Removed SP locations that only apply to IQ testing.
1 <EntitiesDescriptor
2     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
3     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5     xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
6     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
7     Name="urn:mace:shibboleth:examples"
8     validUntil="2010-01-01T00:00:00Z">
9
10         <!--
11         This is a starter set of metadata for testing Shibboleth. It shows
12         a pair of example entities, one an IdP and one an SP. Each party
13         requires metadata from its opposite in order to interact with it.
14         Thus, your metadata describes you, and your partner(s)' metadata
15         is fed into your configuration.
16         
17         The software components do not configure themselves using metadata
18         (e.g. the IdP does not configure itself using IdP metadata). Instead,
19         metadata about SPs is fed into IdPs and metadata about IdPs is fed into
20         SPs. Other metadata is ignored, so the software does not look for
21         conflicts between its own configuration and the metadata that might
22         be present about itself. Metadata is instead maintained based on the
23         external details of your configuration.
24         -->
25
26         <EntityDescriptor entityID="https://idp.example.org/shibboleth">
27         <!--
28         The entityID above looks like a location, but it's actually just a name.
29         Each entity is assigned a URI name. By convention, it will often be a
30         URL, but it should never contain a physical machine hostname that you
31         would not otherwise publish to users of the service. For example, if your
32         installation runs on a machine named "gryphon.example.org", you would
33         generally register that machine in DNS under a second, logical name
34         (such as idp.example.org). This logical name should be used in favor
35         of the real hostname when you assign an entityID. You should use a name
36         like this even if you don't actually register the server in DNS using it.
37         The URL does *not* have to resolve into anything to use it as a name.
38         The point is for the name you choose to be stable, which is why including
39         hostnames is generally bad, since they tend to change.
40         -->
41                 
42                 <!-- A Shib IdP contains this element with protocol support as shown. -->
43                 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
44                         <Extensions>
45                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
46                         <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
47                         </Extensions>
48                         
49                         <!--
50                         One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
51                         descriptor can be used for both signing and for server-TLS if its use attribute
52                         is set to "signing". You can place an X.509 certificate directly in this element
53                         to specify the exact public key certificate to use. This only reflects the public
54                         half of the keypair used by the IdP.
55                         
56                         When the IdP signs XML, it uses the private key included in its Credentials
57                         configuration element, and when TLS is used, the web server will use the
58                         certificate and private key defined by the web server's configuration.
59                         An SP will then try to match the certificates in the KeyDescriptors here
60                         to the ones presented in the XML Signature or SSL session.
61                         
62                         When an inline certificate is used, do not assume that an expired certificate
63                         will be detected and rejected. Often only the key will be extracted without
64                         regard for the certificate, but at the same time, it may be risky to include
65                         an expired certificate and assume it will work. Your SAML implementation
66                         may provide specific guidance on this.
67                         -->
68                         <KeyDescriptor use="signing">
69                             <ds:KeyInfo>
70                                 <ds:X509Data>
71                                         <ds:X509Certificate>
72 MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
73 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
74 Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
75 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
76 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
77 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
78 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
79 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
80 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
81 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
82 eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
83 BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
84 jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
85 61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
86                                         </ds:X509Certificate>
87                                 </ds:X509Data>
88                             </ds:KeyInfo>
89                         </KeyDescriptor>
90
91                         <!-- This key is used by Internet2's test site. Since SPs match the signature or TLS certificate they see against every KeyDescriptor listed here, anything signed with this key is accepted as coming from this IdP; keep it only while testing against that site. -->
92                         <KeyDescriptor use="signing">
93                                 <ds:KeyInfo>
94                                         <ds:X509Data>
95                                                 <ds:X509Certificate>
96 MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
97 MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
98 F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
99 bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
100 LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
101 MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
102 bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
103 kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
104 C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
105 oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
106 oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
107 fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
108 B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
109 oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
110 JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
111 rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
112 AtThLg==
113                                                 </ds:X509Certificate>
114                                         </ds:X509Data>
115                                 </ds:KeyInfo>
116                         </KeyDescriptor>
117                         
118                         <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
119                         <ArtifactResolutionService index="1"
120                                 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
121                                 Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
122
123                         <!-- This enables testing against Internet2's test site. -->
124                         <ArtifactResolutionService index="2"
125                                 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
126                                 Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
127                         
128                         <!-- This tells SPs that you support only the Shib handle format. -->
129                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
130                         
131                         <!-- This tells SPs how and where to request authentication. -->
132                         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
133                             Location="https://idp.example.org/shibboleth-idp/SSO"/>
134
135                         <!-- This enables testing against Internet2's test site. -->
136                         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
137                                 Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
138                 </IDPSSODescriptor>
139                 
140                 <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
141                 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
142                         <Extensions>
143                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
144                         <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
145                         </Extensions>
146                         
147                         <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
148                         <KeyDescriptor use="signing">
149                             <ds:KeyInfo>
150                                 <ds:X509Data>
151                                         <ds:X509Certificate>
152 MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
153 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
154 Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
155 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
156 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
157 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
158 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
159 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
160 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
161 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
162 eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
163 BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
164 jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
165 61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
166                                         </ds:X509Certificate>
167                                 </ds:X509Data>
168                             </ds:KeyInfo>
169                         </KeyDescriptor>
170
171                         <!-- This key is used by Internet2's test site. Listing it here means SPs accept attribute responses signed with it as this IdP's; keep it only while testing against that site. -->
172                         <KeyDescriptor use="signing">
173                                 <ds:KeyInfo>
174                                         <ds:X509Data>
175                                                 <ds:X509Certificate>
176 MIIDADCCAmmgAwIBAgICBPIwDQYJKoZIhvcNAQEEBQAwgakxCzAJBgNVBAYTAlVT
177 MRIwEAYDVQQIEwlXaXNjb25zaW4xEDAOBgNVBAcTB01hZGlzb24xIDAeBgNVBAoT
178 F1VuaXZlcnNpdHkgb2YgV2lzY29uc2luMSswKQYDVQQLEyJEaXZpc2lvbiBvZiBJ
179 bmZvcm1hdGlvbiBUZWNobm9sb2d5MSUwIwYDVQQDExxIRVBLSSBTZXJ2ZXIgQ0Eg
180 LS0gMjAwMjA3MDFBMB4XDTA1MDUyNjAxMDE1MloXDTA5MDcwNTAxMDE1MlowPjEL
181 MAkGA1UEBhMCVVMxEjAQBgNVBAoTCUludGVybmV0MjEbMBkGA1UEAxMSd2F5Zi5p
182 bnRlcm5ldDIuZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxpUs
183 kDqIN54O/AbF9rVqe8FJ1q/Ep7edGGOQUjlnt2c2AyVuvveSfW/Hh82DjdF0HMaW
184 C5kv/ZInBLi4kO6Xx2EjPijZmK11WxHx+WbhgCziY4KzetL3XT63QdCSSQVnaEJV
185 oM9yWsOOHpeWaFiX2alAfkYbCVt9kQiB2amyCuwcOwPWh0Saf7UTEyXoE9IMNWUz
186 oaydiwm6TH2zJ7ZNMogeL14o5Fv7I6znKwVGvqrz6iIGWTI7v/ZmnF/jwyW4GOdS
187 fX7s/G+M6uSndSM5si+s7iE+MdtP0qZ2M3xd4zWSpYTWRnq3uVMc9w04mF5LZM5q
188 B8ktgtaTLS5X2sWv6QIDAQABox0wGzAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF
189 oDANBgkqhkiG9w0BAQQFAAOBgQBDiDqvFbuhMMxAQ89CNBFLiXkcMLrX2Ht96Zux
190 JfS8fAx/Obbz5im1jK7peLhFr/9KgLtAkoz4aWtBL+qWcL3a1VYTu9H3Q2w9QbV2
191 rxmbK0h8tw6qTA+F4FrErGufQv+kEmm1WRXXeyqEcsadZpsXauRD8iraq9f5WrLX
192 AtThLg==
193                                                 </ds:X509Certificate>
194                                         </ds:X509Data>
195                                 </ds:KeyInfo>
196                         </KeyDescriptor>
197                         
198                         <!-- This tells SPs how and where to send queries. -->
199                         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
200                             Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
201
202                         <!-- This enables testing against Internet2's test site. -->
203                         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
204                                 Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
205                         
206                         <!-- This tells SPs that you support only the Shib handle format. -->
207                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
208                 </AttributeAuthorityDescriptor>
209
210                 <!-- This is just information about the entity in human terms. -->
211                 <Organization>
212                     <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
213                     <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
214                     <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
215                 </Organization>
216                 <ContactPerson contactType="technical">
217                     <SurName>Technical Support</SurName>
218                     <EmailAddress>support@idp.example.org</EmailAddress>
219                 </ContactPerson>
220
221         </EntityDescriptor>
222
223         <!-- See the comment earlier about how an entityID is chosen/created. -->
224         <EntityDescriptor entityID="https://sp.example.org/shibboleth">
225         
226                 <!-- A Shib SP contains this element with protocol support as shown. -->
227                 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
228                 
229                         <!--
230                         One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
231                         descriptor can be used for both signing and for client-TLS if its use attribute
232                         is set to "signing". You can place an X.509 certificate directly in this element
233                         to specify the exact public key certificate to use. This only reflects the public
234                         half of the keypair used by the SP.
235                         
236                         The SP uses the private key included in its Credentials configuration element
237                         for both XML signing and client-side TLS. An IdP will then try to match the
238                         certificates in the KeyDescriptors here to the ones presented in the XML
239                         Signature or SSL session.
240                         
241                         When an inline certificate is used, do not assume that an expired certificate
242                         will be detected and rejected. Often only the key will be extracted without
243                         regard for the certificate, but at the same time, it may be risky to include
244                         an expired certificate and assume it will work. Your SAML implementation
245                         may provide specific guidance on this.
246                         -->
247                         <KeyDescriptor use="signing">
248                             <ds:KeyInfo>
249                                 <ds:X509Data>
250                                         <ds:X509Certificate>
251 MIICjzCCAfigAwIBAgIJAKYrDROEIQ3wMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
252 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
253 b3JnMB4XDTA1MDUxOTIwMDg1NVoXDTA1MDYxODIwMDg1NVowOjELMAkGA1UEBhMC
254 VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
255 gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
256 /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
257 qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
258 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
259 JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
260 CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
261 cGxlLm9yZ4IJAKYrDROEIQ3wMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
262 gYEAvxAknPpXKgOjkSsAE4D2SFlGt3GXrbS96UjpbA5Pke051wO6/z9u3JQu/gJa
263 Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
264 1XQgN+rVvbgGXEKbXvnFBWfdkCQ0neReul7pBUmvdnVzxRQ=
265                                         </ds:X509Certificate>
266                                 </ds:X509Data>
267                             </ds:KeyInfo>
268                         </KeyDescriptor>
269                         
270                         <!-- This tells IdPs that you support only the Shib handle format. -->
271                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
272                     
273                         <!--
274                         This tells IdPs where and how to send authentication assertions. Mostly
275                         the SP will tell the IdP what location to use in its request, but this
276                         is how the IdP validates the location and also figures out which
277                         SAML profile to use.
278                         -->
279                     <AssertionConsumerService index="1" isDefault="true"
280                         Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
281                         Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
282                     <AssertionConsumerService index="2"
283                         Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
284                         Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
285
286                 </SPSSODescriptor>
287                 
288         </EntityDescriptor>
289
290 </EntitiesDescriptor>