
I am implementing an SP-initiated web browser SAML SSO profile.
My application is the SP.
The customers ask me to supply them with a metadata file.
I have a Shibboleth metadata file I used for testing my application against a local Shibboleth IdP server.
Now, when I sent this file to a non-Shibboleth customer, he said that this file is a Shibboleth file and that he needs a different one.
My question is:

Is there a standard SP metadata file I can use which will fit all customers, no matter what IdP they are using?

I found an example:

<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="_z7b6d339da96016iib0ed98ed476er3d7ae4dct5"
    entityID="https://my.application.sp/login">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509SubjectName>CN=my.application.sp</ds:X509SubjectName>
          <ds:X509Certificate>--my certificate--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>--my certificate--</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://my.application.sp/handleLogin" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Is this enough?
Can I use this as general metadata for all IdPs?

Thanks


1 Answer


The sp.xml is constrained by SAML, which is an open protocol, so there's no such thing as "Shibboleth metadata": it is SAML metadata as used by Shibboleth.

The various details have to be negotiated between the two parties, e.g. you have specified HTTP-POST.

What if the IdP prefers HTTP-Redirect?

What if they want the nameid-format to be persistent rather than transient, and so on?

Or your certificate might be 1024-bit instead of 2048-bit?

The metadata as it pertains to SAML can be used as a general example but it probably won't meet all the individual IDP requirements.
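As an added example (it is not part of the question or of the answer above), the following Python script does the two things the answer implies you will end up doing: generate SP metadata from the parameters a particular IdP operator dictates (ACS binding and URL, NameID format, whether AuthnRequests are signed, optional logout endpoint, certificate), and lint any SP metadata file for the points an operator typically sends back, including the file in the question. It uses only the standard library. The `/logout` URL, the "customer A" profile and `FAKE_CERT_B64` are constructed placeholders; the certificate check is a shape check only (valid base64 whose first byte is an ASN.1 SEQUENCE tag), so key size, which the answer also mentions, is not verified here because that needs a real X.509 parser.

```python
"""Generate per-IdP SAML 2.0 SP metadata and lint an SP metadata file.

Added example, standard library only. Entity IDs, URLs and the certificate
bytes below are constructed placeholders, not a real deployment.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-in for a base64 DER certificate (a 5-byte ASN.1 SEQUENCE)
# so the example runs offline; substitute your real SP certificate.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def _key_descriptor(parent, use, cert_b64):
    """Append <md:KeyDescriptor use=...> carrying one X509Certificate."""
    kd = ET.SubElement(parent, f"{{{MD}}}KeyDescriptor", use=use)
    ki = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(ki, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64


def build_sp_metadata(entity_id, acs, cert_b64, nameid_formats,
                      authn_requests_signed=True, want_assertions_signed=True,
                      slo=None):
    """Serialize an SPSSODescriptor tailored to one IdP's requirements.

    acs: list of (binding, location), emitted in index order (index 0 is default).
    slo: optional (binding, location) for SingleLogoutService.
    Child order follows the metadata schema: KeyDescriptor, SingleLogoutService,
    NameIDFormat, AssertionConsumerService.
    """
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor",
                       AuthnRequestsSigned=str(authn_requests_signed).lower(),
                       WantAssertionsSigned=str(want_assertions_signed).lower(),
                       protocolSupportEnumeration=SAML2P)
    _key_descriptor(sp, "signing", cert_b64)
    _key_descriptor(sp, "encryption", cert_b64)
    if slo is not None:
        ET.SubElement(sp, f"{{{MD}}}SingleLogoutService",
                      Binding=slo[0], Location=slo[1])
    for fmt in nameid_formats:
        ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = fmt
    for i, (binding, location) in enumerate(acs):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                      Binding=binding, Location=location, index=str(i),
                      isDefault="true" if i == 0 else "false")
    return ET.tostring(ed, encoding="unicode")


def _looks_like_der_cert(cert_b64):
    """Shape check only: valid base64 whose first byte is an ASN.1 SEQUENCE tag."""
    try:
        der = base64.b64decode("".join(cert_b64.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 2 and der[0] == 0x30


def lint_sp_metadata(xml_text):
    """Return the points an IdP operator would reject or come back to negotiate."""
    issues = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        issues.append("missing entityID")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return issues + ["no md:SPSSODescriptor"]
    if SAML2P not in sp.get("protocolSupportEnumeration", "").split():
        issues.append("protocolSupportEnumeration does not list SAML 2.0")
    if sp.get("AuthnRequestsSigned") != "true":
        issues.append("AuthnRequestsSigned is not true (IdP cannot authenticate requests)")
    if sp.get("WantAssertionsSigned") != "true":
        issues.append("WantAssertionsSigned is not true")
    signing_ok = False
    cert_path = f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")  # absent 'use' means the key serves both purposes
        if not _looks_like_der_cert((kd.findtext(cert_path) or "").strip()):
            issues.append(f"KeyDescriptor use={use}: X509Certificate is not base64 DER")
        elif use in (None, "signing"):
            signing_ok = True
    if not signing_ok:
        issues.append("no usable signing certificate")
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    if not any(a.get("Binding") == HTTP_POST for a in acs):
        issues.append("no HTTP-POST AssertionConsumerService")
    for a in acs:
        if not (a.get("Location") or "").startswith("https://"):
            issues.append(f"AssertionConsumerService index {a.get('index')} is not https")
    if sp.find(f"{{{MD}}}NameIDFormat") is None:
        issues.append("no NameIDFormat advertised")
    return issues


# Constructed profile for a hypothetical customer IdP that wants persistent
# NameIDs, signed AuthnRequests and logout over HTTP-Redirect.
CUSTOMER_A = dict(
    entity_id="https://my.application.sp/login",
    acs=[(HTTP_POST, "https://my.application.sp/handleLogin")],
    cert_b64=FAKE_CERT_B64,
    nameid_formats=[NAMEID_PERSISTENT, NAMEID_TRANSIENT],
    slo=(HTTP_REDIRECT, "https://my.application.sp/logout"),
)

if __name__ == "__main__":
    print(build_sp_metadata(**CUSTOMER_A))
    print(lint_sp_metadata(build_sp_metadata(**CUSTOMER_A)))
```

Run against the metadata in the question, `lint_sp_metadata` flags `AuthnRequestsSigned="false"` and the two placeholder certificates; run against the output of `build_sp_metadata(**CUSTOMER_A)` it returns an empty list. Keep one such profile per customer rather than one file for everyone, and regenerate the file when the certificate rolls.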