[shibboleth-sp2] 06/29: https://issues.shibboleth.net/jira/browse/SSPCPP-364

Ferenc Wágner wferi-guest at moszumanska.debian.org
Tue Jan 26 21:30:25 UTC 2016


This is an automated email from the git hooks/post-receive script.

wferi-guest pushed a commit to annotated tag 2.4.3
in repository shibboleth-sp2.

commit 9d551a1dfb6148210a35005fb6167f8a356f2834
Author: Scott Cantor <cantor.2 at osu.edu>
Date:   Fri Jun 10 17:08:00 2011 +0000

    https://issues.shibboleth.net/jira/browse/SSPCPP-364
---
 configs/example-metadata.xml | 107 +++++++++++++++++--------------------------
 1 file changed, 42 insertions(+), 65 deletions(-)

diff --git a/configs/example-metadata.xml b/configs/example-metadata.xml
index be7bf43..1b99d15 100644
--- a/configs/example-metadata.xml
+++ b/configs/example-metadata.xml
@@ -14,8 +14,11 @@ metadata to you properly.
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
-    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
-    validUntil="2010-01-01T00:00:00Z"
+    xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata saml-schema-metadata-2.0.xsd
+                        urn:mace:shibboleth:metadata:1.0 shibboleth-metadata-1.0.xsd
+                        urn:oasis:names:tc:SAML:metadata:ui sstc-saml-metadata-ui-v1.0.xsd
+                        http://www.w3.org/2000/09/xmldsig# xmldsig-core-schema.xsd"
+    validUntil="2020-01-01T00:00:00Z"
     entityID="https://idp.example.org/shibboleth">
     <!--
     The entityID above looks like a location, but it's actually just a name.
@@ -29,49 +32,35 @@ metadata to you properly.
     like this even if you don't actually register the server in DNS using it.
     The URL does not have to resolve into anything to use it as a name, although
     it is useful if it does in fact point to your metadata. The key point is
-    for the name you choose to be stable, which is why including hostnames is
+    for the name you choose to be stable, which is why using hostnames is
     generally bad, since they tend to change.
     -->
     
     <!-- A Shibboleth 1.x and SAML 2.0 IdP contains this element with protocol support as shown. -->
     <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
         <Extensions>
-            <!-- This is a Shibboleth extension to express attribute scope rules. -->
+            <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
             <shibmd:Scope>example.org</shibmd:Scope>
+            
+            <!--
+            This is a recent OASIS-defined extension for user-interface material related to the IdP.
+            See http://wiki.oasis-open.org/security/SAML2MetadataUI for more details.
+            -->
+            <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
+                <mdui:DisplayName xml:lang="en">Identities 'R' Us</mdui:DisplayName>
+                <mdui:InformationURL xml:lang="en">https://idp.example.org/info/</mdui:InformationURL>
+                <mdui:Logo height="60" width="80" xml:lang="en">https://example.org/images/logo.png</mdui:Logo>
+                <mdui:Logo height="16" width="16" xml:lang="en">https://example.org/images/favico.png</mdui:Logo>
+            </mdui:UIInfo>
         </Extensions>
         
         <!--
         One or more KeyDescriptors tell your SP how the IdP will authenticate itself. A single
-        descriptor can be used for both signing and for server-TLS if its use attribute
-        is set to "signing". You can place an X.509 certificate directly in this element
-        to specify the public key to use. This only reflects the public half of the keypair
-        used by the IdP. A different key, or the same key, can be specified for enabling
-        the SP to encrypt XML it sends to the IdP. 
+        descriptor can be used for both signing and for server-TLS. You can place an X.509
+        certificate directly in this element to specify the public key to use. This only
+        reflects the public half of the keypair used by the IdP.
         -->
-        <KeyDescriptor use="signing">
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-
-        <KeyDescriptor use="encryption">
+        <KeyDescriptor>
             <ds:KeyInfo>
                 <ds:X509Data>
                     <ds:X509Certificate>
@@ -100,10 +89,11 @@ metadata to you properly.
             Location="https://idp.example.org:8443/shibboleth/profile/saml1/soap/ArtifactResolution"/>
 
         <!-- This tells the SP where/how to resolve SAML 2.0 artifacts into SAML messages. -->
-        <ArtifactResolutionService index="1"
+        <ArtifactResolutionService index="2"
             Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
             Location="https://idp.example.org:8443/shibboleth/profile/saml2/soap/ArtifactResolution"/>
 
+        <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 
@@ -116,15 +106,15 @@ metadata to you properly.
             Location="https://idp.example.org/shibboleth/profile/saml2/POST/SSO"/>
     </IDPSSODescriptor>
     
-    <!-- Most Shibboleth IdPs also support SAML attribute queries, so this role is also included. -->
+    <!-- Most Shibboleth IdPs also support SAML 1.x attribute queries, so this role is also included. -->
     <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
         <Extensions>
-            <!-- This is a Shibboleth extension to express attribute scope rules. -->
+            <!-- This is a Shibboleth extension to express permissible attribute scope(s). -->
             <shibmd:Scope>example.org</shibmd:Scope>
         </Extensions>
         
         <!-- The certificate has to be repeated here (or a different one specified if necessary). -->
-        <KeyDescriptor use="signing">
+        <KeyDescriptor>
             <ds:KeyInfo>
                 <ds:X509Data>
                     <ds:X509Certificate>
@@ -147,41 +137,28 @@ metadata to you properly.
             </ds:KeyInfo>
         </KeyDescriptor>
 
-        <KeyDescriptor use="encryption">
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>
-                    MIICkjCCAfugAwIBAgIJAK7VCxPsh8yrMA0GCSqGSIb3DQEBBAUAMDsxCzAJBgNV
-                    BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxl
-                    Lm9yZzAeFw0wNTA2MjAxNTUwNDFaFw0zMjExMDUxNTUwNDFaMDsxCzAJBgNVBAYT
-                    AlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9y
-                    ZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2VnUvWYrNhtRUqIxAuFmV8YP
-                    Jhr+OMKJpc/RaEs2C8mk5N5qO+ysClg2cVfkws3O4Lc15AiNdQ0s3ZijYwJK2EEg
-                    4vmoTl2RrjP1b3PK2h+VbUuYny9enHwDL+Z4bjP/8nmIKlhUSq4DTGXbwdQiWjCd
-                    lQXvDtvHRwX/TaqtHbcCAwEAAaOBnTCBmjAdBgNVHQ4EFgQUlmI7WqzIDJzcfAyU
-                    v2kmk3p9sbAwawYDVR0jBGQwYoAUlmI7WqzIDJzcfAyUv2kmk3p9sbChP6Q9MDsx
-                    CzAJBgNVBAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxGDAWBgNVBAMTD2lkcC5l
-                    eGFtcGxlLm9yZ4IJAK7VCxPsh8yrMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEE
-                    BQADgYEAsatF5gh1ZBF1QuXxchKp2BKVOsK+23y+FqhuOuVi/PTMf+Li84Ih25Al
-                    Jyy3OKc0oprM6tCJaiSooy32KTW6a1xhPm2MwuXzD33SPoKItue/ndp8Bhx/PO9U
-                    w14fpgtAk2x8xD7cpHsZ073JHxEcjEetD8PTtrFdNu6GwIrv6Sk=
-                    </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </KeyDescriptor>
-
-        <!-- This tells the SP how and where to send queries. -->
+        <!--
+        This tells the SP how and where to send queries when SAML 1.x is used.
+        The SAML 2.0 version is normally left out because attributes are pushed
+        and encrypted during SSO rather than pulled after.
+        -->
         <AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
             Location="https://idp.example.org:8443/shibboleth/profiles/saml1/soap/AttributeQuery"/>
+        <!--
         <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
             Location="https://idp.example.org:8443/shibboleth/profiles/saml2/soap/AttributeQuery"/>
-
-       <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
-       <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+        -->
+        
+        <!-- This is informational and communicates what kinds of SAML Subjects the IdP supports. -->
+        <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
+        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 
     </AttributeAuthorityDescriptor>
 
-    <!-- This is just information about the entity in human terms. -->
+    <!--
+    This is just information about the entity in human terms.
+    For user interface needs, see the new <mdui:UIInfo> extension.
+    -->
     <Organization>
         <OrganizationName xml:lang="en">Example Identity Provider</OrganizationName>
         <OrganizationDisplayName xml:lang="en">Identities 'R' Us</OrganizationDisplayName>

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-shibboleth/shibboleth-sp2.git



More information about the Pkg-shibboleth-devel mailing list