1 <!--
2 This is example IdP metadata for demonstration purposes. Each party
3 in a Shibboleth/SAML deployment requires metadata from its opposite(s).
4 Thus, your metadata describes you and is given to your partners, and your
5 partners' metadata is fed into your configuration.
6
7 This particular file is not loaded by the SP at all; it is only a worked example to help
8 you build metadata by hand for an IdP that does not publish its own. Before copying it, note
9 that its validUntil date has already passed (a consumer must treat it as expired) and that its
  certificate is a sample for idp.example.org, not the key of any real IdP; replace both.
10 -->
11
12 <EntityDescriptor
13     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
14     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
15     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
16     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
17     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
18                         urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
19                         urn:oasis:names:tc:SAML:metadata:ui sstc-saml-metadata-ui-v1.0.xsd
20                         http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
21     validUntil="2020-01-01T00:00:00Z"
22     entityID="https://idp.example.org/shibboleth">
23     <!--
24     The entityID above looks like a location, but it's actually just a name.
25     Each entity is assigned a URI name. By convention, it will often be a
26     URL, but it should never contain a physical machine hostname that you
27     would not otherwise publish to users of the service. For example, if your
28     installation runs on a machine named "gryphon.example.org", you would
29     generally register that machine in DNS under a second, logical name
30     (such as idp.example.org). This logical name should be used in favor
31     of the real hostname when you assign an entityID. You should use a name
32     like this even if you don't actually register the server in DNS using it.
33     The URL does not have to resolve into anything to use it as a name, although
34     it is useful if it does in fact point to your metadata. The key point is
35     for the name you choose to be stable, which is why using hostnames is
36     generally bad, since they tend to change.
37     -->
38     
39     <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
40     <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
41         <Extensions>
42             <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
43             <shibmd:Scope>example.org</shibmd:Scope>
44             
45             <!--
46             This is the OASIS-defined extension for user-interface material (display name, logo, info URL) about the IdP.
47             See http://wiki.oasis-open.org/security/SAML2MetadataUI for more details.
48             -->
49             <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
50                 <mdui:DisplayName xml:lang="en">Identities 'R' Us</mdui:DisplayName>
51                 <mdui:InformationURL xml:lang="en">https://idp.example.org/info/</mdui:InformationURL>
52                 <mdui:Logo height="60" width="80" xml:lang="en">https://example.org/images/logo.png</mdui:Logo>
53                 <mdui:Logo height="16" width="16" xml:lang="en">https://example.org/images/favico.png</mdui:Logo>
54             </mdui:UIInfo>
55         </Extensions>
56         
57         <!--
58         One or more KeyDescriptors tell your SP which key(s) the IdP uses to authenticate itself. With no
59         "use" attribute, as here, the key is offered for both signing and encryption; a single descriptor can
60         also cover the server-TLS certificate of the IdP's SOAP endpoints. Place the IdP's X.509 certificate
61         directly in this element: only the public half appears here, and it must come from the IdP operator over
62         a trusted channel, since whoever holds the private key matching this entry can sign as this IdP to your SP.
62         -->
63         <KeyDescriptor>
64             <ds:KeyInfo>
65                 <ds:X509Data>
66                     <ds:X509Certificate>
67                     MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
68                     BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
69                     Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
70                     AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
71                     ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
72                     Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
73                     4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
74                     lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
75                     v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
76                     CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
77                     eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
78                     BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
79                     Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
80                     w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
81                     </ds:X509Certificate>
82                 </ds:X509Data>
83             </ds:KeyInfo>
84         </KeyDescriptor>
85
86         <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
87         <ArtifactResolutionService index="1"
88             Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
89             Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
90
91         <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
92         <ArtifactResolutionService index="2"
93             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
94             Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
95
96         <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
97         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
98         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
99
100         <!-- This tells the SP how and where to request authentication. -->
101         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
102             Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
103         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
104             Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
105         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
106             Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
107     </IDPSSODescriptor>
108     
109     <!-- Most Shibboleth IdPs also support SAML 1.x attribute queries, so this role is also included. -->
110     <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
111         <Extensions>
112             <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
113             <shibmd:Scope>example.org</shibmd:Scope>
114         </Extensions>
115         
116         <!-- Keys are declared per role, so the certificate must be repeated here (or a different one given if this role uses a different key); a key listed only under IDPSSODescriptor does not carry over. -->
117         <KeyDescriptor>
118             <ds:KeyInfo>
119                 <ds:X509Data>
120                     <ds:X509Certificate>
121                     MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
122                     BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
123                     Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
124                     AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
125                     ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
126                     Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
127                     4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
128                     lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
129                     v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
130                     CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
131                     eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
132                     BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
133                     Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
134                     w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
135                     </ds:X509Certificate>
136                 </ds:X509Data>
137             </ds:KeyInfo>
138         </KeyDescriptor>
139
140         <!--
141         This tells the SP how and where to send queries when SAML 1.x is used.
142         The SAML 2.0 version is normally left out because attributes are pushed
143         and encrypted during SSO rather than pulled after.
144         -->
145         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
146             Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
147         <!--
148         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
149             Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
150         -->
151         
152         <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
153         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
154         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
155
156     </AttributeAuthorityDescriptor>
157
158     <!--
159     This is just information about the entity in human terms.
160     For user interface needs, see the new <mdui:UIInfo> extension.
161     -->
162     <Organization>
163         <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
164         <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
165         <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
166     </Organization>
167     <ContactPerson contactType="technical">
168         <SurName>Technical Support</SurName>
169         <EmailAddress>support@idp.example.org</EmailAddress>
170     </ContactPerson>
171
172 </EntityDescriptor>