Every Identity Provider's metadata will contain an <IDPSSODescriptor> element, which contains multiple pieces of information about the IdP, including:

  • errorURL
  • protocolSupportEnumeration
  • <Scope>
  • <UIInfo>
  • <KeyDescriptor>
  • <SingleSignOnService>

Note that errorURL and protocolSupportEnumeration are not elements in the metadata schema; rather, they are XML attributes of the <IDPSSODescriptor> element itself, as the example below shows.

Example:

<IDPSSODescriptor errorURL="https://webauth.example.edu/support.html"
protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
  <Extensions>
    <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
    <mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
      <mdui:InformationURL xml:lang="en">https://webauth.example.edu/info.html</mdui:InformationURL>
      <mdui:PrivacyStatementURL xml:lang="en">https://webauth.example.edu/disclosurepolicy.pdf</mdui:PrivacyStatementURL>
      <mdui:Logo height="83" width="83" xml:lang="en">https://webauth.example.edu/mdui.png</mdui:Logo>
    </mdui:UIInfo>
  </Extensions>
  <KeyDescriptor use="signing">
    <ds:KeyInfo>
      <!-- A standard OASIS <KeyInfo> element, as defined in
           XML Signature Syntax and Processing -->
    </ds:KeyInfo>
  </KeyDescriptor>
  <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://webauth.service.example.edu/idp/profile/Shibboleth/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://webauth.service.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://webauth.service.example.edu/idp/profile/SAML2/POST/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://webauth.service.example.edu/idp/profile/SAML2/POST-SimpleSign/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://webauth.service.example.edu/idp/profile/SAML2/SOAP/ECP"/>
</IDPSSODescriptor>
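The following Python script is an added example; it is not code from this page or from the Shibboleth project. It parses a descriptor shaped like the one above with the standard library's ElementTree and runs the checks an SP operator would want before trusting the IdP: a KeyDescriptor usable for signing is present, every SingleSignOnService Location is https, SAML 2.0 is among the advertised protocols, and the advertised Scope is one the IdP is actually allowed to assert. The embedded metadata is constructed from the page's example and wrapped in an EntityDescriptor so that the md, shibmd, mdui and ds prefixes are declared; the entityID, the certificate placeholder, and the HTTP-POST endpoint (deliberately changed to plain http so the checker has something to report) are assumptions made for the demonstration.

```python
"""Parse an <IDPSSODescriptor> and run a few deployer sanity checks on it.

Added example; not code from the original page or from the Shibboleth project.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Namespaces of the elements shown on the page: SAML 2.0 metadata, the
# Shibboleth metadata extension (Scope), the OASIS UI extension (UIInfo)
# and XML Signature (KeyInfo).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample based on the page's example. Assumptions: the entityID,
# the certificate placeholder, and the HTTP-POST endpoint, which is
# deliberately plain http so that check_idp() reports it.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://webauth.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor errorURL="https://webauth.example.edu/support.html"
      protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
      </mdui:UIInfo>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://webauth.service.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://webauth.service.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpDescriptor:
    entity_id: Optional[str]
    error_url: Optional[str]
    protocols: List[str]              # tokens of protocolSupportEnumeration
    scopes: List[Tuple[str, bool]]    # (scope value, regexp flag)
    display_names: Dict[str, str]     # xml:lang -> DisplayName
    signing_keys: int                 # KeyDescriptors usable for signing
    sso_endpoints: Dict[str, str]     # Binding -> Location


def parse_idp(xml_text: str) -> IdpDescriptor:
    """Extract the attributes and child elements the page describes."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    scopes = [
        ((s.text or "").strip(), s.get("regexp", "false") == "true")
        for s in idp.findall("md:Extensions/shibmd:Scope", NS)
    ]
    names = {
        n.get(XML_LANG, ""): (n.text or "").strip()
        for n in idp.findall("md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    }
    # A KeyDescriptor without a 'use' attribute is valid for both signing
    # and encryption, so it counts as a signing key as well.
    signing = sum(
        1 for k in idp.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "signing")
    )
    endpoints = {
        e.get("Binding", ""): e.get("Location", "")
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    return IdpDescriptor(
        entity_id=root.get("entityID"),
        error_url=idp.get("errorURL"),
        protocols=(idp.get("protocolSupportEnumeration") or "").split(),
        scopes=scopes,
        display_names=names,
        signing_keys=signing,
        sso_endpoints=endpoints,
    )


def check_idp(d: IdpDescriptor, allowed_scopes: set) -> List[str]:
    """Return the problems an SP operator should resolve before trusting this IdP."""
    problems: List[str] = []
    if d.signing_keys == 0:
        problems.append("no signing KeyDescriptor: assertions from this IdP cannot be verified")
    if "urn:oasis:names:tc:SAML:2.0:protocol" not in d.protocols:
        problems.append("IdP does not advertise SAML 2.0 protocol support")
    for binding, location in d.sso_endpoints.items():
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https: {location}")
    for value, is_regexp in d.scopes:
        if is_regexp:
            problems.append(f"regexp scope {value!r}: review by hand before accepting scoped attributes")
        elif value not in allowed_scopes:
            problems.append(f"scope {value!r} is not one this IdP is allowed to assert")
    return problems


if __name__ == "__main__":
    desc = parse_idp(SAMPLE_METADATA)
    print(desc.entity_id, desc.display_names.get("en"), desc.scopes)
    for problem in check_idp(desc, {"example.edu"}):
        print("PROBLEM:", problem)
```

The scope check matters because an SP normally trusts scoped attributes (eduPersonPrincipalName and the like) only for the scopes listed in the IdP's metadata; an IdP whose metadata advertises a scope it does not own could assert identities for another institution. Metadata from outside your own control should have its XML signature verified before any of these values are used, and untrusted XML is better parsed with defusedxml than with the standard library parser used here for brevity.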

For more information, see saml-metadata-idp-sso-settings.
