
SAML Integration Between Shibboleth and a Service Provider: Metadata File Guide

One of the most important steps in a SAML integration between Shibboleth (the Identity Provider, or IdP) and an application (the Service Provider, or SP) is the exchange of metadata files. Each file tells the other party its owner's entity ID, endpoints and public keys; that is what lets the IdP and the SP recognize each other's messages and verify each other's signatures.

Metadata File Availability

While most Identity Providers (IdPs) supply a metadata file by default, many Service Providers do not. In such cases, it becomes necessary to manually generate the SP metadata file. This document offers guidance and examples to help with that process.


Key Components of a SAML Metadata File

SAML metadata is structured in XML format, with specific sections detailing how the SP interacts with the IdP. Below are the most important elements:

  • EntityDescriptor Section
    The root element. Its entityID attribute is the unique identifier of the Service Provider and appears as the Issuer in every message the SP sends to the IdP; the IdP uses it to look up the SP's keys and endpoints. Keep the value stable, since changing it breaks the trust relationship.

  • SPSSODescriptor Section
    The role descriptor for the SP. Its protocolSupportEnumeration must list urn:oasis:names:tc:SAML:2.0:protocol. AuthnRequestsSigned="true" tells the IdP that the SP signs its authentication requests, and WantAssertionsSigned="true" tells the IdP that the SP requires signed assertions. These attributes declare what the SP expects; the SP software must still verify every signature it receives.

  • KeyInfo Section
    Holds the SP's certificates, each inside a KeyDescriptor with use="signing" or use="encryption" (a KeyDescriptor without a use attribute serves both purposes). The signing certificate lets the IdP verify AuthnRequests and LogoutRequests signed by the SP; the encryption certificate lets the IdP encrypt assertions for the SP. Only the public certificate goes into the metadata; the private key stays on the SP. The section is optional but recommended, because Shibboleth expects Single Logout (SLO) messages to be signed, so SLO does not work without a signing certificate.

  • NameIDFormat Section
    Lists the formats the SP accepts for the NameID, the element that identifies the authenticated subject. The values are URNs from the SAML 1.1 namespace (urn:oasis:names:tc:SAML:1.1:nameid-format:...) or the SAML 2.0 namespace (urn:oasis:names:tc:SAML:2.0:nameid-format:...), as in the examples below.

  • AssertionConsumerService Section
    Gives the binding and the URL at which the SP receives the SAML Response that carries the assertion. The IdP delivers responses only to locations listed here, so the Location must be an https URL the SP controls (the examples below use HTTP-POST). The index attribute numbers the endpoint when more than one is declared.
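The five elements above, assembled programmatically in schema order. This is an added example written for this page, not code from Shibboleth or from the product documented here; the entity ID, URLs and certificate strings passed to it are placeholders, and the loopback allowance on the ACS mirrors the desktop-client example further down.

```python
"""Build SAML 2.0 Service Provider metadata from a few parameters.

Added example for this page, not Shibboleth or vendor code. The entity ID,
URLs and certificate strings callers pass in are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

ET.register_namespace("md", MD)   # serialize with the md:/ds: prefixes used on this page
ET.register_namespace("ds", DS)


def _add_key(spsso, use, b64_cert):
    """Append <md:KeyDescriptor use=...> wrapping a base64 DER certificate (public part only)."""
    kd = ET.SubElement(spsso, f"{{{MD}}}KeyDescriptor", {"use": use})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = b64_cert


def build_sp_metadata(entity_id, acs_url, *, signing_cert=None, encryption_cert=None,
                      slo_url=None, name_id_formats=(UNSPECIFIED,),
                      authn_requests_signed=False, want_assertions_signed=True):
    """Return the metadata document as a string.

    Children of SPSSODescriptor are emitted in schema order (KeyDescriptor,
    SingleLogoutService, NameIDFormat, AssertionConsumerService); an XSD
    validator rejects any other order.
    """
    # The IdP posts the assertion to acs_url, so it must be TLS. The one
    # exception is the loopback listener of a locally installed client.
    if not (acs_url.startswith("https://") or acs_url.startswith("http://127.0.0.1")):
        raise ValueError("AssertionConsumerService Location must be https")
    if slo_url and not signing_cert:
        # Shibboleth expects LogoutRequests to be signed; without a signing
        # certificate in the metadata the IdP cannot verify them and SLO fails.
        raise ValueError("SingleLogoutService needs a signing certificate")

    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    spsso = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": str(authn_requests_signed).lower(),
        "WantAssertionsSigned": str(want_assertions_signed).lower(),
        "protocolSupportEnumeration": SAML2P,
    })
    if signing_cert:
        _add_key(spsso, "signing", signing_cert)
    if encryption_cert:
        _add_key(spsso, "encryption", encryption_cert)
    if slo_url:
        ET.SubElement(spsso, f"{{{MD}}}SingleLogoutService",
                      {"Binding": HTTP_REDIRECT, "Location": slo_url})
    for fmt in name_id_formats:
        ET.SubElement(spsso, f"{{{MD}}}NameIDFormat").text = fmt
    ET.SubElement(spsso, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Placeholder host and a truncated certificate body; replace with real values.
    print(build_sp_metadata("https://sp.example.com/saml/metadata",
                            "https://sp.example.com/saml/acs",
                            signing_cert="MIIC...placeholder...",
                            slo_url="https://sp.example.com/saml/slo"))
```

Paste the printed document into the Shibboleth IdP's metadata directory (or wherever the IdP loads SP metadata from), then run it through an XSD validator as the next section suggests; the two ValueError checks encode the page's own advice about https endpoints and signed logout.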


Useful Tools and References

  • SAML Metadata Validator:
    Use an online XML Schema (XSD) validator to check the document against the SAML metadata schema. Schema validation catches missing elements and wrong element order, but not weak settings such as an http ACS Location or WantAssertionsSigned="false"; review those by hand.
    Tool: Validate XML Against XSD Online

  • Metadata Construction Guide:
    Refer to the SAML 2.0 Metadata specification published by OASIS for the full element reference.
    Resource: OASIS Projects
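Schema validation does not cover the settings that matter for the trust relationship, so here is a small lint pass over SP metadata for exactly the points listed under Key Components. This is an added example for this page, not tooling from the page's authors or from Shibboleth; the two sample documents are constructed, and the X509Certificate body in the good one is a stand-in DER SEQUENCE, not a real certificate.

```python
"""Lint SAML 2.0 SP metadata for the settings that matter to the IdP trust relationship.

Added example, not the page's own tooling. Sample metadata below is constructed;
the X509Certificate body in GOOD is a stand-in DER SEQUENCE, not a real certificate.
"""
import base64
import binascii
import xml.etree.ElementTree as ET  # for metadata from untrusted parties, parse with defusedxml instead

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
# SAML 2.0 Profiles 4.1.2: the Response reaches the SP by HTTP-POST or HTTP-Artifact.
# HTTP-Redirect is not allowed for the Response, only for requests and logout messages.
RESPONSE_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}


def looks_like_der_cert(b64_text):
    """True if the text is valid base64 whose DER starts with a SEQUENCE tag (0x30)."""
    try:
        der = base64.b64decode("".join(b64_text.split()), validate=True)
    except binascii.Error:
        return False
    return der.startswith(b"\x30")


def lint_sp_metadata(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("EntityDescriptor has no entityID (the SP's Issuer value)")
    sp = root.find(MD + "SPSSODescriptor")
    if sp is None:
        return findings + ["no SPSSODescriptor: this is not Service Provider metadata"]
    if SAML2P not in (sp.get("protocolSupportEnumeration") or "").split():
        findings.append("protocolSupportEnumeration does not include the SAML 2.0 protocol")
    if sp.get("WantAssertionsSigned", "false").lower() not in ("true", "1"):
        findings.append("WantAssertionsSigned is not true: SP does not ask for signed assertions")

    uses = set()
    for kd in sp.findall(MD + "KeyDescriptor"):
        use = kd.get("use")
        uses.update([use] if use else ["signing", "encryption"])  # no use= means both
        cert = kd.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate") or ""
        if not looks_like_der_cert(cert):
            findings.append(f"KeyDescriptor use={use!r} does not carry a base64 DER X.509 certificate")
    slo = sp.findall(MD + "SingleLogoutService")
    if slo and "signing" not in uses:
        findings.append("SingleLogoutService declared without a signing certificate; "
                        "the signed LogoutRequests Shibboleth expects cannot be verified")

    acs_list = sp.findall(MD + "AssertionConsumerService")
    if not acs_list:
        findings.append("no AssertionConsumerService: the IdP has nowhere to send the Response")
    for svc in slo + acs_list:
        loc = svc.get("Location", "")
        # Loopback is tolerated for a locally installed client (the Client VPN case below).
        if not (loc.startswith("https://") or loc.startswith("http://127.0.0.1")):
            findings.append(f"{svc.tag[len(MD):]} Location is not https: {loc}")
    for acs in acs_list:
        if acs.get("Binding") not in RESPONSE_BINDINGS:
            findings.append(f"AssertionConsumerService index={acs.get('index')} uses "
                            f"{acs.get('Binding')}; the Response needs HTTP-POST or HTTP-Artifact")
    return findings


# Constructed samples: hosts are placeholders.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MAMCAQA=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.example.com/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://sp.example.com/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in lint_sp_metadata(WEAK):
        print("-", finding)
```

Run it over the SP's exported file before handing the file to the IdP administrators; WEAK produces four findings (unsigned assertions, logout without a signing key, an http ACS and a Redirect ACS binding), GOOD none. The loopback allowance exists only for desktop clients that receive the assertion on a local port; treat any other http Location as a defect.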

Examples

Simple metadata with POST - no certificate present

Minimal SP metadata: entity ID, the two signing attributes, accepted NameID formats and one HTTP-POST endpoint. The loopback http Location is appropriate only for a locally installed client that listens on that port and receives the assertion itself; a web-facing SP must declare an https Location.

CODE
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:amazon:webservices:clientvpn">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://127.0.0.1:35001" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Metadata with signing and encryption certificate and POST

Metadata as exported by an SP that has its own key pair: a signing and an encryption KeyDescriptor, a SingleLogoutService endpoint, and an https ACS. Note that this export declares WantAssertionsSigned="false"; unless the SP has a reason not to, set it to "true" and make sure the SP rejects unsigned assertions. The certificate bodies are truncated here.

CODE
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" cacheDuration="PT604800S" entityID="https://fortigate.veridium-dev.com:10443/remote/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIG....GzzA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MII....EGzzA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fortigate.veridium-dev.com:10443/remote/saml/logout/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fortigate.veridium-dev.com:10443/remote/saml/login/" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Simple metadata with Redirect - no certificate present

This variant changes only the AssertionConsumerService binding. Be aware that the SAML 2.0 Web Browser SSO profile does not permit HTTP-Redirect for the Response, because a signed response does not fit in a URL, so a profile-conforming IdP such as Shibboleth will not deliver assertions to this endpoint. HTTP-Redirect is the usual binding for AuthnRequests and for the SingleLogoutService; for the ACS, declare HTTP-POST as in the examples above.

CODE
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:amazon:webservices:clientvpn">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://127.0.0.1:35001" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>