configs/example-metadata.xml.in

   1 <EntitiesDescriptor
   2     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
   3     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   4     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
   5     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
   6     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata @-PKGXMLDIR-@/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 @-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# @-PKGXMLDIR-@/xmldsig-core-schema.xsd"
   7     Name="urn:mace:shibboleth:examples"
   8     validUntil="2010-01-01T00:00:00Z">
   9
  10         <!--
  11         This is a starter set of metadata for testing Shibboleth. It shows
  12         a pair of example entities, one an IdP and one an SP. Each party
  13         requires metadata from its opposite in order to interact with it.
  14         Thus, your metadata describes you, and your partner(s)' metadata
  15         is fed into your configuration.
  16
  17         The software components do not configure themselves using metadata
  18         (e.g. the IdP does not configure itself using IdP metadata). Instead,
  19         metadata about SPs is fed into IdPs and metadata about IdPs is fed into
  20         SPs. Other metadata is ignored, so the software does not look for
  21         conflicts between its own configuration and the metadata that might
  22         be present about itself. Metadata is instead maintained based on the
  23         external details of your configuration.
  24         -->
  25
  26         <EntityDescriptor entityID="https://idp.example.org/shibboleth">
  27         <!--
  28         The entityID above looks like a location, but it's actually just a name.
  29         Each entity is assigned a URI name. By convention, it will often be a
  30         URL, but it should never contain a physical machine hostname that you
  31         would not otherwise publish to users of the service. For example, if your
  32         installation runs on a machine named "gryphon.example.org", you would
  33         generally register that machine in DNS under a second, logical name
  34         (such as idp.example.org). This logical name should be used in favor
  35         of the real hostname when you assign an entityID. You should use a name
  36         like this even if you don't actually register the server in DNS using it.
  37         The URL does *not* have to resolve into anything to use it as a name.
  38         The point is for the name you choose to be stable, which is why including
  39         hostnames is generally bad, since they tend to change.
  40         -->
  41
  42                 <!-- A Shib IdP contains this element with protocol support as shown. -->
  43                 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
  44                         <Extensions>
  45                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
  46                                 <shibmd:Scope>example.org</shibmd:Scope>
  47                         </Extensions>
  48
  49                         <!--
  50                         One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
  51                         descriptor can be used for both signing and for server-TLS if its use attribute
  52                         is set to "signing". You can place an X.509 certificate directly in this element
  53                         to specify the exact public key certificate to use. This only reflects the public
  54                         half of the keypair used by the IdP.
  55
  56                         When the IdP signs XML, it uses the private key included in its Credentials
  57                         configuration element, and when TLS is used, the web server will use the
  58                         certificate and private key defined by the web server's configuration.
  59                         An SP will then try to match the certificates in the KeyDescriptors here
  60                         to the ones presented in the XML Signature or SSL session.
  61
  62                         When an inline certificate is used, do not assume that an expired certificate
  63                         will be detected and rejected. At the same time, it may be risky to include
  64                         an expired certificate and assume it will work. Your SAML implementation
  65                         may provide specific guidance on this.
  66                         -->
  67                         <KeyDescriptor use="signing">
  68                             <ds:KeyInfo>
  69                                 <ds:X509Data>
  70                                         <ds:X509Certificate>
  71 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
  72 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
  73 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
  74 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
  75 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
  76 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
  77 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
  78 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
  79 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
  80 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
  81 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
  82 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
  83 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
  84 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
  85                                         </ds:X509Certificate>
  86                                 </ds:X509Data>
  87                             </ds:KeyInfo>
  88                         </KeyDescriptor>
  89
  90                         <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
  91                         <ArtifactResolutionService index="1"
  92                                 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
  93                                 Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
  94
  95                         <!-- This tells SPs that you support only the Shib handle format. -->
  96                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
  97
  98                         <!-- This tells SPs how and where to request authentication. -->
  99                         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
 100                             Location="https://idp.example.org/shibboleth-idp/SSO"/>
 101
 102                 </IDPSSODescriptor>
 103
 104                 <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
 105                 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
 106                         <Extensions>
 107                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
 108                                 <shibmd:Scope>example.org</shibmd:Scope>
 109                         </Extensions>
 110
 111                         <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
 112                         <KeyDescriptor use="signing">
 113                             <ds:KeyInfo>
 114                                 <ds:X509Data>
 115                                         <ds:X509Certificate>
 116 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
 117 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
 118 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
 119 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
 120 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
 121 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
 122 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
 123 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
 124 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
 125 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
 126 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
 127 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
 128 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
 129 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
 130                                         </ds:X509Certificate>
 131                                 </ds:X509Data>
 132                             </ds:KeyInfo>
 133                         </KeyDescriptor>
 134
 135                         <!-- This tells SPs how and where to send queries. -->
 136                         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
 137                             Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
 138
 139                         <!-- This tells SPs that you support only the Shib handle format. -->
 140                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
 141                 </AttributeAuthorityDescriptor>
 142
 143                 <!-- This is just information about the entity in human terms. -->
 144                 <Organization>
 145                     <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
 146                     <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
 147                     <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
 148                 </Organization>
 149                 <ContactPerson contactType="technical">
 150                     <SurName>Technical Support</SurName>
 151                     <EmailAddress>support@idp.example.org</EmailAddress>
 152                 </ContactPerson>
 153
 154         </EntityDescriptor>
 155
 156         <!-- See the comment earlier about how an entityID is chosen/created. -->
 157         <EntityDescriptor entityID="https://sp.example.org/shibboleth">
 158
 159                 <!-- A Shib SP contains this element with protocol support as shown. -->
 160                 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
 161
 162                         <!--
 163                         One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
 164                         descriptor can be used for both signing and for client-TLS if its use attribute
 165                         is set to "signing". You can place an X.509 certificate directly in this element
 166                         to specify the exact public key certificate to use. This only reflects the public
 167                         half of the keypair used by the IdP.
 168
 169                         The SP uses the private key included in its Credentials configuration element
 170                         for both XML signing and client-side TLS. An IdP will then try to match the
 171                         certificates in the KeyDescriptors here to the ones presented in the XML
 172                         Signature or SSL session.
 173
 174                         When an inline certificate is used, do not assume that an expired certificate
 175                         will be detected and rejected. At the same time, it may be risky to include
 176                         an expired certificate and assume it will work. Your SAML implementation
 177                         may provide specific guidance on this.
 178                         -->
 179                         <KeyDescriptor use="signing">
 180                             <ds:KeyInfo>
 181                                 <ds:X509Data>
 182                                         <ds:X509Certificate>
 183 MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
 184 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
 185 b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
 186 VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
 187 gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
 188 /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
 189 qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
 190 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
 191 JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
 192 CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
 193 cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
 194 gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
 195 LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
 196 gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
 197                                         </ds:X509Certificate>
 198                                 </ds:X509Data>
 199                             </ds:KeyInfo>
 200                         </KeyDescriptor>
 201
 202                         <!-- This tells IdPs that you support only the Shib handle format. -->
 203                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
 204
 205                         <!--
 206                         This tells IdPs where and how to send authentication assertions. Mostly
 207                         the SP will tell the IdP what location to use in its request, but this
 208                         is how the IdP validates the location and also figures out which
 209                         SAML profile to use. There are six listed to accomodate common testing
 210                         scenarios used by C++ and Java SP installations. At deployment time,
 211                         only the actual endpoints to be used are needed.
 212                         -->
 213                         <AssertionConsumerService index="1" isDefault="true"
 214                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
 215                                 Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
 216                         <AssertionConsumerService index="2"
 217                                 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
 218                                 Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
 219
 220                 </SPSSODescriptor>
 221
 222                 <!-- This is just information about the entity in human terms. -->
 223                 <Organization>
 224                         <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
 225                         <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
 226                         <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
 227                 </Organization>
 228                 <ContactPerson contactType="technical">
 229                         <SurName>Technical Support</SurName>
 230                         <EmailAddress>support@sp.example.org</EmailAddress>
 231                 </ContactPerson>
 232
 233         </EntityDescriptor>
 234
 235 </EntitiesDescriptor>