Saturday, April 18, 2015

SAML Service Provider Metadata File

SAML Service Provider metadata specifies (among other things):

  • The EntityID (a unique ID that distinguishes between the different Service Providers registered with an Identity Provider)
  • The public part of the certificates used for signing/encrypting requests
  • URLs for the different services (SingleLogoutService, AssertionConsumerService, etc.) exposed by the Service Provider, as well as for the different bindings (HTTP-POST, HTTP-Redirect, etc.); the format of the URLs is Service Provider specific

Sample metadata:

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="urn_my_id" entityID="urn:my:id">
    <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIEEDCCAvigAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCUk8x
...
                        y3FIAikcj/fdYo1K9d+PrL6JoMiQGIglDLhed8ZcpBqC64mG
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:KeyDescriptor use="encryption">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <ds:X509Data>
                    <ds:X509Certificate>
                        MIIEEDCCAvigAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMCUk8x
...
                        y3FIAikcj/fdYo1K9d+PrL6JoMiQGIglDLhed8ZcpBqC64mG
                    </ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.domain.local:9443/path_to_logout"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://server.domain.local:9443/path_to_logout"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.domain.local:9443/path_to_asertion_service" index="0" isDefault="true"/>
    </md:SPSSODescriptor>
</md:EntityDescriptor>
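As an added example (not part of the original post), the following Python reads such a metadata file with the standard-library parser, pulls out the fields listed above, and flags the settings an Identity Provider operator would want to settle with the SP owner before registering it. The embedded sample metadata is constructed after the one above with placeholder certificate bodies, and the review checks are this example's own, not something the metadata format prescribes.

```python
import xml.etree.ElementTree as ET  # parse metadata from untrusted sources with defusedxml instead
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample modelled on the metadata above; certificate bodies are placeholders
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:my:id">
 <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
     protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate> MIIEEDCC PLACEHOLDER-SIGNING-CERT </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
   <ds:X509Certificate> MIIEEDCC PLACEHOLDER-ENCRYPTION-CERT </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.domain.local:9443/path_to_logout"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://server.domain.local:9443/path_to_logout"/>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://server.domain.local:9443/path_to_asertion_service" index="0" isDefault="true"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def parse_sp_metadata(xml_text):
    """Extract the fields an IdP records when registering a Service Provider."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    info = {"entity_id": root.get("entityID"),
            "authn_requests_signed": sp.get("AuthnRequestsSigned") in ("true", "1"),
            "want_assertions_signed": sp.get("WantAssertionsSigned") in ("true", "1"),
            "certs": {}, "slo": [], "acs": [],
            "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]}
    for kd in sp.findall("md:KeyDescriptor", NS):  # no 'use' attribute means both signing and encryption
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        info["certs"][kd.get("use", "both")] = "".join(cert.text.split())  # undo base64 line wrapping
    for tag, key in (("md:SingleLogoutService", "slo"), ("md:AssertionConsumerService", "acs")):
        for ep in sp.findall(tag, NS):
            info[key].append({"binding": ep.get("Binding").replace(BINDING_PREFIX, ""),
                              "location": ep.get("Location"), "default": ep.get("isDefault") == "true"})
    return info

def review_sp_metadata(info):
    """Findings an IdP operator should settle with the SP owner before enabling the integration."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append("WantAssertionsSigned=false: SP does not demand signed assertions")
    if not any(u in info["certs"] for u in ("signing", "both")):
        findings.append("no signing certificate published")
    findings += ["non-HTTPS endpoint: " + ep["location"]
                 for ep in info["slo"] + info["acs"] if not ep["location"].startswith("https://")]
    return findings
```

Running `review_sp_metadata(parse_sp_metadata(SAMPLE_METADATA))` on the sample reports only the WantAssertionsSigned="false" setting; the same metadata above carries that value, which is worth a question to the SP owner since it leaves assertion integrity to the transport.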