fa2a6091a661be78c532969862d426d9fc3ed575
[java-idp.git] / src / conf / example-metadata.xml
1 <EntitiesDescriptor
2     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
3     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
5     xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
6     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
7     Name="urn:mace:shibboleth:examples"
8     validUntil="2010-01-01T00:00:00Z">
9
10         <!--
11         This is a starter set of metadata for testing Shibboleth. It shows
12         a pair of example entities, one an IdP and one an SP. Each party
13         requires metadata from its opposite in order to interact with it.
14         Thus, your metadata describes you, and your partner(s)' metadata
15         is fed into your configuration.
16         
17         The software components do not configure themselves using metadata
18         (e.g. the IdP does not configure itself using IdP metadata). Instead,
19         metadata about SPs is fed into IdPs and metadata about IdPs is fed into
20         SPs. Other metadata is ignored, so the software does not look for
21         conflicts between its own configuration and the metadata that might
22         be present about itself. Metadata is instead maintained based on the
23         external details of your configuration.
24         -->
25
26         <EntityDescriptor entityID="https://idp.example.org/shibboleth">
27         <!--
28         The entityID above looks like a location, but it's actually just a name.
29         Each entity is assigned a URI name. By convention, it will often be a
30         URL, but it should never contain a physical machine hostname that you
31         would not otherwise publish to users of the service. For example, if your
32         installation runs on a machine named "gryphon.example.org", you would
33         generally register that machine in DNS under a second, logical name
34         (such as idp.example.org). This logical name should be used in favor
35         of the real hostname when you assign an entityID. You should use a name
36         like this even if you don't actually register the server in DNS using it.
37         The URL does *not* have to resolve into anything to use it as a name.
38         The point is for the name you choose to be stable, which is why including
39         hostnames is generally bad, since they tend to change.
40         -->
41                 
42                 <!-- A Shib IdP contains this element with protocol support as shown. -->
43                 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
44                         <Extensions>
45                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
46                         <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
47                         </Extensions>
48                         
49                         <!--
50                         One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
51                         descriptor can be used for both signing and for server-TLS if its use attribute
52                         is set to "signing". You can place an X.509 certificate directly in this element
53                         to specify the exact public key certificate to use. This only reflects the public
54                         half of the keypair used by the IdP.
55                         
56                         When the IdP signs XML, it uses the private key included in its Credentials
57                         configuration element, and when TLS is used, the web server will use the
58                         certificate and private key defined by the web server's configuration.
59                         An SP will then try to match the certificates in the KeyDescriptors here
60                         to the ones presented in the XML Signature or SSL session.
61                         
62                         When an inline certificate is used, do not assume that an expired certificate
63                         will be detected and rejected. Often only the key will be extracted without
64                         regard for the certificate, but at the same time, it may be risky to include
65                         an expired certificate and assume it will work. Your SAML implementation
66                         may provide specific guidance on this.
67                         -->
68                         <KeyDescriptor use="signing">
69                             <ds:KeyInfo>
70                                 <ds:X509Data>
71                                         <ds:X509Certificate>
72 MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
73 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
74 Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
75 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
76 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
77 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
78 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
79 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
80 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
81 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
82 eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
83 BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
84 jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
85 61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
86                                         </ds:X509Certificate>
87                                 </ds:X509Data>
88                             </ds:KeyInfo>
89                         </KeyDescriptor>
90                         
91                         <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
92                         <ArtifactResolutionService index="1"
93                                 Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
94                                 Location="https://idp.example.org:8443/shibboleth/Artifact"/>
95                         
96                         <!-- This tells SPs that you support only the Shib handle format. -->
97                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
98                         
99                         <!-- This tells SPs how and where to request authentication. -->
100                         <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
101                             Location="https://idp.example.org/shibboleth/SSO"/>
102                 </IDPSSODescriptor>
103                 
104                 <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
105                 <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
106                         <Extensions>
107                                 <!-- This is a Shibboleth extension to express attribute scope rules. -->
108                         <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
109                         </Extensions>
110                         
111                         <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
112                         <KeyDescriptor use="signing">
113                             <ds:KeyInfo>
114                                 <ds:X509Data>
115                                         <ds:X509Certificate>
116 MIICkjCCAfugAwIBAgIJALmU3nSJfUmPMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
117 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
118 Lm9yZzAeFw0wNTA1MTkyMDM0MTNaFw0wNTA2MTgyMDM0MTNaMDsxCzAJBgNVBAYT
119 AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
120 ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
121 Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
122 4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
123 lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
124 v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
125 CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
126 eGFtcGxlLm9yZ4IJALmU3nSJfUmPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
127 BQADgYEAp8SdgSCN5mNJoX0PDDJwPHDfdrdV81i0HuPHdu/b7i1GxcN4MkyNwTA2
128 jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
129 61s0Ktocvp7dJ5rLdMPgJWP6s/Q1/mzsCR3qJblgQ803044XBZ0=
130                                         </ds:X509Certificate>
131                                 </ds:X509Data>
132                             </ds:KeyInfo>
133                         </KeyDescriptor>
134
135                         <!-- This tells SPs how and where to send queries. -->
136                         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
137                             Location="https://idp.example.org:8443/shibboleth/AA"/>
138                             
139                         <!-- This tells SPs that you support only the Shib handle format. -->
140                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
141                 </AttributeAuthorityDescriptor>
142
143                 <!-- This is just information about the entity in human terms. -->
144                 <Organization>
145                     <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
146                     <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>
147                     <OrganizationURL xml:lang="en">http://idp.example.org/</OrganizationURL>
148                 </Organization>
149                 <ContactPerson contactType="technical">
150                     <SurName>Technical Support</SurName>
151                     <EmailAddress>support@idp.example.org</EmailAddress>
152                 </ContactPerson>
153
154         </EntityDescriptor>
155
156         <!-- See the comment earlier about how an entityID is chosen/created. -->
157         <EntityDescriptor entityID="https://sp.example.org/shibboleth">
158         
159                 <!-- A Shib SP contains this element with protocol support as shown. -->
160                 <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
161                 
162                         <!--
163                         One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
164                         descriptor can be used for both signing and for client-TLS if its use attribute
165                         is set to "signing". You can place an X.509 certificate directly in this element
166                         to specify the exact public key certificate to use. This only reflects the public
167                         half of the keypair used by the IdP.
168                         
169                         The SP uses the private key included in its Credentials configuration element
170                         for both XML signing and client-side TLS. An IdP will then try to match the
171                         certificates in the KeyDescriptors here to the ones presented in the XML
172                         Signature or SSL session.
173                         
174                         When an inline certificate is used, do not assume that an expired certificate
175                         will be detected and rejected. Often only the key will be extracted without
176                         regard for the certificate, but at the same time, it may be risky to include
177                         an expired certificate and assume it will work. Your SAML implementation
178                         may provide specific guidance on this.
179                         -->
180                         <KeyDescriptor use="signing">
181                             <ds:KeyInfo>
182                                 <ds:X509Data>
183                                         <ds:X509Certificate>
184 MIICjzCCAfigAwIBAgIJAKYrDROEIQ3wMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
185 BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
186 b3JnMB4XDTA1MDUxOTIwMDg1NVoXDTA1MDYxODIwMDg1NVowOjELMAkGA1UEBhMC
187 VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
188 gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
189 /jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
190 qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
191 7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
192 JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
193 CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
194 cGxlLm9yZ4IJAKYrDROEIQ3wMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
195 gYEAvxAknPpXKgOjkSsAE4D2SFlGt3GXrbS96UjpbA5Pke051wO6/z9u3JQu/gJa
196 Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
197 1XQgN+rVvbgGXEKbXvnFBWfdkCQ0neReul7pBUmvdnVzxRQ=
198                                         </ds:X509Certificate>
199                                 </ds:X509Data>
200                             </ds:KeyInfo>
201                         </KeyDescriptor>
202                         
203                         <!-- This tells IdPs that you support only the Shib handle format. -->
204                         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
205                     
206                         <!--
207                         This tells IdPs where and how to send authentication assertions. Mostly
208                         the SP will tell the IdP what location to use in its request, but this
209                         is how the IdP validates the location and also figures out which
210                         SAML profile to use.
211                         -->
212                     <AssertionConsumerService index="1" isDefault="true"
213                         Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
214                         Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
215                     <AssertionConsumerService index="2"
216                         Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
217                         Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
218                 </SPSSODescriptor>
219                 
220         </EntityDescriptor>
221
222 </EntitiesDescriptor>