This is example IdP metadata for demonstration purposes. Each party
in a Shibboleth/SAML deployment requires metadata from its counterpart(s).
Thus, your metadata describes you and is given to your partners, and your
partners' metadata is fed into your configuration.
This particular file isn't used for anything directly; it's just an example
to help with constructing metadata for an IdP that may not supply its
metadata to you properly.
13 xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
14 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
15 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
16 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
17 xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
18 validUntil="2010-01-01T00:00:00Z"
19 entityID="https://idp.example.org/shibboleth">
The entityID above looks like a location, but it's actually just a name.
Each entity is assigned a URI name. By convention, it will often be a
URL, but it should never contain a physical machine hostname that you
would not otherwise publish to users of the service. For example, if your
installation runs on a machine named "gryphon.example.org", you would
generally register that machine in DNS under a second, logical name
(such as idp.example.org). This logical name should be used in preference
to the real hostname when you assign an entityID. You should use a name
like this even if you don't actually register the server in DNS using it.
The URL does not have to resolve to anything to be used as a name, although
it is useful if it does in fact point to your metadata. The key point is
for the name you choose to be stable, which is why including hostnames is
generally bad, since they tend to change.
36 <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
37 <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
39 <!-- This is a Shibboleth extension to express attribute scope rules. -->
40 <shibmd:Scope>example.org</shibmd:Scope>
One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
descriptor can be used for both signing and server-TLS if its use attribute
is set to "signing". You can place an X.509 certificate directly in this element
to specify the public key to use. This only reflects the public half of the keypair
used by the IdP. A different key, or the same key, can be specified to enable
the SP to encrypt XML it sends to the IdP.
51 <KeyDescriptor use="signing">
55 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
56 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
57 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
58 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
59 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
60 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
61 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
62 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
63 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
64 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
65 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
66 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
67 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
68 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
74 <KeyDescriptor use="encryption">
78 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
79 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
80 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
81 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
82 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
83 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
84 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
85 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
86 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
87 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
88 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
89 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
90 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
91 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
97 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
98 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
100 <!-- This tells the SP where/how to resolve SAML 1.x artifacts into SAML assertions. -->
101 <ArtifactResolutionService index="1"
102 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
103 Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
105 <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
106 <ArtifactResolutionService index="1"
107 Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
108 Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
110 <!-- This tells the SP how and where to request authentication. -->
111 <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
112 Location="https://idp.example.org/shibboleth/profile/shibboleth/SSO"/>
113 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
114 Location="https://idp.example.org/shibboleth/profile/saml2/Redirect/SSO"/>
115 <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
116 Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
119 <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
120 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
122 <!-- This is a Shibboleth extension to express attribute scope rules. -->
123 <shibmd:Scope>example.org</shibmd:Scope>
126 <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
127 <KeyDescriptor use="signing">
131 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
132 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
133 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
134 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
135 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
136 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
137 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
138 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
139 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
140 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
141 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
142 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
143 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
144 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
145 </ds:X509Certificate>
150 <KeyDescriptor use="encryption">
154 MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
155 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
156 Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
157 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
158 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
159 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
160 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
161 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
162 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
163 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
164 eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
165 BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
166 Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
167 w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
168 </ds:X509Certificate>
173 <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
174 <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
176 <!-- This tells the SP how and where to send queries. -->
177 <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
178 Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
179 <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
180 Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
181 </AttributeAuthorityDescriptor>
183 <!-- This is just information about the entity in human terms. -->
185 <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
186 <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
187 <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
189 <ContactPerson contactType="technical">
190 <SurName>Technical Support</SurName>
191 <EmailAddress>support@idp.example.org</EmailAddress>