| Warning | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
We have exciting news! An updated InCommon Federation wiki is now available. Please visit the new InCommon Federation Library for updated content. This wiki is preserved for historical records only. It will no longer be updated. We invite you to come check out the new Library. Don't forget to update your bookmarks accordingly.
|
Metadata Administration
This page is for metadata site administrators responsible for creating and maintaining SAML metadata on behalf of their organization. For a high-level overview of InCommon Federation metadata, please visit our web site.
Metadata Elements
Entity ID
The first step is to choose an entity ID for each of the SAML entities to be deployed. Please choose these names with care, because once you publish them, it will be difficult to change the names later on.
Scope
TBD
User Interface Elements
https://spaces.at.internet2.edu/display/InCCollaborate/UIInfo
Requested Attributes
https://spaces.at.internet2.edu/display/InCCollaborate/RequestedAttributes
X.509 Certificates
A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in the form of X.509 Certificates in Metadata. The corresponding private keys are held securely by the SAML entity. These keys are used for message-level signing and encryption, and to create secure channels for transporting SAML messages.
| Info | ||
|---|---|---|
| ||
X.509 certificates in metadata are used for SSL/TLS back-channel SOAP exchanges, typically on a port like 8443. These certificates are not the same as and have nothing to do with SSL/TLS certificates used for browser-facing transactions over port 443. The latter certificates are not contained in metadata. |
Any certificates you want to use with your SAML software are uploaded via the administrative interface. You can upload multiple certificates for different purposes or to facilitate the controlled rollover of expired certificates. For detailed guidelines on the rollover process, refer to the Certificate Migration topic.
Discovery
(refer to the User Interface Elements for IdPs)
Discovery Endpoints at the SP
<idpdisc:DiscoveryResponse>
Service Endpoints
(address the namespace issue)
Service Endpoints at the IdP
<md:SingleSignOnService>
Service Endpoints at the SP
<md:AssertionConsumerService>
Contacts
.
The metadata submitted by the site administrator is vetted and approved by the InCommon Registration Authority (RA). Since the SAML protocol depends on the proper use of metadata, the RA checks the correctness and integrity of what is submitted by the site administrator. In particular, the RA checks that the entity ID and endpoints in metadata meet certain basic requirements.
InCommon also incorporates metadata administered by other federations. See Interfederation and eduGAIN for more information.
Federation Manager
A web interface called the Federation Manager is used to administer InCommon metadata. The interface supports both IdP and SP metadata. The elements of each are referenced in the following sections.
IdP Metadata Elements
| Div | ||
|---|---|---|
| ||
|
The following elements are called out in IdP metadata.
- Entity ID
- Scope
- X.509 Certificates
- User Interface Elements
- Error Handling URL
- SAML Protocol Endpoints
- Contacts
For IdP deployments based on the Shibboleth software, there is valuable information in the Shibboleth wiki regarding metadata for the Shibboleth IdP.
For a discussion of the desirability of registering test IdPs in metadata, see Test IdPs in Metadata.
SP Metadata Elements
| Div | ||
|---|---|---|
| ||
|
The following elements are called out in SP metadata.
- Entity ID
- X.509 Certificates
- User Interface Elements
- Requested Attributes
- SAML Protocol Endpoints
- Contacts
For SP deployments based on the Shibboleth software, there is valuable information in the Shibboleth wiki regarding metadata for the Shibboleth SP.
...
| Attachments |
|---|
<md:ContactPerson>