the entityID, and both your configuration and the metadata you publish will contain that value. The two MUST match exactly: if they don't, requests and responses will not be associated with the right entity and many problems will result.

...

For details and examples at this level, please refer to the MetadataForIdP and MetadataForSP topics.

One extremely important piece of information common to all role elements is the protocolSupportEnumeration XML attribute, which MUST be present. This attribute contains a space-delimited collection of URIs that represent general classes of protocol support for the role in question. There are URIs defined by the various standards and profiles to represent the fact that an entity acting in a role "supports" a particular protocol family, such as SAML 2.0 or the Shibboleth profile of SAML 1.1.

...

A summary of the values typically encountered follows:

Protocol Family        URI to Include in protocolSupportEnumeration    Roles?
SAML 2.0               urn:oasis:names:tc:SAML:2.0:protocol            IdP, AA, SP
SAML 1.1               urn:oasis:names:tc:SAML:1.1:protocol            IdP, AA, SP
SAML 1.0               urn:oasis:names:tc:SAML:1.0:protocol            IdP, AA, SP
Shib 1.x SSO Request   urn:mace:shibboleth:1.0                         Shib IdP
WS-Federation          http://schemas.xmlsoap.org/ws/2003/07/secext    Shib IdP, Shib SP

Code Block (xml): Incomplete Example of IdP Supporting SAML 2.0, SAML 1.1, and the Shibboleth Request Protocol for SAML 1.x
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://webauth.example.org/idp/shibboleth">

  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
  ... role content not shown ...
  </md:IDPSSODescriptor>

</md:EntityDescriptor>
Code Block (xml): Incomplete Example of SP Supporting SAML 2.0 and SAML 1.1
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://service.example.org/shibboleth">

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
  ... role content not shown ...
  </md:SPSSODescriptor>

</md:EntityDescriptor>
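The two failure modes described above (an entityID in the published metadata that differs from the configured one, and a role element without a usable protocolSupportEnumeration) are easy to catch before metadata is published or handed to a federation. The following checker is an added example written for this page, not Shibboleth project code. It parses an EntityDescriptor, compares the entityID with the value the deployer says is configured, and checks that each role element carries a protocolSupportEnumeration made up of the URIs from the table above, in a role where they make sense. The sample metadata strings are constructed for the example; the function names are this example's own.

```python
# Added example (not Shibboleth project code): sanity-check SAML metadata
# against the local configuration before publishing it.
import xml.etree.ElementTree as ET  # for metadata from third parties prefer defusedxml

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ROLE_TAGS = {"IDPSSODescriptor", "AttributeAuthorityDescriptor", "SPSSODescriptor"}

# Protocol-family URIs from the table above, mapped to the roles they are used in.
KNOWN_PROTOCOLS = {
    "urn:oasis:names:tc:SAML:2.0:protocol": ROLE_TAGS,
    "urn:oasis:names:tc:SAML:1.1:protocol": ROLE_TAGS,
    "urn:oasis:names:tc:SAML:1.0:protocol": ROLE_TAGS,
    "urn:mace:shibboleth:1.0": {"IDPSSODescriptor"},
    "http://schemas.xmlsoap.org/ws/2003/07/secext": {"IDPSSODescriptor", "SPSSODescriptor"},
}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def check_metadata(xml_text, configured_entity_id):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]

    # The entityID in the metadata must equal the value the software is configured with.
    entity_id = root.get("entityID")
    if entity_id != configured_entity_id:
        problems.append(f"entityID mismatch: metadata {entity_id!r}, configuration {configured_entity_id!r}")

    roles = [c for c in root if c.tag.startswith(f"{{{MD_NS}}}") and _local(c.tag) in ROLE_TAGS]
    if not roles:
        problems.append("no role elements (IDPSSODescriptor, SPSSODescriptor, ...) found")

    for role in roles:
        name = _local(role.tag)
        # protocolSupportEnumeration is REQUIRED and is a space-delimited list of URIs.
        pse = role.get("protocolSupportEnumeration")
        uris = pse.split() if pse else []
        if not uris:
            problems.append(f"{name}: protocolSupportEnumeration is missing or empty")
            continue
        for uri in uris:
            allowed = KNOWN_PROTOCOLS.get(uri)
            if allowed is None:
                problems.append(f"{name}: unrecognized protocol URI {uri}")
            elif name not in allowed:
                problems.append(f"{name}: {uri} is not normally used in this role")
    return problems


# Constructed sample: the IdP example above, with the entityID the IdP is configured with.
GOOD_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://webauth.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0"/>
</md:EntityDescriptor>"""

# Constructed broken sample: the entityID differs from the configured one, the SP role
# lists the IdP-only Shibboleth request protocol, and a second role omits the attribute.
BAD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://service.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:mace:shibboleth:1.0"/>
  <md:AttributeAuthorityDescriptor/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for label, xml_text, cfg in (("idp", GOOD_IDP, "https://webauth.example.org/idp/shibboleth"),
                                 ("sp", BAD_SP, "https://service.example.org/shibboleth")):
        print(label, check_metadata(xml_text, cfg) or "OK")
```

Run it against the metadata file you intend to publish, passing the entityID from your IdP or SP configuration as the second argument; any entry in the returned list is something to fix before the metadata is registered anywhere. The role-to-URI table only reflects the values listed on this page, so an unrecognized URI is a prompt to check the relevant profile, not necessarily an error.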

...

For testing purposes, you will rarely, if ever, need to supply these elements, but they may be needed for production use. Organization metadata in particular is often used by other software systems that consume metadata in order to present lists of entities with human-readable names. Examples of such systems include IdPDiscovery services and software that assists users in granting consent for login and for the release of attributes to SPs.

...

Broadly speaking, the Shibboleth IdP and SP support roughly similar mechanisms for acquiring metadata, though the details vary. You can see the technical specifics in the IdPMetadataProvider (V2) / MetadataConfiguration (V3) and NativeSPMetadataProvider topics, but in general there are three approaches one tends to see:

...