Metadata Administration
This page is for site administrators responsible for creating and maintaining SAML metadata on behalf of their organization.
The metadata submitted by the site administrator is vetted and approved by the InCommon Registration Authority (RA). Since the security of the SAML protocol depends on the proper use of metadata, the RA checks the correctness and integrity of what is submitted by the site administrator. In particular, the RA checks that the certificates and endpoints in metadata meet certain basic requirements. For instance, all URIs in metadata are expected to be rooted in the primary DNS domain of the submitting organization. If not, a manual vetting process is triggered.
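The "rooted in the primary DNS domain" check described above can be expressed as a small pre-submission script, so a site administrator can catch a stray off-domain endpoint before the RA does. The following is an added example, not InCommon or Federation Manager code: it parses a constructed SAML EntityDescriptor, collects the entityID and every endpoint Location/ResponseLocation, and reports any http(s) URI whose host is not the primary domain or a subdomain of it. The Scope handling (a non-regexp Scope must also sit inside the primary domain; regexp Scopes are flagged for manual review) is this example's assumption about what the RA would look at, not a rule quoted from the page. The sample metadata, the organization domain example.edu and the hostname sso.hosting-vendor.example.net are all constructed.

```python
"""Pre-submission check: are all URIs in a SAML EntityDescriptor rooted in the
submitting organization's primary DNS domain? (Added example; constructed data.)"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed sample IdP metadata. The HTTP-POST SSO endpoint deliberately lives
# outside example.edu so the check has something to report.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    </md:Extensions>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.hosting-vendor.example.net/saml2/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _in_domain(host, domain):
    """True if host equals domain or is a proper subdomain of it.
    Requiring the leading dot rejects look-alikes such as notexample.edu."""
    return host == domain or host.endswith("." + domain)


def _is_rooted(uri, domain):
    """True if uri is an http(s) URL whose host lies inside domain.
    Non-URL identifiers (e.g. a urn: entityID) cannot be rooted in a DNS domain
    and are therefore reported for manual vetting."""
    if not uri:
        return False
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    return _in_domain(parsed.hostname.lower(), domain)


def find_uris(metadata_xml):
    """Return (label, uri) pairs: the entityID plus every Location and
    ResponseLocation attribute anywhere in the descriptor."""
    root = ET.fromstring(metadata_xml)
    uris = [("entityID", root.get("entityID"))]
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip the namespace URI
        for attr in ("Location", "ResponseLocation"):
            if el.get(attr):
                uris.append((f"{local_name}/{attr}", el.get(attr)))
    return uris


def vet_metadata(metadata_xml, primary_domain):
    """Return a list of findings (strings). An empty list means every URI is rooted
    in primary_domain; anything else is what would trigger manual vetting."""
    domain = primary_domain.lower()
    findings = []
    for label, uri in find_uris(metadata_xml):
        if not _is_rooted(uri, domain):
            findings.append(f"{label}: {uri} is not rooted in {domain}")
    root = ET.fromstring(metadata_xml)
    for scope in root.iterfind(".//shibmd:Scope", NS):
        value = (scope.text or "").strip().lower()
        if scope.get("regexp") == "true":
            findings.append(f"Scope: regexp scope {value!r} needs manual review")
        elif not _in_domain(value, domain):
            findings.append(f"Scope: {value} is not inside {domain}")
    return findings


if __name__ == "__main__":
    for finding in vet_metadata(SAMPLE_METADATA, "example.edu") or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports only the hosting-vendor endpoint; replacing that host with one under example.edu yields no findings. Note the check is deliberately strict about the leading dot, so a host such as example.edu.attacker.example or notexample.edu is reported rather than accepted.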
Federation Manager
A web interface called the Federation Manager is used to administer InCommon metadata. The interface supports both IdP and SP metadata; the metadata elements of each are listed in the sections that follow.
For reference, a sample interface for new IdPs is attached to this wiki page. Likewise a sample interface for new SPs is attached.
IdP Metadata Elements
The following elements are called out in IdP metadata.
- Entity ID
- Scope
- X.509 Certificates
- User Interface Elements
- Error Handling URL
- SAML Protocol Endpoints
- Contacts
For IdP deployments based on the Shibboleth software, there is valuable information in the shib wiki regarding metadata for the Shibboleth IdP.
SP Metadata Elements
The following elements are called out in SP metadata.
- Entity ID
- X.509 Certificates
- User Interface Elements
- Requested Attributes
- SAML Protocol Endpoints
- Contacts
For SP deployments based on the Shibboleth software, there is valuable information in the shib wiki regarding metadata for the Shibboleth SP.
InCommon Extension Schema
InCommon has defined a small set of extensions to SAML metadata where necessary. An XML extension schema is provided.