for the name you choose to be stable, which is why including hostnames is
generally bad, since they tend to change.
-->
-
- <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
- <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- </Extensions>
-
- <!--
- One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
- descriptor can be used for both signing and for server-TLS if its use attribute
- is set to "signing". You can place an X.509 certificate directly in this element
- to specify the public key to use. This only reflects the public half of the keypair
- used by the IdP. A different key, or the same key, can be specified for enabling
- the SP to encrypt XML it sends to the IdP.
- -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
+
+ <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
+ <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shibmd:Scope>example.org</shibmd:Scope>
+ </Extensions>
+
+ <!--
+ One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
+ descriptor can be used for both signing and for server-TLS if its use attribute
+ is set to "signing". You can place an X.509 certificate directly in this element
+ to specify the public key to use. This only reflects the public half of the keypair
+ used by the IdP. A different key, or the same key, can be specified for enabling
+ the SP to encrypt XML it sends to the IdP.
+ -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
</ds:KeyInfo>
</KeyDescriptor>
- <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
- <ArtifactResolutionService index="1"
- Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+ <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
+ <ArtifactResolutionService index="1"
+ Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
<!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
<ArtifactResolutionService index="1"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
- <!-- This tells the SP how and where to request authentication. -->
- <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
- Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
+ <!-- This tells the SP how and where to request authentication. -->
+ <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+ Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
- </IDPSSODescriptor>
-
- <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
- <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
- <Extensions>
- <!-- This is a Shibboleth extension to express attribute scope rules. -->
- <shibmd:Scope>example.org</shibmd:Scope>
- </Extensions>
-
- <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
- <KeyDescriptor use="signing">
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>
+ </IDPSSODescriptor>
+
+ <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
+ <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
+ <Extensions>
+ <!-- This is a Shibboleth extension to express attribute scope rules. -->
+ <shibmd:Scope>example.org</shibmd:Scope>
+ </Extensions>
+
+ <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
+ <KeyDescriptor use="signing">
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </KeyDescriptor>
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
<KeyDescriptor use="encryption">
<ds:KeyInfo>
</ds:KeyInfo>
</KeyDescriptor>
- <!-- This tells the SP how and where to send queries. -->
- <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
- Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
+ <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+ <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+ <!-- This tells the SP how and where to send queries. -->
+ <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+ Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
<AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
- </AttributeAuthorityDescriptor>
+ </AttributeAuthorityDescriptor>
- <!-- This is just information about the entity in human terms. -->
- <Organization>
- <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
- <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
- <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
- </Organization>
- <ContactPerson contactType="technical">
- <SurName>Technical Support</SurName>
- <EmailAddress>support@idp.example.org</EmailAddress>
- </ContactPerson>
+ <!-- This is just information about the entity in human terms. -->
+ <Organization>
+ <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
+ <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
+ <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
+ </Organization>
+ <ContactPerson contactType="technical">
+ <SurName>Technical Support</SurName>
+ <EmailAddress>support@idp.example.org</EmailAddress>
+ </ContactPerson>
</EntityDescriptor>