h1. Metadata Administration

This page is for site administrators responsible for creating and maintaining SAML metadata on behalf of their organization.

The metadata submitted by the site administrator is vetted and approved by the InCommon Registration Authority (RA). Since the security of the SAML protocol depends on the proper use of metadata, the RA checks the correctness and integrity of what is submitted by the site administrator. In particular, the RA checks that the [certificates|X.509 Certificates in Metadata] and [endpoints|Endpoints in Metadata] in metadata meet certain basic requirements. For instance, all URIs in metadata are expected to be rooted in the [primary DNS domain|Primary DNS Domain] of the submitting organization. If not, a manual vetting process is triggered.
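The domain-rooting and certificate checks described above are easy to run locally before submitting metadata. The following script is an added example, not InCommon's or the Federation Manager's own code: it parses an EntityDescriptor, verifies that the entityID and every endpoint Location are rooted in an assumed primary DNS domain (example.edu), and confirms that each X509Certificate element holds a base64-encoded DER structure. The metadata sample is constructed for this example, and the requirement that endpoint Locations use https is an assumption added here, not a rule stated on this page.

```python
"""Local pre-submission sanity check for SAML metadata.

Added example, not InCommon's or the Federation Manager's code.
Assumptions: example.edu is the primary DNS domain; endpoint Locations
are expected to use https. The metadata below is constructed sample input.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: one SingleSignOnService endpoint lives on a host outside
# the primary domain and uses plain http, and the certificate blob is not DER
# (it is base64 for the string "not-a-cert").
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>bm90LWEtY2VydA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://login.hosted-vendor.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def in_domain(host, primary_domain):
    """True if host equals primary_domain or is a subdomain of it.

    The check is on label boundaries, so example.edu.attacker.com and
    notexample.edu are both rejected for primary domain example.edu.
    """
    host = host.lower().rstrip(".")
    primary_domain = primary_domain.lower().rstrip(".")
    return host == primary_domain or host.endswith("." + primary_domain)


def looks_like_der_certificate(b64_text):
    """True if the text is valid base64 whose payload starts like a DER SEQUENCE.

    This is a structural sanity check only (an X.509 certificate is an ASN.1
    SEQUENCE, tag byte 0x30); it does not validate the certificate itself.
    """
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(raw) > 2 and raw[0] == 0x30


def check_metadata(xml_text, primary_domain):
    """Return a list of findings; an empty list means the basic checks passed."""
    findings = []
    root = ET.fromstring(xml_text)

    # Every URI in metadata is expected to be rooted in the primary DNS domain;
    # anything else is what would trigger manual vetting at the RA.
    uris = [("entityID", root.get("entityID", ""))]
    for elem in root.iter():
        location = elem.get("Location")
        if location:
            uris.append((elem.tag.split("}")[-1], location))

    for label, uri in uris:
        parsed = urlparse(uri)
        if label != "entityID" and parsed.scheme != "https":
            findings.append(f"{label} {uri}: scheme {parsed.scheme!r}, expected https")
        if not parsed.hostname or not in_domain(parsed.hostname, primary_domain):
            findings.append(f"{label} {uri}: host not rooted in {primary_domain}")

    for cert in root.iterfind(".//ds:X509Certificate", NS):
        if not looks_like_der_certificate(cert.text or ""):
            findings.append("X509Certificate: content is not a base64-encoded DER certificate")

    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA, "example.edu"):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the off-domain http endpoint twice (scheme and host) and the malformed certificate once; a clean submission yields no findings. Replace SAMPLE_METADATA with your own EntityDescriptor and the domain with the one registered for your organization.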

h2. Federation Manager

A web interface called the [Federation Manager] is used to administer InCommon metadata. The interface supports both IdP and SP metadata. The elements of each are referenced in the following sections.

For reference, a [sample interface for new IdPs|^new_idp.html] is attached to this wiki page. Likewise a [sample interface for new SPs|^new_sp.html] is attached.

h3. IdP Metadata Elements

{div:style=float:right;margin-left:1em;margin-bottom:1ex}{note}Planning to register a [new IdP in metadata|New IdPs in Metadata]? Consult the [New IdP Checklist].{note}{div}

The following elements are called out in IdP metadata.

* [Entity ID|Entity IDs]
** [Entity Attributes]
* [Scope|Scope in Metadata]
* [X.509 Certificates|X.509 Certificates in Metadata]
** [Key Usage]
** [IdP Key Handling]
** [Certificate Migration]
*** [Migrating a Certificate in IdP Metadata|IdP Cert Migration]
* [User Interface Elements]
** [UI Elements in IdP Metadata|IdPUIElements]
* [Error Handling URL]
* [SAML Protocol Endpoints|Endpoints in Metadata]
** [Endpoints in IdP Metadata|IdP Endpoints]
* [Contacts|Contacts in Metadata]

For IdP deployments based on the Shibboleth software, there is valuable information in the Shibboleth wiki regarding [metadata for the Shibboleth IdP|https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForIdP].

h3. SP Metadata Elements

{div:style=float:right;margin-left:1em;margin-bottom:1ex}{tip}Tips on how to [manage SP metadata|SP Metadata Management]{tip}{div}

The following elements are called out in SP metadata.

* [Entity ID|Entity IDs]
** [Entity Attributes]
* [X.509 Certificates|X.509 Certificates in Metadata]
** [Key Usage]
** [Certificate Migration]
*** [Migrating a Certificate in SP Metadata|SP Cert Migration]
* [User Interface Elements]
** [UI Elements in SP Metadata|SPUIElements]
* [Requested Attributes]
* [SAML Protocol Endpoints|Endpoints in Metadata]
** [Endpoints in SP Metadata|SP Endpoints]
* [Contacts|Contacts in Metadata]

For SP deployments based on the Shibboleth software, there is valuable information in the Shibboleth wiki regarding [metadata for the Shibboleth SP|https://wiki.shibboleth.net/confluence/display/SHIB2/MetadataForSP].

h3. InCommon Extension Schema

InCommon has defined a small set of extensions to SAML metadata where necessary. An [XML extension schema|Metadata Extension Schema] is provided.

-----

{attachments}