2 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
6 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
7 Name="urn:mace:shibboleth:examples"
8 validUntil="2010-01-01T00:00:00Z">
11 This is a starter set of metadata for testing Shibboleth. It shows
12 a pair of example entities, one an IdP and one an SP. Each party
13 requires metadata from its opposite in order to interact with it.
14 Thus, your metadata describes you, and your partner(s)' metadata
15 is fed into your configuration.
17 The software components do not configure themselves using metadata
18 (e.g. the IdP does not configure itself using IdP metadata). Instead,
19 metadata about SPs is fed into IdPs and metadata about IdPs is fed into
20 SPs. Other metadata is ignored, so the software does not look for
21 conflicts between its own configuration and the metadata that might
22 be present about itself. Metadata is instead maintained based on the
23 external details of your configuration.
26 <EntityDescriptor entityID="https://idp.example.org/shibboleth">
28 The entityID above looks like a location, but it's actually just a name.
29 Each entity is assigned a URI name. By convention, it will often be a
30 URL, but it should never contain a physical machine hostname that you
31 would not otherwise publish to users of the service. For example, if your
32 installation runs on a machine named "gryphon.example.org", you would
33 generally register that machine in DNS under a second, logical name
34 (such as idp.example.org). This logical name should be used in favor
35 of the real hostname when you assign an entityID. You should use a name
36 like this even if you don't actually register the server in DNS using it.
37 The URL does *not* have to resolve into anything to use it as a name.
38 The point is for the name you choose to be stable, which is why including
39 hostnames is generally bad, since they tend to change.
42 <!-- A Shib IdP contains this element with protocol support as shown. -->
43 <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
45 <!-- This is a Shibboleth extension to express attribute scope rules. -->
46 <shibmd:Scope>example.org</shibmd:Scope>
50 One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
51 descriptor can be used for both signing and for server-TLS if its use attribute
52 is set to "signing". You can place an X.509 certificate directly in this element
53 to specify the exact public key certificate to use. This only reflects the public
54 half of the keypair used by the IdP.
56 When the IdP signs XML, it uses the private key included in its Credentials
57 configuration element, and when TLS is used, the web server will use the
58 certificate and private key defined by the web server's configuration.
59 An SP will then try to match the certificates in the KeyDescriptors here
60 to the ones presented in the XML Signature or SSL session.
62 When an inline certificate is used, do not assume that an expired certificate
63 will be detected and rejected. Often only the key will be extracted without
64 regard for the certificate, but at the same time, it may be risky to include
65 an expired certificate and assume it will work. Your SAML implementation
66 may provide specific guidance on this.
68 <KeyDescriptor use="signing">
72 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
73 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
74 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
75 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
76 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
77 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
78 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
79 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
80 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
81 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
82 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
83 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
84 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
85 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
91 <KeyDescriptor use="encryption">
95 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
96 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
97 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
98 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
99 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
100 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
101 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
102 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
103 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
104 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
105 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
106 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
107 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
108 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
109 </ds:X509Certificate>
114 <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
115 <ArtifactResolutionService index="1"
116 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
117 Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
119 <!-- This tells SPs where/how to resolve SAML 2.0 artifacts into SAML messages. -->
120 <ArtifactResolutionService index="1"
121 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
122 Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
124 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
125 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
127 <!-- This tells SPs how and where to request authentication. -->
128 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
129 Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
130 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
131 Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
132 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
133 Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
136 <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
137 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
139 <!-- This is a Shibboleth extension to express attribute scope rules. -->
140 <shibmd:Scope>example.org</shibmd:Scope>
143 <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
144 <KeyDescriptor use="signing">
148 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
149 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
150 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
151 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
152 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
153 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
154 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
155 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
156 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
157 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
158 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
159 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
160 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
161 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
162 </ds:X509Certificate>
167 <KeyDescriptor use="encryption">
171 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
172 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
173 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
174 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
175 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
176 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
177 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
178 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
179 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
180 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
181 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
182 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
183 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
184 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
185 </ds:X509Certificate>
190 <!-- This tells SPs how and where to send queries. -->
191 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
192 Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
193 <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
194 Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
196 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
197 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
198 </AttributeAuthorityDescriptor>
200 <!-- This is just information about the entity in human terms. -->
202 <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
203 <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
204 <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
206 <ContactPerson contactType="technical">
207 <SurName>Technical Support</SurName>
208 <EmailAddress>support@idp.example.org</EmailAddress>
213 <!-- See the comment earlier about how an entityID is chosen/created. -->
214 <EntityDescriptor entityID="https://sp.example.org/shibboleth">
216 <!-- An SP supporting SAML 1 and 2 contains this element with protocol support as shown. -->
217 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
220 <!-- Extension to permit the SP to receive IdP discovery responses. -->
221 <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
222 index="1" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
223 Location="https://sp.example.org/Shibboleth.sso/DS"/>
227 One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
228 descriptor can be used for signing, TLS, and encryption if its use attribute is
229 omitted. You can place an X.509 certificate directly in this element
230 to specify the exact public key certificate to use. This only reflects the public
231 half of the keypair used by the SP.
233 The SP uses the private key included in its Credentials configuration element
234 for both XML signing and client-side TLS. An IdP will then try to match the
235 certificates in the KeyDescriptors here to the ones presented in the XML
236 Signature or SSL session.
242 MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
243 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
244 b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
245 VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
246 gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
247 /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
248 qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
249 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
250 JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
251 CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
252 cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
253 gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
254 LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
255 gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
256 </ds:X509Certificate>
261 <!-- This tells IdPs that Single Logout is supported and where/how to request it. -->
262 <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/SOAP"
263 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
264 <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Redirect"
265 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
266 <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/POST"
267 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
268 <SingleLogoutService Location="https://sp.example.org/Shibboleth.sso/SLO/Artifact"
269 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
271 <!-- This tells IdPs that NameID Management is supported and where/how to request it. -->
272 <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/SOAP"
273 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
274 <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Redirect"
275 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
276 <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/POST"
277 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
278 <ManageNameIDService Location="https://sp.example.org/Shibboleth.sso/NIM/Artifact"
279 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
281 <!-- This tells IdPs that you only need transient identifiers. -->
282 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
283 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
286 This tells IdPs where and how to send authentication assertions. Mostly
287 the SP will tell the IdP what location to use in its request, but this
288 is how the IdP validates the location and also figures out which
289 SAML version/binding to use.
291 <AssertionConsumerService index="1" isDefault="true"
292 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
293 Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
294 <AssertionConsumerService index="2"
295 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
296 Location="https://sp.example.org/Shibboleth.sso/SAML2/POST-SimpleSign"/>
297 <AssertionConsumerService index="3"
298 Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
299 Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
300 <AssertionConsumerService index="4"
301 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
302 Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
303 <AssertionConsumerService index="5"
304 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
305 Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
309 <!-- This is just information about the entity in human terms. -->
311 <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
312 <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
313 <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
315 <ContactPerson contactType="technical">
316 <SurName>Technical Support</SurName>
317 <EmailAddress>support@sp.example.org</EmailAddress>
322 </EntitiesDescriptor>