Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Services that are using the SAML protocol to connect to the Geant AAI Service should be publishing metadata like the example shown below, in order to comply with the policies and requirements for services.


Code Block
languagexml
titleSP-metadata-example.xml
linenumberstrue
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor 
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://service.example.org/sp"
>
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for R&S services -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>

        <!-- Required for Production services -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required for services supporting Sirtfi -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required to signal the requirement for the release of subject-id -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- Required: Change it for your service -->
        <mdui:DisplayName xml:lang="en">Example service</mdui:DisplayName>

        <!-- Required: Change it for your service -->
        <mdui:Description xml:lang="en">Example service used in development and test environments</mdui:Description>

        <!-- Required for Production services -->
        <mdui:PrivacyStatementURL xml:lang="en">https://geant.org/privacy-notice/</mdui:PrivacyStatementURL>

        <!-- Required: Change it for your service -->
        <mdui:Logo width="200" height="200">https://service.example.org/sp/logo.png</mdui:Logo>
        <mdui:Logo width="16" height="16">https://service.example.org/sp/logo_small.png</mdui:Logo>

        <!-- Optional: Change it for your service -->
        <mdui:InformationURL xml:lang="en">https://service.example.org</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>

    <!-- Required: Change it for your service -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Required: Change it for your service -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Optional: Change it for your service -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://service.example.org/sp/logout"/>
   
    <!-- Required: Change it for your service -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://service.example.org/sp/acs" index="0"/>

    <!--
    In the list below all the attributes are requested. If your SP 
    needs less attributes, the list has to be modified accordingly.
    Check the attributes supported by the AAI service you are using. 
    -->
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>

  <!-- Required: Change it for your service --> 
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.org</md:OrganizationURL>
  </md:Organization>  

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="administrative">
    <md:GivenName>John Doe</md:GivenName>
    <md:EmailAddress>mailto:admin@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical team</md:GivenName>
    <md:EmailAddress>mailto:tech@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your service --> 
  <md:ContactPerson contactType="support">
    <md:GivenName>Helpdesk</md:GivenName>
    <md:EmailAddress>mailto:support@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required for SPs supporting Sirtfi: Change it for your service -->
  <md:ContactPerson xmlns:remd="http://refeds.org/metadata" contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security team</md:GivenName>
    <md:EmailAddress>mailto:security@service.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>