The MetadataGen plugin provides a command line to generate metadata based on a very shallow introspection of the IdP configuration properties.

Metadata generation can never be an automatic process. Metadata is a description of how you want your IdP to be viewed by others.  This is significantly more than anything which can be created automatically.   Nonetheless, much of the metadata is formulaic since things such as endpoints are usually standardized.  The metadatagen command provides assistance in generating much of the standardized boilerplate.

The metadatagen command provides an basis for generator the metadata for your IdP. It does extremely limited introspection into the configuration and outputs metadata for the standard end points. This saves time and reduces the risk of cut and paste errors being introduced into your metadata.

This tools does not output "ready to use" metadata and is a preliminary, NOT an alternative, to editing your metadata prior to publishing it.

Plugin Installation

Starting with IdP 4.2 you can the install the latest plugin version supported on your IdP version with
.\ -I net.shibboleth.idp.plugin.metadatagen


Plugin ID


Latest Version

Bug Reporting


Plugin ID


Latest Version

Bug Reporting




1.0.0: download


The generated metadata is based on an idea of the IdP's configuration sourced from two locations:  configuration property files and the command line.  Importantly, this tool does not consider anything about the relying party configuration.

The property files provide the following information:

  • The entityID (from idp.entityID )

  • The scope (from idp.scope)

  • The encryption certificate (from idp.encryption.cert)

  • The signing certificate used for attribute push (from idp.signing.cert)

The command line is usually used to provide information to do with the web container (i.e. Jetty or Tomcat) configuration:

  • --DNSName specifies the DNS name (with a default of

  • If present, --backChannel <file>  provides the signing certificate use for back channel tasks.

An additional property file can be used to specify the DNS name an backchannel path, additionally properties can be used to drive MDUI generation.  This is described further below.

Command line options

With no command line options the tool prints to the screen the Metadata for a SAML2 IdP configured for attribute push only.  Further options control adding or removing parts of the metadata





--DNSName name

Supplies the DNS name used within the URLs specifying the end points

--output <file>, -o <file>

Outputs the metadata to a file

--backChannel <file>

Specifies the path to the certificate protecting the back channel.
This is required to emit any SOAP end points (artifact, logout and attribute fetch).

+SAML1, +1

Include metadata for a SAML1 IdP.  SAML1 attribute fetch endpoints will be included, regardless of whether +attributeFetch is specified

-SAML2, -2

Supress the metadata for a SAML2 IdP


Include metadata for a SAML2 SP (for use in proxying)


Include SAML2 logout endpoints. 
If the --backChannel  option is present the SOAP endpoint is also included


Include the artifact resolution endpoints (requires --backChannel)


Include the SAML2 attribute fetch endpoints (requires --backChannel)

--propertyFiles <file>,<file>...

Additional property files.

The full set of options can be viewed with the --help option.

Advanced use and Property-driven installation

The parts of the metadata drawn from the IdP configuration are derived from the IdP configuration property files. Additional properties can be provided (via the --propertyFiles  qualifier) to describe more about the IdP

Remember that if idp.searchForProperties is set to true all property files under idp/conf will be loaded.






Supplies the DNS name used within the URLs specifying the end points. 
This should not be used in conjunction with the --DNSName  qualifier .


Specifies the path to the certificate protecting the back channel.
This should not be used in conjunction with the --backChannel qualifier.


Specifies the path part of the URL which describes a logo for the IdP. 
The protocol is hard wired to be https://  and the DNS name is used for the host.

The <mdui:Logo> is always  emitted.  If this is absent then then a fixed path ('/path/to/logo') is used.


The height (in pixels) of the logo.  Defaults to 80.


The width (in pixels) of the logo.  Defaults to 80.


A (space separated) list of languages used to lookup values formed appending each one to the name and description properties described below.

If this is absent then an <mdui:DisplayName/> and <mdui:Description> for the "en" language is emitted which you need to edit.


Display name for the IdP in the specified language.

If this is absent for a language specified above then not <mdui:DisplayName> is emitted for that language


Description for the IdP in the specified language.

If this is absent for a language specified above then not <mdui:Description> is emitted for that language


Example Command Line
metadatagen +saml1 +sp --backChannel /opt/idp/credentials/idp-backchannel.crt --output myMetadata.xml


Example Property File idp.metadata.backchannel.cert=/opt/idp/credentials/idp-backchannel.crt idp.metadata.idpsso.mdui.langs=en fr deé de Shibboleth idp.metadata.idpsso.mdui.displayname.en=Shibboleth Universityät Shibboleth idp.metadata.idpsso.mdui.description.en=UShib idp.metadata.idpsso.mdui.logo.height=84 idp.metadata.idpsso.mdui.logo.width=75 idp.metadata.idpsso.mdui.logo.path=/the/to/path/logo.png