The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

MetadataExample

This example metadata is useful for building your own federation by hand. You can also start from the empty <EntitiesDescriptor> shell and populate it with <EntityDescriptor> elements pulled from the Metadata handler that each provider exposes. The example covers the default profiles of SAML 2.0 and Shibboleth 1.3.

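<?xml version="1.0" encoding="UTF-8"?>
<!--
    Example federation metadata: one identity provider and one service provider.

    Every namespace used below is declared once on the root element.  Production
    federation metadata is normally signed by the federation operator so that
    consumers can verify its integrity; the ds: namespace declared here is also
    what such a signature would use.
-->
<EntitiesDescriptor Name="https://your-federation.org/metadata/federation-name.xml"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Actual providers go here. -->

    <!-- An identity provider. -->
    <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">

        <!-- Protocols this IdP speaks: Shibboleth 1.x and SAML 2.0. -->
        <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:2.0:protocol">
            <Extensions>
                <!-- The scope this IdP is trusted to assert in scoped attribute
                     values; SPs reject scoped values that do not match it. -->
                <shibmd:Scope regexp="false">example.org</shibmd:Scope>
            </Extensions>
            <!-- Trust anchor for this role: the certificate whose public key
                 consumers use to verify signatures from the IdP.  No "use"
                 attribute is given, so it serves both signing and encryption.
                 Rotating the key means publishing new metadata. -->
            <KeyDescriptor>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV

<!-- Base-64 encoded certificate nonsense -->

q1og9SGCUU2yRL1tC+Y=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

            <!-- Front-channel SSO endpoints, one per supported binding. -->
            <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                    Location="https://idp.example.org/idp/profile/Shibboleth/SSO" />

            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Location="https://idp.example.org/idp/profile/SAML2/POST/SSO" />

            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                    Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO" />
        </IDPSSODescriptor>

        <!-- Attribute query role (SAML 1.1 and SAML 2.0 over SOAP). -->
        <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">

            <!-- Same certificate as the SSO role above; each role carries its
                 own KeyDescriptor because consumers evaluate roles separately. -->
            <KeyDescriptor>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIIEKjCCAxKgAwIBAgIJAIgUuHL4QvkYMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNV

<!-- Base-64 encoded certificate nonsense -->

q1og9SGCUU2yRL1tC+Y=
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <!-- Back-channel SOAP endpoints on a separate port (8443); these are
                 contacted by SPs directly rather than through the browser. -->
            <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                    Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery" />

            <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                    Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery" />

            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

        </AttributeAuthorityDescriptor>

        <!-- Human-readable ownership and a technical contact federation members
             can reach when something goes wrong. -->
        <Organization>
            <OrganizationName xml:lang="en">Your Identities</OrganizationName>
            <OrganizationDisplayName xml:lang="en">Your Identities</OrganizationDisplayName>
            <OrganizationURL xml:lang="en">http://www.example.org/</OrganizationURL>
        </Organization>
        <ContactPerson contactType="technical">
            <GivenName>Your</GivenName>
            <SurName>Contact</SurName>
            <EmailAddress>admin@example.org</EmailAddress>
        </ContactPerson>

    </EntityDescriptor>

    <!-- A service provider. -->
    <EntityDescriptor entityID="https://sp.example.org/shibboleth-sp">
        <!-- AuthnRequestsSigned and WantAssertionsSigned are not set on this
             role and therefore default to false. -->
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">

            <Extensions>
                <!-- Endpoints a discovery service may return the chosen IdP to.
                     The plain-HTTP entry (index 1) sends the chosen IdP's
                     entityID unencrypted; many deployments list only the https
                     endpoint. -->
                <idpdisc:DiscoveryResponse index="1"
                        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                        Location="http://sp.example.org/Shibboleth.sso/DS"/>
                <idpdisc:DiscoveryResponse index="2"
                        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
                        Location="https://sp.example.org/Shibboleth.sso/DS"/>
            </Extensions>

            <!-- The SP's certificate; IdPs use it to verify signed requests and
                 to encrypt assertions for this SP (no "use" attribute, so both). -->
            <KeyDescriptor>
                <ds:KeyInfo>
                    <ds:X509Data>
                        <ds:X509Certificate>
MIIEPjCCAyagAwIBAgIBADANBgkqhkiG9w0BAQUFADB3MQswCQYDVQQGEwJVUzEV

<!-- Base-64 encoded certificate nonsense here -->

Inh+vYSYngQB2sx9LGkR9KHaMKNIGCDehk93Xla4pWJx1w==
                        </ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </KeyDescriptor>

            <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>

            <!-- An IdP delivers assertions only to Locations listed here, so
                 keep this list accurate.  index="1" with isDefault="true" is the
                 endpoint used when a request names none. -->
            <AssertionConsumerService index="1" isDefault="true"
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
            <AssertionConsumerService index="2"
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
                    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
            <AssertionConsumerService index="3"
                    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
                    Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
            <AssertionConsumerService index="4"
                    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                    Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
            <AssertionConsumerService index="5"
                    Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
                    Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>

        </SPSSODescriptor>

        <Organization>
            <OrganizationName xml:lang="en">Your Service</OrganizationName>
            <OrganizationDisplayName xml:lang="en">Your Service</OrganizationDisplayName>
            <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
        </Organization>
        <ContactPerson contactType="technical">
            <GivenName>Your</GivenName>
            <SurName>Admin</SurName>
            <EmailAddress>admin@example.org</EmailAddress>
        </ContactPerson>

    </EntityDescriptor>

</EntitiesDescriptor>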