Example SP Metadata | SAML2P Documentation

This example shows a Service Provider (SP) metadata document.

An SP metadata must contain:

A unique identifier (EntityID) of the SP
One or more AssertionConsumerService (ACS) endpoints where the Identity Provider (IdP) will send SAML assertions

The following optional information is commonly included in an SP metadata:

SingleLogoutService (SLO) endpoint(s) where the IdP will send logout requests and responses
ArtifactResolutionService (ARS) endpoint(s) where the IdP will swap an artifact for the corresponding protocol message when using HTTP-Artifact binding
SP's public signing and encryption keys
Information about the Organization responsible for this SP, including Contact information
Information about the metadata document itself, such as unique ID and how long its valid for
An embedded XML Signature. The metadata document can be signed, providing a mechanism for the metadata consumer to verify the integrity of the document

<EntityDescriptor 
    ID="_33fc2606-cc4f-4883-b3a4-2c1d37090848"
    entityID="https://sp.openiddict"
    validUntil="2022-07-19T21:23:36Z"
    cacheDuration="PT15M"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.openiddict/saml/acs" index="1" />
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.openiddict/saml/acs" index="2" />
        <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.openiddict/saml/acs" index="3" />

        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.openiddict/saml/slo" />
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp.openiddict/saml/slo" />

        <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp.openiddict/saml/ars" index="0" />

        <KeyDescriptor use="signing">
            <KeyInfo
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>SP_PUBLIC_SIGNING_CERTIFICATE_USED_FOR_SIGNING_REQUESTS</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>

        <KeyDescriptor use="encryption">
            <KeyInfo
                xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>SP_PUBLIC_ENCRYPTION_CERTIFICATE</X509Certificate>
                </X509Data>
            </KeyInfo>
            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm" />
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc" />
            <EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" />
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        </KeyDescriptor>
    </SPSSODescriptor>

    <Organization>
        <OrganizationName xml:lang="en-GB">Example</OrganizationName>
        <OrganizationDisplayName xml:lang="en-GB">Example Org</OrganizationDisplayName>
        <OrganizationURL xml:lang="en-GB">https://example.com/</OrganizationURL>
    </Organization>

    <ContactPerson contactType="technical">
        <Company>Example</Company>
        <GivenName>bob</GivenName>
        <SurName>smith</SurName>
        <EmailAddress>bob@example.com</EmailAddress>
    </ContactPerson>

</EntityDescriptor>

Previous Next