OAuthRPMetadataProfile
Overview
This is a profile defining the expression of OIDC and OAuth client capabilities and characteristics in SAML 2.0 Metadata, which is the native and preferred metadata format supported by the Shibboleth IdP software.
The XML namespace for the additional content used in this profile is urn:mace:shibboleth:metadata:oidc:1.0, and its schema can be found at http://shibboleth.net/schema/oidc/saml-metadata-ext-oidcmd.xsd
In comparison to the existing (JSON) format, all the same configuration options are available. See the table at the end of this page for the mappings between the JSON claims and the SAML metadata elements.
An entity advertises support for the OIDC protocol via an <md:SPSSODescriptor> that has the following characteristics:
- MUST include http://openid.net/specs/openid-connect-core-1_0.html in the protocolSupportEnumeration attribute
- Contains one or more <md:AssertionConsumerService> elements that MUST have the following XML attributes:
  - Binding attribute with a value of https://tools.ietf.org/html/rfc6749#section-3.1.2
  - Location attribute with a URL of a single redirection endpoint
When needed, the trusted public keys and client secrets are configured via <md:KeyDescriptor> elements. In addition to the existing public key <ds:KeyInfo> children (<ds:X509Data> and <ds:KeyValue>), JSON Web Key sets are supported statically or via a reference URI, using the <oidcmd:JwksData> and <oidcmd:JwksUri> elements (see the table at the end of this page).
A <oidcmd:JwksData> element contains a base64-encoded JSON structure containing the set.
Client secrets can be configured statically in plaintext or via reference, using the <oidcmd:ClientSecret> and <oidcmd:ClientSecretKeyReference> elements. With the plaintext form the metadata file itself becomes secret material and must be protected accordingly; the reference form keeps the secret value out of the metadata, which matters when metadata is shared or published.
Examples
An example representing an OIDC RP with client secret value in the metadata:
OIDC metadata entry with client secret value
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="mockSamlClientId">
<md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
<md:Extensions>
<oidcmd:OAuthRPExtensions
grant_types="authorization_code"
response_types="code"
token_endpoint_auth_method="client_secret_basic"
scopes="openid profile" />
</md:Extensions>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<oidcmd:ClientSecret>mockClientSecretValue</oidcmd:ClientSecret>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>
<md:AssertionConsumerService
Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
Location="https://example.org/cb"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
An example representing an OIDC RP with a client secret key reference. The reference key (mockClientSecretKey) is used by client secret value resolvers, which are out of scope of this profile.
OIDC metadata entry with client secret key reference
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="mockSamlClientId">
<md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
<md:Extensions>
<oidcmd:OAuthRPExtensions
grant_types="authorization_code"
response_types="code"
token_endpoint_auth_method="client_secret_basic"
scopes="openid profile" />
</md:Extensions>
<md:KeyDescriptor>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<oidcmd:ClientSecretKeyReference>mockClientSecretKey</oidcmd:ClientSecretKeyReference>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise</md:NameIDFormat>
<md:AssertionConsumerService
Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
Location="https://example.com/callback"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
An example representing an OIDC RP with multiple public keys configured in the metadata. All of them are taken into account and transformed into a JSON Web Key set, with ds:KeyName used as the key identifier (kid).
OIDC metadata entry with multiple public keys
<md:EntityDescriptor
xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:oidcmd="urn:mace:shibboleth:metadata:oidc:1.0"
entityID="mockSamlClientId">
<md:SPSSODescriptor protocolSupportEnumeration="http://openid.net/specs/openid-connect-core-1_0.html">
<md:Extensions>
<oidcmd:OAuthRPExtensions
grant_types="authorization_code"
response_types="code"
token_endpoint_auth_method="private_key_jwt"
scopes="openid profile" />
</md:Extensions>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockX509RSA</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockX509EC</ds:KeyName>
<ds:X509Data>
<ds:X509Certificate>
MIIBKDCBzgIJAOYlspXlaqguMAoGCCqGSM49BAMCMBwxCzAJBgNVBAYTAkZJMQ0w
CwYDVQQDDAR0ZXN0MB4XDTE5MTEwMTA4Mjg0OVoXDTIwMTAzMTA4Mjg0OVowHDEL
MAkGA1UEBhMCRkkxDTALBgNVBAMMBHRlc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAARCUOlFMtRj3MIbdCzXmoGz4giDwjzPoX4AxMehhlXmPOodQhLDdvDqx3KE
hqadzIIsKHRQPDycscpHWpPbaQ2VMAoGCCqGSM49BAMCA0kAMEYCIQCVykSuUjlX
j4lxI6YqgYVuuhL2rG4hIrXw/pCey7eF2gIhAOSSaS025lQWy09W4NlnO28OkHoI
+Hbap7+DQlhbbr2d</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockRSA</ds:KeyName>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
AMP1p7GwPH64UPvBKD4DK0I6SDY7dtFPzL7L5qAIEJwIBBeDmLfVY/f9mLzDuDb19XzQxc6GEcjj
K8qRe7JAD3CE1IXXD0hKSOJ7H+chWS84iv7UNukbHHBO1oaRgfHh7vbX7HnpYMoqKK75rfiQqD9e
XOa2FLiH1QvnhLGKJcN+OKujetTgAhxE7ski9Gtfhhbt1qCEl7XtaUCLLexyrwWxx+NRxFgMU+nt
IZQ+T8ii+JQSWnRh14PGc+K9o1dp+vjse62hFprVQhhcbAKAkWpbup77NvvuTZ2+AtUhOuNHrH2I
X3jHeSWH7EzTGkPLGS6bFnYJQBqWv0POytfSyMM=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>mockJwkId</ds:KeyName>
<oidcmd:JwksData>
ewogICJrdHkiOiAiUlNBIiwKICAiZSI6ICJBUUFCIiwKICAia2lkIjogIm1vY2siLAogICJhbGci
OiAiUlMyNTYiLAogICJuIjogInBKcHRScnpyRlhEUnBaWkdpRmc1eW9KeVRPMlphUENSNEcwbjEx
aUVSclBTdlVYX202Qmdvak5qVEZISk1pa19pbGhtVzY0Q3JLdGlMdklRTFF6VWV5RXdDZHdYZVB3
UVpNeEV4VDJPV2thQy1DV0ZJNHR4X2VFWGRkUGtja1NMRERhMEVQd3dzWktQUFhoRTNWNTBfZ3pW
VDJZQVRvRE9fMmoyeGpWcHFzU0dFc0xpYjZqLW52dFpVVV9CMHNHeUppR1ZzMkpUTmhCTVNrT2tR
Zks2NkNCcW1sbzBuUE5NYVIxbWl2dG5JUG1aNnJKVHcwUDVZZ0dFS1hmZjBsa25Ib25ZVmRsVktw
c0Q4VW5hY0JzdFlyeUhsM0NQR2Uyc3RmR2ExZ3N6NEdIVGVfRnlWVk04UlNoQ2dYVVo3MTdoenpf
ekdQaVhDQkw0ZktEek5ZUXpIUSIKfQo=</oidcmd:JwksData>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public</md:NameIDFormat>
<md:AssertionConsumerService
Binding="https://tools.ietf.org/html/rfc6749#section-3.1.2"
Location="https://example.org/cb"
index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Mappings between the JSON claims and SAML metadata elements
The definitions for the JSON claims can be found in the following specifications:
- OAuth 2.0 Dynamic Client Registration protocol: https://tools.ietf.org/html/rfc7591
- OIDC Dynamic Client Registration: https://openid.net/specs/openid-connect-registration-1_0.html
- OIDC session management spec: https://openid.net/specs/openid-connect-session-1_0.html
- OIDC federation spec (draft): https://openid.net/specs/openid-connect-federation-1_0.html
- OIDC Front-Channel logout 1.0 spec: https://openid.net/specs/openid-connect-frontchannel-1_0.html
- OIDC Back-Channel logout 1.0 spec: https://openid.net/specs/openid-connect-backchannel-1_0.html
XML namespaces used in the table:
- default (no prefix): urn:oasis:names:tc:SAML:2.0:metadata
- saml: urn:oasis:names:tc:SAML:2.0:assertion
- mdui: urn:oasis:names:tc:SAML:metadata:ui
- ds: http://www.w3.org/2000/09/xmldsig#
- oidcmd: urn:mace:shibboleth:metadata:oidc:1.0
JSON claim | SAML metadata location | Notes |
---|---|---|
client_id | EntityDescriptor/@entityID | |
client_secret | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecret or EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:ClientSecretKeyReference | Only one value (plaintext or reference) per entity |
redirect_uris | EntityDescriptor/SPSSODescriptor/AssertionConsumerService | One element per URI. Binding: https://tools.ietf.org/html/rfc6749#section-3.1.2; the Location attribute carries the URI |
token_endpoint_auth_method, application_type, client_uri, software_id, software_version, sector_identifier_uri, id_token_signed_response_alg, id_token_encrypted_response_alg, id_token_encrypted_response_enc, userinfo_signed_response_alg, userinfo_encrypted_response_alg, userinfo_encrypted_response_enc, request_object_signing_alg, request_object_encryption_alg, request_object_encryption_enc, token_endpoint_auth_signing_alg, default_max_age, require_auth_time, initiate_login_uri, frontchannel_logout_session_required (v2.2), backchannel_logout_session_required (v2.2) | Like-named XML attributes defined on EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions | These are single-valued claims that map directly into XML attributes of the metadata extension element. |
grant_types, response_types, scopes | Like-named XML attributes defined on EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions | These are multi-valued claims that map directly into XML attributes of the metadata extension element. Multiple values are supplied as a space-delimited list. NOTE: Since OP 3.2, use the '+' sign to supply a response type value that itself contains a space. For instance, the XML value "code code+id_token+token" is translated into two OIDC response types: "code" and "code id_token token". |
client_name | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:DisplayName | |
logo_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:Logo | |
contacts | EntityDescriptor/ContactPerson/EmailAddress | |
organization_name | EntityDescriptor/Organization/OrganizationName | |
tos_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:InformationURL | |
policy_uri | EntityDescriptor/SPSSODescriptor/Extensions/mdui:UIInfo/mdui:PrivacyStatementURL | |
jwks_uri | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:JwksUri | |
jwks | EntityDescriptor/SPSSODescriptor/KeyDescriptor/ds:KeyInfo/oidcmd:JwksData | The value is a Base64-encoded JSON string |
subject_type | EntityDescriptor/SPSSODescriptor/NameIDFormat | One of urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public (subject_type "public") or urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise (subject_type "pairwise") |
default_acr_values | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:default_acr_value | Each value is defined in its own extension element. |
request_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:request_uri | Each value is defined in its own extension element. |
post_logout_redirect_uris | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/oidcmd:post_logout_redirect_uri | Each value is defined in its own extension element. |
audience (1) | EntityDescriptor/SPSSODescriptor/Extensions/oidcmd:OAuthRPExtensions/saml:Audience | Each value is defined in its own extension element (the element itself is a standard SAML element imported from the Assertion schema). |
frontchannel_logout_uri (v2.2) | EntityDescriptor/SPSSODescriptor/SingleLogoutService | Binding: |
backchannel_logout_uri (v2.2) | EntityDescriptor/SPSSODescriptor/SingleLogoutService | Binding: |
(1) The "audience" claim is not drawn from any standard, but is an extension supported by Shibboleth to control/validate the "resource" parameter used in various OAuth protocol extensions, particularly in the client_credentials grant flow.
(v2.2) Support was added in net.shibboleth.oidc.common v2.2.0.
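The mapping table above, together with the key-material rules earlier on this page, expressed as code. This is an added example and not code from the Shibboleth project: it reads one OAuthRPMetadataProfile entity and produces the client-registration JSON it stands for, rejecting entities that do not advertise OIDC support and redirect URIs that are not absolute https URIs without a fragment (RFC 6749 section 3.1.2). The sample metadata at the bottom is constructed for the example (mock identifiers from this page, a fake three-byte RSA modulus). Assumptions of the example only: the claim name client_secret_key_reference for an unresolved key reference, ds:KeyName filling in a missing kid inside JwksData, and accepting JwksData as either a {"keys": [...]} set or a bare JWK object (the JwksData value in the multiple-keys example on this page decodes to a bare JWK). ds:X509Data is not converted, since that needs an X.509 parser.

```python
"""Map an OAuthRPMetadataProfile entity to the OIDC client-registration JSON it
stands for, per the mapping table on this page. Added example, not Shibboleth
code; SAMPLE_METADATA at the bottom is constructed for it."""
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "oidcmd": "urn:mace:shibboleth:metadata:oidc:1.0"}
OIDC_CORE = "http://openid.net/specs/openid-connect-core-1_0.html"
REDIRECT_BINDING = "https://tools.ietf.org/html/rfc6749#section-3.1.2"
NAMEID_PREFIX = "urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:"
LIST_CHILDREN = {"oidcmd:default_acr_value": "default_acr_values",  # child elements of
                 "oidcmd:request_uri": "request_uris",              # OAuthRPExtensions
                 "oidcmd:post_logout_redirect_uri": "post_logout_redirect_uris",
                 "saml:Audience": "audience"}                        # -> list claims

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def rsa_keyvalue_to_jwk(kv, kid):
    # ds:Modulus is plain base64 of a big-endian integer, usually with a leading
    # 0x00 sign octet; RFC 7518 Base64urlUInt requires the minimal octet form.
    n = base64.b64decode(kv.findtext("ds:Modulus", namespaces=NS)).lstrip(b"\x00")
    e = base64.b64decode(kv.findtext("ds:Exponent", namespaces=NS)).lstrip(b"\x00")
    return {"kty": "RSA", "n": _b64url(n), "e": _b64url(e), **({"kid": kid} if kid else {})}

def check_redirect_uri(uri: str) -> str:
    p = urlsplit(uri)  # RFC 6749 s3.1.2: absolute URI, no fragment; https required here
    if p.scheme != "https" or not p.netloc or p.fragment:
        raise ValueError(f"unacceptable redirect_uri: {uri!r}")
    return uri

def metadata_to_registration(xml_text: str) -> dict:
    # Use defusedxml.ElementTree instead if the metadata is not a trusted, signed feed.
    ed = ET.fromstring(xml_text)
    sp = ed.find("md:SPSSODescriptor", NS)
    if sp is None or OIDC_CORE not in sp.get("protocolSupportEnumeration", "").split():
        raise ValueError("entity does not advertise OIDC support")
    reg = {"client_id": ed.get("entityID")}
    ext = sp.find("md:Extensions/oidcmd:OAuthRPExtensions", NS)
    if ext is not None:
        for name, value in ext.attrib.items():
            if name == "response_types":   # '+' joins the parts of one response type
                reg[name] = [v.replace("+", " ") for v in value.split()]
            elif name in ("grant_types", "scopes"):
                reg[name] = value.split()  # space-delimited multi-valued claims
            else:
                reg[name] = value          # single-valued claims are copied as-is
        for path, claim in LIST_CHILDREN.items():
            if values := [c.text.strip() for c in ext.findall(path, NS) if c.text]:
                reg[claim] = values
    reg["redirect_uris"] = [check_redirect_uri(acs.get("Location"))
                            for acs in sp.findall("md:AssertionConsumerService", NS)
                            if acs.get("Binding") == REDIRECT_BINDING]
    fmt = sp.findtext("md:NameIDFormat", default="", namespaces=NS)
    if fmt.startswith(NAMEID_PREFIX):
        reg["subject_type"] = fmt[len(NAMEID_PREFIX):]  # "public" or "pairwise"
    keys, secrets = [], []
    for ki in sp.findall("md:KeyDescriptor/ds:KeyInfo", NS):
        kid = ki.findtext("ds:KeyName", namespaces=NS)
        for kv in ki.findall("ds:KeyValue/ds:RSAKeyValue", NS):
            keys.append(rsa_keyvalue_to_jwk(kv, kid))
        for jd in ki.findall("oidcmd:JwksData", NS):
            decoded = json.loads(base64.b64decode(jd.text.strip()))
            # accept a {"keys": [...]} set or a bare JWK object (as in this page's
            # JwksData example); assumption: ds:KeyName fills in a missing kid
            for jwk in decoded.get("keys", [decoded]):
                if kid and "kid" not in jwk:
                    jwk["kid"] = kid
                keys.append(jwk)
        for ju in ki.findall("oidcmd:JwksUri", NS):
            reg["jwks_uri"] = ju.text.strip()
        secrets += [("client_secret", s.text) for s in ki.findall("oidcmd:ClientSecret", NS)]
        secrets += [("client_secret_key_reference", s.text)  # example-local claim name;
                    for s in ki.findall("oidcmd:ClientSecretKeyReference", NS)]  # resolving is out of scope
        # ds:X509Data is not converted here: extracting its public key needs an X.509 parser.
    if keys:
        reg["jwks"] = {"keys": keys}
    if len(secrets) > 1:
        raise ValueError("only one client secret value or reference per entity")
    if secrets:
        reg[secrets[0][0]] = secrets[0][1]
    return reg

_JWKS_DATA = base64.b64encode(b'{"kty":"RSA","e":"AQAB","n":"w_Wn"}').decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    xmlns:oidcmd="{NS['oidcmd']}" entityID="mockSamlClientId">
  <md:SPSSODescriptor protocolSupportEnumeration="{OIDC_CORE}">
    <md:Extensions><oidcmd:OAuthRPExtensions grant_types="authorization_code implicit"
        response_types="code code+id_token+token" scopes="openid profile"
        token_endpoint_auth_method="private_key_jwt" application_type="web">
      <oidcmd:post_logout_redirect_uri>https://example.org/out</oidcmd:post_logout_redirect_uri>
    </oidcmd:OAuthRPExtensions></md:Extensions>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>mockRSA</ds:KeyName>
      <ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AMP1pw==</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>mockJwkId</ds:KeyName>
      <oidcmd:JwksData>{_JWKS_DATA}</oidcmd:JwksData></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{NAMEID_PREFIX}pairwise</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{REDIRECT_BINDING}" Location="https://example.org/cb" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""  # constructed sample: mock names from this page, fake 3-byte modulus

if __name__ == "__main__":
    print(json.dumps(metadata_to_registration(SAMPLE_METADATA), indent=2))
```

Running the block prints the registration for the constructed entity: the response_types attribute "code code+id_token+token" becomes ["code", "code id_token token"], the pairwise NameIDFormat becomes subject_type "pairwise", and both key descriptors land in one jwks set with ds:KeyName as kid. The leading-zero strip in rsa_keyvalue_to_jwk is the detail most often got wrong when converting XML DSig keys to JWKs: the page's own ds:Modulus example starts with "AMP1...", i.e. a 0x00 sign octet, which a JWK consumer would treat as part of the modulus.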