I-Service Endpoint Definitions
This page provides an easy reference to the service endpoint type definitions and other i-service metadata needed to configure XRDS documents for the i-services specified on this ISS wiki.
Note: the ISS wiki team will attempt to keep track of other new XRDS service endpoint type definitions besides those defined on this wiki. However given that these can evolve organically, we can't promise that this is an exhaustive list. There is also an effort underway to consolidate XRDS service types on an XRDS page on Wikipedia.
1. OpenID Authentication Service
Element | Required/Optional | Element Value | Attribute Value
ProviderID | Recommended | I-Number of Service Provider | N/A
Service Type | Required for OpenID 1.0 | http://openid.net/signon/1.0 | select="true"
Service Type | Required for OpenID 1.1 | http://openid.net/signon/1.1 | select="true"
Service Type | Required for OpenID 2.0 - Standard sign-on mode | http://specs.openid.net/auth/2.0/signon | select="true"
Service Type | Required for OpenID 2.0 - OP identifier mode | http://specs.openid.net/auth/2.0/server | select="true"
Path | Optional - see note below | N/A | N/A
Media Type | Optional | N/A | N/A
URI | Required | URI to OpenID server | append="qxri"
openid:Delegate | Optional in OpenID 1.x | Local identifier used by service provider | N/A
LocalID | Optional in OpenID 2.0 | Local identifier used by service provider | N/A
For authoritative data and examples, see section 2 of the latest specification on the OpenIdAuthnService page.
The Service Types for OpenID 2.0, including backwards compatibility with 1.1 and 1.0, are listed in the [http://openid.net/specs/openid-authentication-2_0.html#discovery discovery section of the OpenID Authentication 2.0 specification].
The XML namespace for the openid:Delegate element is http://openid.net/xmlns/1.0 .
Use of the openid:Delegate element in OpenID 1.1 was replaced by the native XRD LocalID element in OpenID 2.0.
A Path element of <Path select="true">(+login)</Path> is recommended but not required. If this element is included, a second <Path match="null"/> element is also recommended.
Using the append attribute with a value of "qxri" on the URI element is STRONGLY RECOMMENDED as a best practice for all i-brokers supporting OpenID, because it is the only way the i-broker (acting as an OpenID Provider, or OP) can learn which i-name the user logged in with at the Relying Party (RP). The OpenID protocol sends the CanonicalID i-number, not the i-name; if the OP uses append="qxri" (and the RP implements XRI resolution correctly), the OP still receives the i-name as part of the incoming OpenID authentication request URL. Because that i-name arrives only as part of a request URL built by the RP, the OP should use it for display or routing and continue to treat the CanonicalID as the authoritative identifier for the user.
The Delegate element is optional and may be used with legacy providers that do not recognize their users by i-name. For example:
<URI>http://www.livejournal.com/openid/server.bml</URI>
<openid:Delegate>http://frank.livejournal.com/</openid:Delegate>
For more information, see [http://www.openidenabled.com/openid/using-openid-with-yadis/ Using OpenID with Yadis].
2. Contact Service
Element | Required/Optional | Element Value | Attribute Value
ProviderID | Recommended | I-Number of Service Provider | N/A
Service Type #1 | Required | xri://+i-service*(+contact)*($v*1.0) | select="true"
Service Type #2 | Required | Empty element | match="null"
Path #1 | Required | (+contact) | select="true"
Path #2 | Required | Empty element | match="null"
Media Type | See note below | Empty element | match="default"
URI | Required | URI to contact page | append="qxri"
For authoritative data and examples, see section 2 of the latest specification on the ContactService page.
The Media Type element is only required if another Media Type element is also specified for this endpoint; otherwise it is optional because the implied value if no Media Type element is present is match="default".
These settings will make Contact Service the default service endpoint if the QXRI has no service type and no path. For example, http://xri.net/=person will be automatically redirected to the contact service endpoint because the QXRI "=person" has no service type and no path.
- Use of an HTTPS URI is optional but recommended.
Recommended third-level DNS hosting name: contact, e.g. contact.example.com.
3. Forwarding Service
Element | Required/Optional | Element Value | Attribute Value
ProviderID | Optional | I-Number of Service Provider | N/A
Service Type #1 | Required | xri://+i-service*(+forwarding)*($v*1.0) | select="true"
Service Type #2 | Required | Empty element | match="null"
Path #1 | Recommended | (+index) | select="true"
Path #2 | Recommended | Empty element | match="default"
Media Type | See note below | Empty element | match="default"
URI | Required | URI to forwarding service | append="qxri"
For authoritative data and examples, see section 2 of the latest specification on the ForwardingService page.
The Media Type element is only required if another Media Type element is also specified for this endpoint; otherwise it is optional because the implied value if no Media Type element is present is match="default".
- These settings will cause Forwarding Service to be selected if: a) no Service Type is specified, b) the path is not null (if the path is null, Contact Service will be selected), and c) the path does not match any other service endpoint.
Recommended third-level DNS hosting name: forwarding, e.g. forwarding.example.com.
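The selection notes for the Contact and Forwarding services above, and the append="qxri" behaviour described under the OpenID service, can be checked against a concrete XRDS document. The script below is an added example for this page, not ISS wiki or i-broker code. It embeds a constructed XRDS for a hypothetical i-name =person (the i-number and the example.com hostnames are made up; ProviderID and LocalID are left out) with OpenID, Contact and Forwarding endpoints laid out per the three tables, implements a reduced form of XRI Resolution 2.0 service endpoint selection (content, null, any/non-null and default matching, select="true", and priority ordering), and builds the final URI for append="qxri". The "/" separator inserted when the base URI lacks one is a simplification of resolver behaviour and is flagged as such in the code; a deployed resolver also applies path-prefix matching and cross-XRD rules that this example omits.

```python
"""Simplified XRDS service endpoint (SEP) selection for the i-service tables on this page.
Added example, not ISS wiki or i-broker code: a reduced form of XRI Resolution 2.0 SEP
selection (exact content matches; null/any/non-null matches; 'default' matches that count
only when no SEP matched that category positively; select="true"; priority ordering)."""
import xml.etree.ElementTree as ET
from collections import namedtuple

XRD_NS = "xri://$xrd*($v*2.0)"
XRDS_NS = "xri://$xrds"
CATEGORIES = ("Type", "Path", "MediaType")

# Constructed XRDS for a hypothetical i-name =person (i-number and hostnames are made up),
# laid out per the OpenID, Contact and Forwarding tables above.
SAMPLE_XRDS = f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="{XRDS_NS}" xmlns="{XRD_NS}">
 <XRD>
  <CanonicalID>=!F83.62B1.44F.2813</CanonicalID>
  <Service priority="10">
   <Type select="true">http://specs.openid.net/auth/2.0/signon</Type>
   <Path select="true">(+login)</Path>
   <Path match="null"/>
   <URI append="qxri">https://authn.example.com/openid/</URI>
  </Service>
  <Service>
   <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type>
   <Type match="null"/>
   <Path select="true">(+contact)</Path>
   <Path match="null"/>
   <MediaType match="default"/>
   <URI append="qxri">https://contact.example.com/</URI>
  </Service>
  <Service>
   <Type select="true">xri://+i-service*(+forwarding)*($v*1.0)</Type>
   <Type match="null"/>
   <Path select="true">(+index)</Path>
   <Path match="default"/>
   <MediaType match="default"/>
   <URI append="qxri">https://forwarding.example.com/</URI>
  </Service>
 </XRD>
</xrds:XRDS>
"""
# selectors: category -> [(value, match, select)]; priority inf = no priority attribute
Sep = namedtuple("Sep", "name priority selectors uri append")

def parse_seps(xrds_text):
    """Read every Service element in the XRDS document into a Sep record."""
    seps = []
    for svc in ET.fromstring(xrds_text.encode("utf-8")).iter(f"{{{XRD_NS}}}Service"):
        sel = {c: [((e.text or "").strip(), e.get("match", "content"), e.get("select") == "true")
                   for e in svc.findall(f"{{{XRD_NS}}}{c}")] for c in CATEGORIES}
        uri, prio = svc.find(f"{{{XRD_NS}}}URI"), svc.get("priority")
        seps.append(Sep(sel["Type"][0][0] if sel["Type"] else "(untyped)",
                        float(prio) if prio is not None else float("inf"),
                        sel, (uri.text or "").strip(), uri.get("append", "none")))
    return seps

def _positive(value, match, query):
    """True/False for a positive match; None for a match="default" element."""
    if match == "default":
        return None
    if match == "any":
        return True
    if match in ("null", "non-null"):
        return (query == "") == (match == "null")
    return query != "" and value == query          # match="content" (the default)

def select_seps(seps, q_type="", q_path="", q_media=""):
    """SEPs selected for a (type, path, media type) query, best priority first."""
    query = {"Type": q_type, "Path": q_path, "MediaType": q_media}
    pos, dflt, immediate = {}, {}, set()
    for i, sep in enumerate(seps):
        for c in CATEGORIES:
            pos[i, c], dflt[i, c] = False, not sep.selectors[c]   # no element = implied default
            for value, match, select in sep.selectors[c]:
                r = _positive(value, match, query[c])
                if r is None:
                    dflt[i, c] = True
                elif r:
                    pos[i, c] = True
                    if select:
                        immediate.add(i)   # select="true": chosen regardless of other categories
    n = range(len(seps))
    chosen = immediate | {i for i in n if all(pos[i, c] for c in CATEGORIES)}
    if not chosen:   # fall back to defaults, which only count where no SEP matched positively
        free = {c: not any(pos[i, c] for i in n) for c in CATEGORIES}
        chosen = {i for i in n if all(pos[i, c] or (dflt[i, c] and free[c]) for c in CATEGORIES)}
    return sorted((seps[i] for i in chosen), key=lambda s: s.priority)

def construct_uri(sep, qxri):
    """Apply append="qxri" (simplification: a '/' is inserted if the base URI lacks one)."""
    if sep.append != "qxri":
        return sep.uri
    return sep.uri + ("" if sep.uri.endswith("/") else "/") + qxri.removeprefix("xri://")

def resolve(qxri, q_type="", q_media=""):
    """Select a SEP for a QXRI such as =person/(+login) and build the final URI."""
    _authority, _, path = qxri.removeprefix("xri://").partition("/")
    chosen = select_seps(parse_seps(SAMPLE_XRDS), q_type, path, q_media)
    return (chosen[0].name, construct_uri(chosen[0], qxri)) if chosen else None
```

resolve("=person") returns the Contact endpoint (no type, null path), resolve("=person/(+login)") the OpenID endpoint with the whole i-name appended to the OP URL, and resolve("=person/(+blog)") the Forwarding endpoint, which is chosen only because its match="default" Path is the sole candidate left once no other endpoint matched the path positively. The OP-side point from section 1 shows in the second result: the i-name reaches the OP solely because it is appended to the request URL, so the OP should still key the authenticated identity on the CanonicalID in the XRD.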
4. SAML Authentication Service
Element | Required/Optional | Element Value | Attribute Value
ProviderID | Required | I-Number of Authn Service Provider (see note below) | N/A
Service Type | Required | xri://+i-service*(+authn)*(+saml)*($v*1.0) | select="true"
Path | Optional - see note below | N/A | N/A
Media Type | Optional | N/A | N/A
URI | Required | URI to ISSO configuration page | append="qxri"
- The ProviderID MUST be the XRI of the authentication service provider that offers the SAML metadata service (see below) for the SAML authentication endpoint.
A Path element of <Path select="true">(+login)</Path> is recommended but not required. If this element is included, a second <Path match="null"/> element is also recommended. Note that if both OpenID and SAML service endpoints are present, a priority attribute should be used to indicate which is preferred for login.
- An HTTPS URI is REQUIRED if replayable credentials (such as passwords) are used for authentication.
Recommended third-level DNS hosting name: authn, e.g. authn.example.com.
5. SAML Metadata Service
SPECIAL NOTE: The beta version of this service uses separate SAML metadata endpoints for each i-service that requires SAML authn. Until codebases are upgraded, you may see XRDS documents with multiple SAML metadata endpoints.
Element | Required/Optional | Element Value | Attribute Value
ProviderID | Optional | I-Number of Service Provider | N/A
Service Type | Required | xri://+i-service*(+metadata)*(+saml)*($v*1.0) | select="true"
Path | Required | (+saml.metadata) | select="true"
Media Type | Optional | N/A | N/A
URI | Required | URI to IssoService/SamlMetadata document | append="none"
- This service should be hosted at the same DNS endpoint (and use the same HTTPS cert) as SAML Authentication Service.
- This service endpoint is used exclusively to retrieve SAML metadata documents.
- An HTTPS URI is REQUIRED.
