The InCommon Federation wiki has moved. Please visit the new InCommon Federation Library wiki for updated content.

(This is an old version of this page: Version 5.)

Metadata Administration

This page is for metadata administrators responsible for creating and maintaining SAML metadata on behalf of their organization. For a high-level overview of InCommon Federation metadata, please visit our web site.

Metadata Elements

Entity ID

The first step is to choose an entity ID for each SAML entity to be deployed. An entity ID is an absolute URI (in practice, usually an https URL under a DNS domain your organization controls). Choose these names with care: once an entity ID is published in federation metadata, partners key their configuration (attribute release, trust) on it, so changing it later is disruptive and difficult.

Scope

The IdP uses a scope to qualify certain user attributes, for example eduPersonPrincipalName, whose values take the form user@scope. Scoped attribute values are globally unique provided the scope is carefully chosen and each IdP asserts only the scopes it is authoritative for. By convention, the scope is the primary DNS domain of the IdP's organization. The scope is published in the IdP's metadata so that an SP can reject a scoped value whose scope the asserting IdP is not entitled to use.
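As an added example (not part of the original page), here is how a metadata consumer uses the two elements above. It assumes the Shibboleth `shibmd:Scope` extension that InCommon metadata uses to publish an IdP's scopes, constructed sample metadata with a placeholder entityID, hostname and scopes, and Python's standard library only. `entity_id_ok` applies the metadata schema's constraints on an entity ID (an absolute URI of at most 1024 characters), and `check_scoped_attribute` is the SP-side check that a scoped value such as eduPersonPrincipalName only carries a scope the IdP is allowed to assert.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample IdP metadata: the entityID, hostname and scopes are
# placeholders chosen for this example, not any real InCommon entity.
IDP_METADATA = r"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z0-9-]+\.example\.edu$</shibmd:Scope>
    </md:Extensions>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_id_ok(entity_id):
    """SAML metadata requires an absolute URI of at most 1024 characters."""
    if not entity_id or len(entity_id) > 1024 or any(c.isspace() for c in entity_id):
        return False
    parts = urlsplit(entity_id)
    return bool(parts.scheme) and (bool(parts.netloc) or bool(parts.path))


def load_idp(metadata_xml):
    """Return (entityID, [(scope, is_regexp), ...]) from the IdP role in metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    scopes = []
    for s in root.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
        scopes.append(((s.text or "").strip(), s.get("regexp", "false").lower() == "true"))
    return entity_id, scopes


def scope_allowed(scopes, scope):
    """True if the IdP's metadata declares it authoritative for `scope`.
    Literal scopes compare case-insensitively (they are DNS names); regexp
    scopes are applied as published and must match the whole value."""
    scope = scope.lower()
    for declared, is_regexp in scopes:
        if is_regexp:
            if re.fullmatch(declared, scope):
                return True
        elif declared.lower() == scope:
            return True
    return False


def check_scoped_attribute(scopes, value):
    """Accept a scoped value ('user@scope') only when its scope is one the IdP
    may assert. Values without exactly one '@' are rejected as ambiguous, a
    conservative choice made for this example."""
    if value.count("@") != 1:
        return False
    local, scope = value.split("@")
    return bool(local) and bool(scope) and scope_allowed(scopes, scope)


if __name__ == "__main__":
    eid, scopes = load_idp(IDP_METADATA)
    print(eid, "valid entityID:", entity_id_ok(eid))
    for v in ("alice@example.edu", "bob@cs.example.edu", "mallory@other.edu"):
        print(v, "->", "accept" if check_scoped_attribute(scopes, v) else "reject")
```

The scope check is what stops one federation member's IdP from asserting identifiers in another member's domain: without it, any IdP in the federation could mint `president@other.edu` and the SP would have no way to notice.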

User Interface Elements

Requested Attributes

X.509 Certificates

A SAML entity uses public key cryptography to secure the data transmitted to trusted partners. Public keys are published in metadata in the form of X.509 certificates, whereas the corresponding private keys are held securely by the SAML entity and never published. These keys are used for message-level signing and encryption, and to authenticate the secure channels over which SAML messages are transported.

SSL/TLS Certificates

In addition to message-level signing and encryption, the X.509 certificates in metadata are used to authenticate SSL/TLS back-channel SOAP exchanges (for example, attribute queries or artifact resolution), typically on a nonstandard port such as 8443. These certificates are not the same as, and have nothing to do with, the SSL/TLS certificates used for browser-facing transactions over port 443. The latter are validated by the browser against its own trust store and are not contained in metadata.

Any certificates you want to use with your SAML software are uploaded via the administrative interface. Typically only one certificate is needed, but multiple certificates may be uploaded and used as needed. For instance, multiple certificates are published to facilitate the controlled rollover of a certificate and its key (for example, before the certificate expires or when the key must be replaced). For detailed guidelines on the rollover process, refer to the Certificate Migration topic.
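An added example, not from the page or the Shibboleth project: pulling the certificates out of `md:KeyDescriptor` elements and applying explicit-key trust to them, which is the trust model the paragraphs above describe. The metadata is constructed for this example (placeholder entityID and hostname) and shows a rollover in progress; the certificate values are tiny placeholder DER blobs built by `placeholder_cert`, not real X.509 certificates, so that the block runs offline with the standard library. `der_sequence_ok` is only a structural sanity check on the decoded bytes, not certificate parsing.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def placeholder_cert(label):
    """Build a tiny DER SEQUENCE standing in for a certificate so the example
    runs offline. It is NOT an X.509 certificate; real metadata carries full
    certificates in the X509Certificate element."""
    body = b"\x04" + bytes([len(label)]) + label
    return base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()


# Constructed sample IdP metadata in the middle of a key rollover: the old
# signing certificate is still published, the new one (no `use` attribute, so
# it serves both signing and encryption) has been added, and a separate
# encryption-only certificate is listed. entityID and hostname are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {placeholder_cert(b"OLD-SIGNING")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {placeholder_cert(b"NEW-BOTH")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {placeholder_cert(b"ENCRYPTION-ONLY")}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def der_sequence_ok(der):
    """Sanity check: one DER SEQUENCE (tag 0x30) whose declared length covers
    exactly the whole blob, which is the outer shape of any X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        header, length = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def placeholder_fingerprint(label):
    return fingerprint(base64.b64decode(placeholder_cert(label)))


def load_keys(metadata_xml, role="IDPSSODescriptor"):
    """Return [(use, sha256_fingerprint)] for every certificate in the role.
    `use` is 'signing', 'encryption' or None; None means both."""
    root = ET.fromstring(metadata_xml)
    keys = []
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        use = kd.get("use")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Base64 in metadata is usually line-wrapped; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            if not der_sequence_ok(der):
                raise ValueError("X509Certificate element does not hold a DER SEQUENCE")
            keys.append((use, fingerprint(der)))
    return keys


def signing_fingerprints(keys):
    return {fp for use, fp in keys if use in (None, "signing")}


def encryption_fingerprints(keys):
    return {fp for use, fp in keys if use in (None, "encryption")}


def signer_trusted(keys, presented_cert_b64):
    """Explicit-key trust: a certificate a peer presents (in a signed message's
    KeyInfo, or as its back-channel TLS certificate) is trusted only if it is
    byte-for-byte one of the signing certificates in the peer's metadata.
    No CA chain is built and no CA is consulted."""
    der = base64.b64decode("".join(presented_cert_b64.split()), validate=True)
    return fingerprint(der) in signing_fingerprints(keys)


if __name__ == "__main__":
    keys = load_keys(IDP_METADATA)
    print(len(signing_fingerprints(keys)), "signing certs,",
          len(encryption_fingerprints(keys)), "encryption certs")
    print("old signing cert still trusted:", signer_trusted(keys, placeholder_cert(b"OLD-SIGNING")))
```

Because trust is anchored in metadata rather than in a CA, a partner keeps accepting your old signing key for exactly as long as its certificate stays in metadata, which is what makes a controlled rollover possible: publish the new certificate alongside the old one, switch the private key, then remove the old certificate. The same logic means a certificate's validity dates carry no weight in this trust model; what matters is whether the key is still published.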

Discovery

(refer to the User Interface Elements for IdPs)

Discovery Endpoints at the SP

<idpdisc:DiscoveryResponse> (namespace urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol), an indexed endpoint published in the SP's metadata extensions, as defined by the Identity Provider Discovery Service Protocol and Profile:

http://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile

Service Endpoints

(address the namespace issue)

Service Endpoints at the IdP

<md:SingleSignOnService>

Service Endpoints at the SP

<md:AssertionConsumerService>
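An added example (not the page's or the Shibboleth project's code) of the checks an IdP and a discovery service apply to the endpoints above, using constructed SP metadata with a placeholder entityID and hostname. `select_acs` chooses the AssertionConsumerService a Response goes to and refuses any index, URL or binding from an AuthnRequest that the SP has not published in metadata; `discovery_return_allowed` accepts a discovery `return` URL only if its scheme, host and path match a published DiscoveryResponse Location. Ignoring the query string in that comparison and insisting on https are policies chosen for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed sample SP metadata: entityID and hostname are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.org/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _sp_role(metadata_xml):
    role = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no SPSSODescriptor in metadata")
    return role


def assertion_consumer_services(metadata_xml):
    """Every ACS endpoint the SP has published, as attribute dicts sorted by index."""
    role = _sp_role(metadata_xml)
    acs = [dict(e.attrib) for e in role.findall("md:AssertionConsumerService", NS)]
    return sorted(acs, key=lambda a: int(a["index"]))


def select_acs(metadata_xml, requested_url=None, requested_binding=None, requested_index=None):
    """IdP side: pick the endpoint the Response will be delivered to. Whatever the
    AuthnRequest asks for (AssertionConsumerServiceIndex, AssertionConsumerServiceURL,
    ProtocolBinding) must match an endpoint in the SP's metadata; otherwise return
    None and the IdP must refuse rather than send an assertion to an unknown URL."""
    candidates = assertion_consumer_services(metadata_xml)
    if requested_index is not None:
        for a in candidates:
            if int(a["index"]) == int(requested_index):
                return a
        return None
    if requested_binding is not None:
        candidates = [a for a in candidates if a["Binding"] == requested_binding]
    if requested_url is not None:
        candidates = [a for a in candidates if a["Location"] == requested_url]
        return candidates[0] if candidates else None
    for a in candidates:
        if a.get("isDefault", "false").lower() == "true":
            return a
    return candidates[0] if candidates else None


def discovery_return_allowed(metadata_xml, return_url):
    """Discovery service side: only redirect the browser to a `return` URL whose
    scheme, host and path equal a DiscoveryResponse Location in the SP's metadata.
    The query string (e.g. SAMLDS, target) is ignored for the comparison."""
    wanted = urlsplit(return_url)
    if wanted.scheme != "https":
        return False
    for dr in _sp_role(metadata_xml).findall("md:Extensions/idpdisc:DiscoveryResponse", NS):
        published = urlsplit(dr.get("Location", ""))
        if (wanted.scheme, wanted.netloc, wanted.path) == (published.scheme, published.netloc, published.path):
            return True
    return False


if __name__ == "__main__":
    print("default ACS:", select_acs(SP_METADATA)["Location"])
    print("rogue ACS accepted:", select_acs(SP_METADATA, requested_url="https://attacker.example/acs") is not None)
    print("return to SP ok:", discovery_return_allowed(SP_METADATA, "https://sp.example.org/Shibboleth.sso/Login?SAMLDS=1"))
```

Without the ACS check, anyone able to craft an AuthnRequest could have the IdP deliver a user's assertion to a URL of their choosing; without the DiscoveryResponse check, the discovery service is an open redirector. Both checks only work because the endpoints are in metadata and the metadata itself is trusted.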

Contacts

<md:ContactPerson>
