2 This is example IdP metadata for demonstration purposes. Each party
3 in a Shibboleth/SAML deployment requires metadata from its opposite(s).
4 Thus, your metadata describes you and is given to your partners, and your
5 partners' metadata is fed into your configuration.
7 This particular file isn't used for anything directly, it's just an example
8 to help with constructing metadata for an IdP that may not supply its
9 metadata to you properly.
13 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
14 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
15 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
16 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
17 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
18 urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
19 urn:oasis:names:tc:SAML:metadata:ui sstc-saml-metadata-ui-v1.0.xsd
20 http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
21 validUntil="2020-01-01T00:00:00Z"
22 entityID="https://idp.example.org/shibboleth">
24 The entityID above looks like a location, but it's actually just a name.
25 Each entity is assigned a URI name. By convention, it will often be a
26 URL, but it should never contain a physical machine hostname that you
27 would not otherwise publish to users of the service. For example, if your
28 installation runs on a machine named "gryphon.example.org", you would
29 generally register that machine in DNS under a second, logical name
30 (such as idp.example.org). This logical name should be used in favor
31 of the real hostname when you assign an entityID. You should use a name
32 like this even if you don't actually register the server in DNS using it.
33 The URL does not have to resolve into anything to use it as a name, although
34 it is useful if it does in fact point to your metadata. The key point is
35 for the name you choose to be stable, which is why using hostnames is
36 generally bad, since they tend to change.
39 <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
40 <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
42 <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
43 <shibmd:Scope>example.org</shibmd:Scope>
46 This is a recent OASIS-defined extension for user-interface material related to the IdP.
47 See http://wiki.oasis-open.org/security/SAML2MetadataUI for more details.
49 <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
50 <mdui:DisplayName xml:lang="en">Identities 'R' Us</mdui:DisplayName>
51 <mdui:InformationURL xml:lang="en">https://idp.example.org/info/</mdui:InformationURL>
52 <mdui:Logo height="60" width="80" xml:lang="en">https://example.org/images/logo.png</mdui:Logo>
53 <mdui:Logo height="16" width="16" xml:lang="en">https://example.org/images/favico.png</mdui:Logo>
58 One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
59 descriptor can be used for both signing and for server-TLS. You can place an X.509
60 certificate directly in this element to specify the public key to use. This only
61 reflects the public half of the keypair used by the IdP.
67 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
68 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
69 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
70 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
71 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
72 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
73 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
74 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
75 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
76 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
77 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
78 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
79 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
80 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
86 <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
87 <ArtifactResolutionService index="1"
88 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
89 Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
91 <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
92 <ArtifactResolutionService index="2"
93 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
94 Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
96 <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
97 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
98 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
100 <!-- This tells the SP how and where to request authentication. -->
101 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
102 Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
103 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
104 Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
105 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
106 Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
109 <!-- Most Shibboleth IdPs also support SAML 1.x attribute queries, so this role is also included. -->
110 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
112 <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
113 <shibmd:Scope>example.org</shibmd:Scope>
116 <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
121 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
122 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
123 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
124 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
125 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
126 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
127 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
128 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
129 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
130 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
131 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
132 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
133 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
134 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
135 </ds:X509Certificate>
141 This tells the SP how and where to send queries when SAML 1.x is used.
142 The SAML 2.0 version is normally left out because attributes are pushed
143 and encrypted during SSO rather than pulled after.
145 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
146 Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
148 <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
149 Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
152 <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
153 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
154 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
156 </AttributeAuthorityDescriptor>
159 This is just information about the entity in human terms.
160 For user interface needs, see the new <mdui:UIInfo> extension.
163 <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
164 <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
165 <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
167 <ContactPerson contactType="technical">
168 <SurName>Technical Support</SurName>
169 <EmailAddress>support@idp.example.org</EmailAddress>