SAML 2.0 Metadata Documents
1. Introduction
This page provides a template for the SAML 2.0 metadata document needed by i-brokers that accept SAML 2.0 IssoService requests as an identity provider (IDP), and by the relying parties (RPs, also called service providers or SPs) that receive SAML 2.0 IssoService responses.
2. About SAML 2.0 Metadata Documents
The normative specification for SAML 2.0 metadata documents is (PeterDavis: please provide an authoritative reference here).
- As long as the same trust elements (signing keys and key info) are used, an i-broker or any other entity participating in a SAML 2.0 ISSO transaction needs only one SAML 2.0 metadata document, regardless of whether it acts as an identity provider (IDP) or a relying party (RP).
- A single SAML 2.0 metadata document can also serve several i-service endpoints: publish all of the service endpoints in the document and assign each an index value, which SAML 2.0 requests and responses then use to refer to that endpoint.
3. Obtaining the SAML Metadata Document
This SAML 2.0 metadata document is discovered in one of two ways.
3.1. Dereferencing an XRI
This method is used when the service provider is identified with an XRI:
- Select a service endpoint within an XRDS document.
- Select its child ProviderID element.
- If the value is an XRI, resolve this XRI to the provider's XRDS document.
- Select the SAML 2.0 metadata service endpoint as defined in IserviceEndpointDefinitions.
- Do an HTTPS GET on the value of the URI element for this service endpoint.
3.2. Dereferencing an HTTP(S) URI
This method is defined in the SAML 2.0 Metadata specification and involves either:
- Doing an HTTP(S) GET on the URI.
- Using DDDS.
4. Template
Following is a template SAML 2.0 metadata document.
Note to PeterDavis: this needs further editing to use as a template. Also, it needs an example of using index values for multiple i-service request and response endpoints.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  entityID="xri://!!1003">
  <!-- enveloped XML Signature (xmldsig) over the whole EntityDescriptor -->
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    [...]
  </Signature>
  <IDPSSODescriptor WantAuthnRequestsSigned="true"
                    validUntil="2006-05-01T00:00:00Z"
                    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- KeyDescriptor elements carrying this role's signing key info belong here -->
    <ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://example.biz/SAML/artifact"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.biz/SAML/logout"/>
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.biz/SAML/logout"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.biz/SAML/authNrequest"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.biz/SAML/authNrequest"/>
  </IDPSSODescriptor>
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true"
      WantAssertionsSigned="true" validUntil="2006-05-01T00:00:00Z">
    <!-- KeyDescriptor elements carrying this role's signing key info belong here -->
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://saml.endpoint.example.org/authNresponse"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en-US">Example i-Broker</OrganizationName>
    <OrganizationDisplayName xml:lang="en-US">Example i-Broker, Inc.</OrganizationDisplayName>
    <OrganizationURL xml:lang="en-US">http://example.biz/</OrganizationURL>
  </Organization>
</EntityDescriptor>
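As an added example, not part of this page or of any i-broker implementation, the following Python consumes a metadata document shaped like the template above: it resolves the AssertionConsumerService by the index a request would cite, refuses descriptors whose validUntil has passed, and flags endpoints not served over https. The sample document, its entityID and its hostnames are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # Clark-notation prefix for ElementTree
# Constructed sample shaped like the page's template; entityID and hosts are placeholders.
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="xri://!!1003">
  <IDPSSODescriptor validUntil="2006-05-01T00:00:00Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.biz/SAML/authNrequest"/>
  </IDPSSODescriptor>
  <SPSSODescriptor validUntil="2006-05-01T00:00:00Z" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://saml.endpoint.example.org/authNresponse"/>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://saml.endpoint.example.org/authNresponse"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

def load(xml_text):
    """Parse a metadata document and confirm the root really is an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    return root

def acs_location(root, index=None):
    """Where an IDP may post a response: the AssertionConsumerService with the index the
    AuthnRequest cited, or the isDefault (else first) one when no index was given."""
    acs = root.findall(f"{MD}SPSSODescriptor/{MD}AssertionConsumerService")
    if index is not None:
        acs = [e for e in acs if e.get("index") == str(index)]
    else:
        acs = [e for e in acs if e.get("isDefault") == "true"] or acs[:1]
    if not acs:
        raise LookupError(f"no AssertionConsumerService for index {index}")
    return acs[0].get("Location")

def as_utc(stamp):
    """xs:dateTime in the 'Z' form the template uses (no fractional seconds or offsets)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expired_roles(root, now):
    """Descriptors whose validUntil lies before `now`; their endpoints must not be trusted."""
    return [el.tag[len(MD):] for el in [root, *root]
            if el.get("validUntil") and as_utc(el.get("validUntil")) < now]

def insecure_endpoints(root):
    """Endpoint Locations not served over https; responses sent there travel in the clear."""
    return [e.get("Location") for e in root.iter()
            if e.get("Location") and urlparse(e.get("Location")).scheme != "https"]
```

Run against the sample, the default ACS is the isDefault entry, both role descriptors are reported expired for any clock after 2006-05-01, and the http ACS at index 1 is flagged.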
5. Template Instructions
Following are instructions on filling out an instance of this template.
5.1. EntityDescriptor entityID Attribute
Instructions here.
PeterDavis to complete for additional elements/attributes as needed.
