The requirements for service provider metadata for integrating with the Enterprise Authentication Service are below. They provide a number of critical benefits, including greatly reducing the time needed to configure the integration and allowing service providers to be the owners of their own contact information.

| # | Title | User Story | Importance | Notes |
|---|---|---|---|---|
| 1 | Metadata has encryption certificate | This enables SAML assertions to be encrypted within the SAML response. | Must have [1] | See SP Signing and Back-Channel TLS Keys and Certificates. |
| 2 | Metadata has signing certificate | This ensures that communicating entities can verify each other's identity programmatically. | Must have [1] | See SP Encryption Key and Certificate. |
| 3 | Metadata passes schema validation | This ensures metadata interoperability as we process it and enables future extensibility for other metadata-managing services we may employ. | Must have | Customer metadata must be schema-valid according to https://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd. One way to validate is to use the XMLSecTool. |
| 4 | Metadata is signed | Provides additional security around the metadata source. | Nice to have | See Signature Verification. |
| 5 | Contacts and Organization | These contacts will be our source of contact information. This is how we will contact service owners regarding their SSO integration with Enterprise Authentication. | Must have | See Contacts and Organizations. |
| 6 | Service Provider is part of a federation that we consume | This reduces the overhead of managing metadata. It also guarantees compliance with the above requirements. | Nice to have | See https://www.incommon.org/federation/ |
| 7 | Metadata requests attributes | This supports metadata-driven configuration. | Future enhancement | |
Metadata correctness guidelines and examples can be found at https://shibboleth.atlassian.net/wiki/spaces/CONCEPT/pages/928645443/MetadataCorrectness.
An example of correct SAML Service Provider metadata can be found below:

```xml
<!--
This is example metadata only. Do *NOT* supply it as is without review,
and do *NOT* provide it in real time to your partners.
-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_704b290905168a2ef396515bbd747f8f708ae617" entityID="https://sp/shibboleth">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_704b290905168a2ef396515bbd747f8f708ae617">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>gtM96qHZFK5YHSlRy1ALfkcWluORgDWzTfPmoH/beJI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>ZV1n2mnSWyWSqBgIjmBLwCQqUy+P8/qSL/YHytQdSV3Gg4Ob+204Gknd4sMBCQ5j
ItW/XYWlOnPLJnCCL5by/7h88wyG1oDKJ338xoPN2PJHns+Nc9rM52fI0B+FV72k
mengyGy2GOzHukLC42alN2r7Yi5+e4yHdZCrWL8ehYGwCA2M5oR1MYK5bZ9NDjb9
2sYOTunj8T+vwRRPMA/dVgHPbyxQjIoMS2kE5Ux9nmAT7FwbWPCtPjx5RW2JDBk1
uXbC+N+TL+zmp5dJMBIaNYI++0WJsgy2znLvZnmsgZxuswnK4oEpoJk52BCplXUx
67kJQm9pktIbuLuHsenSGmuQa34ov7c7Z//Tc6V93bNKuakvAwAKgi0eyKt+zfXe
imRt0HMczkbOH5M1KvpG9zgRbFmlUfCi6WQBP94aVm6V9v7lYj40FhxZI1hKklF9
e919mKB3IIkqtjd+pMJQM6LkVvK8AmKTz7Dujm/JKut+ZXoVMsYHYItQURkTmML9</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:KeyName>sp.testbed.local</ds:KeyName>
      <ds:X509Data>
        <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName>
        <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAMGsmas5mr4mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sp:8443/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp:8443/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>sp.testbed.local</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName>
          <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAMGsmas5mr4mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>sp.testbed.local</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName>
          <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAJBhFGKTN2BDMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp:8443/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp:8443/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp:8443/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp:8443/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp:8443/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp:8443/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp:8443/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp:8443/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
      <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
      <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">My Organization Name</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">My Organization Display Name</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.utexas.edu</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Same as Technical Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Support Team</md:GivenName>
    <md:EmailAddress>support@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="other"
      xmlns:remd="http://refeds.org/metadata" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```
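A structural pre-check of SP metadata against requirements 1, 2, 4, 5 and 7 above, added here as an example; it is not part of the original page and not a UT or Shibboleth tool. It assumes Python 3 with only the standard library and a constructed sample entity, and it does not replace XSD validation with XMLSecTool (requirement 3) or cryptographic verification of the metadata signature.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_CONTACTS = {"technical", "administrative", "support"}
# SHA-1 signature algorithms are deprecated for SAML; flag them rather than accept them silently.
SHA1_SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1", "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}

def check_sp_metadata(xml_text: str) -> dict:
    """Map each requirement to 'ok' or a short description of what is missing or weak."""
    # ElementTree is fine for metadata you already trust; parse untrusted uploads with a hardened parser.
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"sp_descriptor": "missing md:SPSSODescriptor"}
    findings = {}
    # Requirements 1 and 2: a certificate usable for signing and one for encryption. A KeyDescriptor
    # with no 'use' attribute serves both roles (see the footnote), so a use of None satisfies both.
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)
            if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None}
    for role in ("signing", "encryption"):
        findings[role + "_certificate"] = "ok" if role in uses or None in uses else "no KeyDescriptor usable for " + role
    # Requirement 4 (nice to have): is the EntityDescriptor signed, and with a current algorithm?
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is None:
        findings["metadata_signed"] = "not signed (nice to have)"
    elif sig_method.get("Algorithm") in SHA1_SIG_ALGS:
        findings["metadata_signed"] = "signed, but with a deprecated SHA-1 algorithm"
    else:
        findings["metadata_signed"] = "ok"
    # Requirement 5: Organization plus technical, administrative and support contacts with an e-mail address.
    findings["organization"] = "ok" if root.find("md:Organization/md:OrganizationName", NS) is not None else "missing md:Organization"
    present = {c.get("contactType") for c in root.findall("md:ContactPerson", NS) if c.findtext("md:EmailAddress", namespaces=NS)}
    missing = REQUIRED_CONTACTS - present
    findings["contacts"] = "ok" if not missing else "missing contacts: " + ", ".join(sorted(missing))
    # Requirement 7 (future enhancement): does the SP declare the attributes it needs?
    has_attrs = sp.find("md:AttributeConsumingService/md:RequestedAttribute", NS) is not None
    findings["requests_attributes"] = "ok" if has_attrs else "no RequestedAttribute elements"
    return findings

# Constructed sample, not the page's metadata: one dual-use key, unsigned, no support contact, no requested attributes.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
  <md:Organization><md:OrganizationName xml:lang="en">Example Org</md:OrganizationName></md:Organization>
  <md:ContactPerson contactType="technical"><md:EmailAddress>tech@example.org</md:EmailAddress></md:ContactPerson>
  <md:ContactPerson contactType="administrative"><md:EmailAddress>tech@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""
```

Running `check_sp_metadata(SAMPLE)` reports both certificate requirements satisfied by the single dual-use KeyDescriptor, the missing signature and support contact, and the absent RequestedAttribute elements.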
Footnotes

[1] Some SAML SPs use the same certificate for signing and encryption. This is not uncommon and is allowed by the SAML specification. Of those SPs, some combine both uses into a single KeyDescriptor element in their metadata. This is also valid per the specification and does meet the Customer Metadata Requirements. Please refer to Encryption KeyDescriptor Type for more information.