IDP meta说明文档

MetadataForIdP

元数据 话题涵盖了任何实体的基本结构。这里主要说的是IDP部分的。关于怎么创建IDP的元数据。参考SP的构建-> here.

Shibboleth特别提示

如果是第一次开始, IDP在安装过程中生成一个初始的元数据文件，并被拷贝到 metadata/idp-metadata.xml. 他包含entityID和安装过程中生成的密钥。你需要需要进行配置的时候，对他进行修改就可以了。

基本结构

IdP 元数据包含在 和

中。 你必须要包括正确的支持协议类型（protocolSupportEnumeration） 来反映出IDP支持的协议族, 真如meta中提到的一样。如果没能这么做，可能会导致SP不能正确识别IDP。

使用 角色主要是兼容性的要求。用来支持遗留的或者其他的依赖于属性的SP。在多数情况下，多数的角色内容在二者之间是一致的。

IDP角色通常包括下面描述性信息: IDp用来认证和加密的公钥。 ? 各种中来交互的终端

? 明确支持的标示符格式 if any ? 明确支持的 属性, if any

?

所有信息出现的顺序是有意义的, 你可以参考schema。大多数情况下，元素按照下面顺序出现。

对于来说:

? ? ? ? ? ?

(can be omitted, but rarely)

(only needed if supporting response by artifact)

(if any) (if any)

(always at least one)

(rare today, but may be reasonable to include)

对于 来说:

(can be omitted, but rarely) ? (always at least one) ? (if any)

? (rare today, but may be reasonable to include)

?

密钥

参考 MetadataKeyDescriptor.

Shibboleth-Specific Tip

The keys you identify in the metadata MUST match the keys you configure into the IdP as [credentials]. If they don't match, SPs will generally be unable to accept assertions from or make queries to the IdP.

Artifact Resolution

SAML包含这样一种能力：通过依赖重定向包含一个简单的字符串成为“artifact”来使得consuming 网站可以拉取完整的信息。他更多的用于IdP->SP 方向,所以，IDP需要支持，有些IDP可能需要支持SOAP终端来实现对artifact->message 的支持.

Shibboleth-特别提示

The Location attribute of these endpoints is derived from the

elements defined in the IdP's handler.xml file. As with all IdP profile handlers that rely on SOAP, the locations will typically be of the form https://hostname:8443 + servlet context + \child element in the profile handler configuration.

The elements must also include a Binding attribute, which can be copied directly from the profile handler's inboundBinding attribute.

退出

If your IdP supports SAML 2.0 Single Logout, you will need to include one or more endpoint elements in the metadata. Shibboleth-Specific Tip

The Shibboleth IdP software does not currently support this feature.

文档化标示符

An IdP can identify specific \supports by listing each supported Format URI inside a element.

Shibboleth-Specific Tip

This isn't used at all by the Shibboleth SP software, and does not impact the IdP's own processing.

单点登录服务

IDP通过包含一个或多个 终端支持单点登录。这些是SP（或者网站自己的行为）通过特定的协议将用户定向到IDP的地址。 Shibboleth-特别提示

这些地址属性是通过在handler.xml 中的节点推理而来的。因为所有IDP处理器，地址通常都是 https://hostname + servlet context + \其中path是有handler配置中的决定的。

该节点必须绑定一个Bingding 属性，可以直接从handler中的 inbounding属性中拷贝过来。

属性服务

IdPs that support attribute queries document this by including the additional role in their metadata containing one or more endpoint elements. These are the SOAP endpoints to which SPs or other software may send SAML attribute queries.

Shibboleth-Specific Tip

The Location attribute of these endpoints is derived from the

elements defined in the IdP's handler.xml file. As with all IdP profile handlers that rely on SOAP, the locations will typically be of the form https://hostname:8443 + servlet context + \child element in the profile handler configuration.

The elements must also include a Binding attribute, which can be copied directly from the profile handler's inboundBinding attribute.

文档化属性 Attributes

An IdP can enumerate the SAML attributes that it can supply (subject to policy) to SPs. This is essentially informational in most cases. Shibboleth-Specific Tip

This isn't used at all by the Shibboleth SP software, and does not impact the IdP's own processing.

样例

These examples are written to reflect the typical default configuration of a Shibboleth IdP, but obviously specifics can vary. Note that it's very important that what you support match what you advertise. For example, if you don't support single logout, don't advertise it.

Complete Example Supporting SAML 2.0 and the Shibboleth profile of SAML 1.1

entityID=\ validUntil=\>

protocolSupportEnumeration=%urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol\>

xmlns:ds=\>

... base64-encoded certificate elided ...

Location=\SOAP/ArtifactResolution\

Binding=\g\ index=\/>