/
MetadataExample
MetadataExample
- ndk@internet2.edu
Owned by ndk@internet2.edu
Last updated: May 19, 2008Version comment
This example metadata is useful for making your own federation by hand. You can also just use the hollow <EntitiesDescriptor> and populate it with <EntityDescriptor> elements pulled by accessing the Metadata handler your provider exposes. This supports the default profile of SAML 2.0 and Shibboleth 1.3.
<EntitiesDescriptor Name="https://your-federation.org/metadata/federation-name.xml"
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Actual providers go here. -->
<!-- An identity provider. -->
<EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
<IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
<Extensions>
<shibmd:Scope regexp="false">example.org</shibmd:Scope>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
<!-- Base-64 encoded certificate nonsense -->
q1og9SGCUU2yRL1tC+Y=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
Location="https://idp.example.org/idp/profile/Shibboleth/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.example.org/idp/profile/SAML2/POST/SSO" />
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" />
</IDPSSODescriptor>
<AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV
<!-- Base-64 encoded certificate nonsense -->
q1og9SGCUU2yRL1tC+Y=
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" />
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" />
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
</AttributeAuthorityDescriptor>
<Organization>
<OrganizationName xml:lang="en">Your Identities</OrganizationName>
<OrganizationDisplayName xml:lang="en"> Your Identities</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://www.example.org/</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<GivenName>Your</GivenName>
<SurName>Contact</SurName>
<EmailAddress>admin@example.org</EmailAddress>
</ContactPerson>
</EntityDescriptor>
<!-- A service provider. -->
<EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
<Extensions>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="http://sp.example.org/Shibboleth.sso/DS"/>
<idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
index="2" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://sp.example.org/Shibboleth.sso/DS"/>
</Extensions>
<KeyDescriptor>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>
MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEV
<!-- Base-64 encoded certificate nonsense here -->
Inh+vYSYngQB2sx9LGkR9KHaMKNIGCDehk93Xla4pWJx1w==
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</KeyDescriptor>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<AssertionConsumerService index="1" isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
<AssertionConsumerService index="2"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
<AssertionConsumerService index="3"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
<AssertionConsumerService index="4"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="5"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
</SPSSODescriptor>
<Organization>
<OrganizationName xml:lang="en">Your Service</OrganizationName>
<OrganizationDisplayName xml:lang="en">Your Service</OrganizationDisplayName>
<OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
</Organization>
<ContactPerson contactType="technical">
<GivenName>Your</GivenName>
<SurName>Admin</SurName>
<EmailAddress>admin@example.org</EmailAddress>
</ContactPerson>
</EntityDescriptor>
</EntitiesDescriptor>
, multiple selections available,
Related content
MetadataForSP
MetadataForSP
Read with this
MetadataForIdP
MetadataForIdP
Read with this
Metadata
Metadata
Read with this
IdPMetadataProvider
IdPMetadataProvider
Read with this
ConfigurationFileSummary
ConfigurationFileSummary
Read with this
ShibMetaExt V1.0
ShibMetaExt V1.0
Read with this