Fixed inconsistent shib metadata prefix.
[java-idp.git] / src / conf / example-metadata.xml
index c2ce775..5753951 100644 (file)
@@ -2,7 +2,7 @@
     xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
-    xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0"
+    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
     xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata ../schemas/saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 ../schemas/shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# ../schemas/xmldsig-core-schema.xsd"
     Name="urn:mace:shibboleth:examples"
     validUntil="2010-01-01T00:00:00Z">
        requires metadata from its opposite in order to interact with it.
        Thus, your metadata describes you, and your partner(s)' metadata
        is fed into your configuration.
+       
+       The software components do not configure themselves using metadata
+       (e.g. the IdP does not configure itself using IdP metadata). Instead,
+       metadata about SPs is fed into IdPs and metadata about IdPs is fed into
+       SPs. Other metadata is ignored, so the software does not look for
+       conflicts between its own configuration and the metadata that might
+       be present about itself. Metadata is instead maintained based on the
+       external details of your configuration.
        -->
 
+       <EntityDescriptor entityID="https://idp.example.org/shibboleth">
        <!--
-       The entityID below looks like a location, but it's actually just a name.
+       The entityID above looks like a location, but it's actually just a name.
        Each entity is assigned a URI name. By convention, it will often be a
        URL, but it should never contain a physical machine hostname that you
        would not otherwise publish to users of the service. For example, if your
        of the real hostname when you assign an entityID. You should use a name
        like this even if you don't actually register the server in DNS using it.
        The URL does *not* have to resolve into anything to use it as a name.
+       The point is for the name you choose to be stable, which is why including
+       hostnames is generally bad, since they tend to change.
        -->
-       <EntityDescriptor entityID="https://idp.example.org/shibboleth">
                
                <!-- A Shib IdP contains this element with protocol support as shown. -->
                <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
                        <Extensions>
                                <!-- This is a Shibboleth extension to express attribute scope rules. -->
-                       <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+                               <shibmd:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.edu</shibmd:Scope>
                        </Extensions>
                        
                        <!--
                        One or more KeyDescriptors tell SPs how the IdP will authenticate itself. A single
-                       descriptor can be used for both signing and for server-TLS. You can place an
-                       X.509 certificate directly in this element to specify the exact public key certificate
-                       to use. The dates and other fields in the certificate are totally ignored.
+                       descriptor can be used for both signing and for server-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       When the IdP signs XML, it uses the private key included in its Credentials
+                       configuration element, and when TLS is used, the web server will use the
+                       certificate and private key defined by the web server's configuration.
+                       An SP will then try to match the certificates in the KeyDescriptors here
+                       to the ones presented in the XML Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
                        -->
                        <KeyDescriptor use="signing">
                            <ds:KeyInfo>
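Review bot: The two Scope elements in the IDPSSODescriptor Extensions were renamed to the `shibmd` prefix but still carry the old inline declaration `xmlns:shib="urn:mace:shibboleth:metadata:1.0"`, which nothing in the element uses any more; the same leftover appears in the AttributeAuthorityDescriptor hunk below. Since the prefix is now declared once on the root element earlier in this hunk, the inline declaration should be dropped so the file has a single source of truth for the namespace: `<shibmd:Scope>example.org</shibmd:Scope>`. The `example.edu` scope added alongside it is a scope rule SPs will apply to attributes from this entityID, so it presumably belongs only to the test setup and should be removed before this metadata is published for a real deployment. The IDPSSODescriptor and EntityDescriptor elements this hunk edits continue past its last line.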
@@ -64,25 +89,63 @@ jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
                                </ds:X509Data>
                            </ds:KeyInfo>
                        </KeyDescriptor>
+
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>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+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
                        
                        <!-- This tells SPs where/how to resolve SAML 1.x artifacts into SAML assertions. -->
                        <ArtifactResolutionService index="1"
                                Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                               Location="https://idp.example.org:8443/shibboleth/Artifact"/>
+                               Location="https://idp.example.org:8443/shibboleth-idp/Artifact"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <ArtifactResolutionService index="2"
+                               Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/Artifact"/>
                        
                        <!-- This tells SPs that you support only the Shib handle format. -->
                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
                        
                        <!-- This tells SPs how and where to request authentication. -->
                        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
-                           Location="https://idp.example.org/shibboleth/SSO"/>
+                           Location="https://idp.example.org:8443/shibboleth-idp/SSO"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
+                               Location="https://wayf.internet2.edu/shibboleth-idp/SSO"/>
                </IDPSSODescriptor>
                
                <!-- Most Shib IdPs also support SAML attribute queries, so this role is also included. -->
                <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
                        <Extensions>
                                <!-- This is a Shibboleth extension to express attribute scope rules. -->
-                       <shib:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shib:Scope>
+                               <shibmd:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.org</shibmd:Scope>
+                               <!-- This enables testing against Internet2's test site. -->
+                               <shibmd:Scope xmlns:shib="urn:mace:shibboleth:metadata:1.0">example.edu</shibmd:Scope>
                        </Extensions>
                        
                        <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
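Review bot: The second KeyDescriptor added after the IdP's own key places Internet2's test-site certificate inside the same EntityDescriptor as `https://idp.example.org/shibboleth`; by this file's own description an SP matches any certificate listed here against the XML Signature or TLS session, so every SP that loads this metadata would also accept assertions for this entityID signed with the test site's key, and the added wayf.internet2.edu ArtifactResolutionService and SingleSignOnService become endpoints of the local entity. The same pattern is repeated for the AttributeAuthorityDescriptor in the next hunk. If the example is meant to show interop testing, a separate EntityDescriptor for the test site (its own entityID, keys and endpoints) keeps the trust boundaries distinct; otherwise at least a comment such as `<!-- Every KeyDescriptor here is a trust anchor for this entityID; remove the test key before publishing this metadata. -->` should replace the bare "used by Internet2's test site" note. The IDPSSODescriptor closes inside this hunk, but the AttributeAuthorityDescriptor it opens ends outside it.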
@@ -109,10 +172,41 @@ jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
                            </ds:KeyInfo>
                        </KeyDescriptor>
 
+                       <!-- This key is used by Internet2's test site. -->
+                       <KeyDescriptor use="signing">
+                               <ds:KeyInfo>
+                                       <ds:X509Data>
+                                               <ds:X509Certificate>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+                                               </ds:X509Certificate>
+                                       </ds:X509Data>
+                               </ds:KeyInfo>
+                       </KeyDescriptor>
+                       
                        <!-- This tells SPs how and where to send queries. -->
                        <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
-                           Location="https://idp.example.org:8443/shibboleth/AA"/>
-                           
+                           Location="https://idp.example.org:8443/shibboleth-idp/AA"/>
+
+                       <!-- This enables testing against Internet2's test site. -->
+                       <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
+                               Location="https://wayf.internet2.edu:8443/shibboleth-idp/AA"/>
+                       
                        <!-- This tells SPs that you support only the Shib handle format. -->
                        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
                </AttributeAuthorityDescriptor>
@@ -138,9 +232,21 @@ jBp8wDQehvl6f0mzUg8vZ+lj8IJImG1cM9rJey1cPTFTkYqhNLI/fF/rMwLMttIY
                
                        <!--
                        One or more KeyDescriptors tell IdPs how the SP will authenticate itself. A single
-                       descriptor can be used for both signing and for client-TLS. You can place an
-                       X.509 certificate directly in this element to specify the exact public key certificate
-                       to use. The dates and other fields in the certificate are totally ignored.
+                       descriptor can be used for both signing and for client-TLS if its use attribute
+                       is set to "signing". You can place an X.509 certificate directly in this element
+                       to specify the exact public key certificate to use. This only reflects the public
+                       half of the keypair used by the IdP.
+                       
+                       The SP uses the private key included in its Credentials configuration element
+                       for both XML signing and client-side TLS. An IdP will then try to match the
+                       certificates in the KeyDescriptors here to the ones presented in the XML
+                       Signature or SSL session.
+                       
+                       When an inline certificate is used, do not assume that an expired certificate
+                       will be detected and rejected. Often only the key will be extracted without
+                       regard for the certificate, but at the same time, it may be risky to include
+                       an expired certificate and assume it will work. Your SAML implementation
+                       may provide specific guidance on this.
                        -->
                        <KeyDescriptor use="signing">
                            <ds:KeyInfo>
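Review bot: The new KeyDescriptor comment in the SPSSODescriptor says the inline certificate "only reflects the public half of the keypair used by the IdP", but this block documents the SP's key (the following paragraph correctly refers to the SP's Credentials element), so the sentence copied from the IdP section should read `half of the keypair used by the SP.`. The SPSSODescriptor element this comment sits in starts and ends outside the hunk.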
@@ -176,10 +282,11 @@ Yt0LOC4i/8fpCqcHaHVNKvgWipNyEXr6r0nia5NmmrM7I5SQMM2VZv2G4c/KogBe
                        -->
                    <AssertionConsumerService index="1" isDefault="true"
                        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
-                       Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
+                       Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/POST"/>
                    <AssertionConsumerService index="2"
                        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
-                       Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact"/>
+                       Location="https://sp.example.org:9443/shibboleth-sp/Shibboleth.sso/SAML/Artifact"/>
+
                </SPSSODescriptor>
                
        </EntityDescriptor>