2 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
3 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
6 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata @-PKGXMLDIR-@/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 @-PKGXMLDIR-@/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# @-PKGXMLDIR-@/xmldsig-core-schema.xsd"
7 Name="urn:mace:shibboleth:examples"
8 validUntil="2010-01-01T00:00:00Z">
11 This is a starter set of metadata for testing Shibboleth. It shows
12 a pair of example entities, one an IdP and one an SP. Each party
13 requires metadata from its opposite in order to interact with it.
14 Thus, your metadata describes you, and your partner(s)' metadata
15 is fed into your configuration.
17 The software components do not configure themselves using metadata
18 (e.g. the IdP does not configure itself using IdP metadata). Instead,
19 metadata about SPs is fed into IdPs and metadata about IdPs is fed into
20 SPs. Other metadata is ignored, so the software does not look for
21 conflicts between its own configuration and the metadata that might
22 be present about itself. Metadata is instead maintained based on the
23 external details of your configuration.
26 <EntityDescriptor entityID="https://idp.example.org/shibboleth">
28 The entityID above looks like a location, but it's actually just a name.
29 Each entity is assigned a URI name. By convention, it will often be a
30 URL, but it should never contain a physical machine hostname that you
31 would not otherwise publish to users of the service. For example, if your
32 installation runs on a machine named "gryphon.example.org", you would
33 generally register that machine in DNS under a second, logical name
34 (such as idp.example.org). This logical name should be used in favor
35 of the real hostname when you assign an entityID. You should use a name
36 like this even if you don't actually register the server in DNS using it.
37 The URL does *not* have to resolve into anything to use it as a name.
38 The point is for the name you choose to be stable, which is why including
39 hostnames is generally bad, since they tend to change.
42 <!-- A Shib IdP contains this element with protocol support as shown. -->
43 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
45 <!-- This is a Shibboleth extension to express attribute scope rules. -->
46 <shibmd:Scope>example.org</shibmd:Scope>
47 <!-- This enables testing against Internet2's test site. -->
48 <shibmd:Scope>example.edu</shibmd:Scope>
52 One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
53 descriptor can be used for both signing and for server-TLS if its use attribute
54 is set to "signing". You can place an X.509 certificate directly in this element
55 to specify the exact public key certificate to use. This only reflects the public
56 half of the keypair used by the IdP.
58 When the IdP signs XML, it uses the private key included in its Credentials
59 configuration element, and when TLS is used, the web server will use the
60 certificate and private key defined by the web server's configuration.
61 An SP will then try to match the certificates in the KeyDescriptors here
62 to the ones presented in the XML Signature or SSL session.
64 When an inline certificate is used, do not assume that an expired certificate
65 will be detected and rejected. Often only the key will be extracted without
66 regard for the certificate, but at the same time, it may be risky to include
67 an expired certificate and assume it will work. Your SAML implementation
68 may provide specific guidance on this.
70 <KeyDescriptor use="signing">
74 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
75 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
76 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
77 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
78 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
79 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
80 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
81 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
82 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
83 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
84 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
85 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
86 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
87 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
93 <!-- This key is used by Internet2's test site. -->
94 <KeyDescriptor use="signing">
98 MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
99 MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
100 F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
101 bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
102 LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
103 MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
104 bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
105 kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
106 C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
107 oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
108 oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
109 fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
110 B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
111 oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
112 JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
113 rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
115 </ds:X509Certificate>
120 <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
121 <ArtifactResolutionService index="1"
122 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
123 Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
125 <!-- This enables testing against Internet2's test site. -->
126 <ArtifactResolutionService index="2"
127 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
128 Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
130 <!-- This tells SPs that you support only the Shib handle format. -->
131 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
133 <!-- This tells SPs how and where to request authentication. -->
134 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
135 Location="https://idp.example.org/shibboleth-idp/SSO"/>
137 <!-- This enables testing against Internet2's test site. -->
138 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
139 Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
142 <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
143 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
145 <!-- This is a Shibboleth extension to express attribute scope rules. -->
146 <shibmd:Scope>example.org</shibmd:Scope>
147 <!-- This enables testing against Internet2's test site. -->
148 <shibmd:Scope>example.edu</shibmd:Scope>
151 <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
152 <KeyDescriptor use="signing">
156 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
157 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
158 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
159 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
160 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
161 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
162 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
163 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
164 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
165 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
166 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
167 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
168 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
169 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
170 </ds:X509Certificate>
175 <!-- This key is used by Internet2's test site. -->
176 <KeyDescriptor use="signing">
180 MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
181 MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
182 F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
183 bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
184 LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
185 MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
186 bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
187 kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
188 C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
189 oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
190 oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
191 fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
192 B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
193 oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
194 JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
195 rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
197 </ds:X509Certificate>
202 <!-- This tells SPs how and where to send queries. -->
203 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
204 Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
206 <!-- This enables testing against Internet2's test site. -->
207 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
208 Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
210 <!-- This tells SPs that you support only the Shib handle format. -->
211 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
212 </AttributeAuthorityDescriptor>
214 <!-- This is just information about the entity in human terms. -->
216 <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
217 <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
218 <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
220 <ContactPerson contactType="technical">
221 <SurName>Technical Support</SurName>
222 <EmailAddress>support@idp.example.org</EmailAddress>
227 <!-- See the comment earlier about how an entityID is chosen/created. -->
228 <EntityDescriptor entityID="https://sp.example.org/shibboleth">
230 <!-- A Shib SP contains this element with protocol support as shown. -->
231 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
234 One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
235 descriptor can be used for both signing and for client-TLS if its use attribute
236 is set to "signing". You can place an X.509 certificate directly in this element
237 to specify the exact public key certificate to use. This only reflects the public
238 half of the keypair used by the IdP.
240 The SP uses the private key included in its Credentials configuration element
241 for both XML signing and client-side TLS. An IdP will then try to match the
242 certificates in the KeyDescriptors here to the ones presented in the XML
243 Signature or SSL session.
245 When an inline certificate is used, do not assume that an expired certificate
246 will be detected and rejected. Often only the key will be extracted without
247 regard for the certificate, but at the same time, it may be risky to include
248 an expired certificate and assume it will work. Your SAML implementation
249 may provide specific guidance on this.
251 <KeyDescriptor use="signing">
255 MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
256 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
257 b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
258 VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
259 gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
260 /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
261 qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
262 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
263 JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
264 CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
265 cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
266 gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
267 LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
268 gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
269 </ds:X509Certificate>
274 <!-- This tells IdPs that you support only the Shib handle format. -->
275 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
278 This tells IdPs where and how to send authentication assertions. Mostly
279 the SP will tell the IdP what location to use in its request, but this
280 is how the IdP validates the location and also figures out which
281 SAML profile to use. There are six listed to accomodate common testing
282 scenarios used by C++ and Java SP installations. At deployment time,
283 only the actual endpoints to be used are needed.
285 <AssertionConsumerService index="1" isDefault="true"
286 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
287 Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
288 <AssertionConsumerService index="2"
289 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
290 Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
291 <AssertionConsumerService index="3"
292 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
293 Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
294 <AssertionConsumerService index="4"
295 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
296 Location="https://sp.example.org/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
297 <AssertionConsumerService index="5"
298 Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
299 Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
300 <AssertionConsumerService index="6"
301 Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
302 Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
306 <!-- This is just information about the entity in human terms. -->
308 <OrganizationName xml:lang="en">Example Service Provider</OrganizationName>
309 <OrganizationDisplayName xml:lang="en">Services 'R' Us</OrganizationDisplayName>
310 <OrganizationURL xml:lang="en">http://sp.example.org/</OrganizationURL>
312 <ContactPerson contactType="technical">
313 <SurName>Technical Support</SurName>
314 <EmailAddress>support@sp.example.org</EmailAddress>
319 </EntitiesDescriptor>