Services that use the SAML protocol to connect to the Geant AAI Service should publish metadata like the example shown below, in order to comply with the policies and requirements for services.


titleSP-metadata-example.xml
<?xml version="1.0" encoding="UTF-8"?>

<md:EntityDescriptor 
  xmlns:mdxs="urn:oasis:names:tc:SAML:2.0:metadatahttp://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:mdattrsaml="urn:oasis:names:tc:SAML:metadata2.0:attributeassertion"
  xmlns:samlmd="urn:oasis:names:tc:SAML:2.0:assertionmetadata"
  xmlns:xsimdattr="http://www.w3.org/2001/XMLSchema-instanceurn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:dsremd="http://wwwrefeds.w3.org/2000/09/xmldsig#metadata"
  entityID="https://sp01service.devtest.eduteamsexample.org/saml/default-sp"
>

  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">EntityAttributes>
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for R&Sall SPsservices -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        
        <!-- Required for Productionproduction SPsservices -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required for SPsproduction supporting Sirtfiservices -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required; in order to signal the requirement for the release of the subject-id attribute -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">UIInfo>
        <!-- Required: Change it for your SPservice -->
        <mdui:DisplayName xml:lang="en">eduTEAMS Test Service Provider (SP01)<>Example service</mdui:DisplayName>

        <!-- Required: Change it for your SPservice -->
        <mdui:Description xml:lang="en">eduTEAMS>Example Service Providerservice used in development and test environments (SP01)<environments</mdui:Description>

        <!-- Required for Production: ChangeUse itthe forGeant yourprivacy SPnotice -->
        <mdui:PrivacyStatementURL xml:lang="en">https://wiki.geant.org/display/eduTEAMS/Privacy+Policy<privacy-notice/</mdui:PrivacyStatementURL>

        <!-- Required: Change it for your SPservice -->
        <mdui:Logo width="200" height="200">https://wwwservice.eduteamsexample.org/imgsp/logo.png</mdui:Logo>
        <mdui:Logo width="16" height="16">https://wwwservice.eduteamsexample.org/imgsp/logo_small.png</mdui:Logo>

        <!-- Optional: Change it for your SPservice -->
        <mdui:InformationURL xml:lang="en">https://wwwservice.eduteamsexample.org</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>

    <!-- Required: Change it for your SPservice -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Required: Change it for your SPservice -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Optional: Change it for your SPservice -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp01service.devtestexample.eduteams.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
   
    <!-- Required -->
    <!-- 
    In the list below all the attributes are requested. If your SP 
    needs less attributes, the list has to be modified accordingly.
    Check the attributes supported by the AAI service you are using. 
    -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp01service.devtestexample.eduteams.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>

    <md:AttributeConsumingService index="0">
      <!-- Required for all services; change to match the value of the mdui:DisplayName element -->
      <md:ServiceName xml:lang="en">eduTEAMS Test Service Provider<>Example service</md:ServiceName>

      <!--
        Below, all the attributes that are needed for the service  <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" FriendlyName="eduPersonUniqueId" isRequired="true"/>
to be operational are listed.
        If <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
your service needs less attributes, the list must be modified accordingly.
        <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/Check the attributes supported by the AAI service you are connecting.
      -->
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.1001.3.6.1.4.1.25178.4.1.36" FriendlyName="mailvoPersonID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:10.39.62342.119200300.4100.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliationuid" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.12.5.4.1.5923.1.1.1.942" FriendlyName="eduPersonScopedAffiliationgivenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:12.35.6.14.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlementsn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:12.316.6840.1.4113730.1.59233.1.1.1.11241" FriendlyName="eduPersonAssurancedisplayName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:10.39.62342.119200300.4100.1.5923.1.1.1.163" FriendlyName="eduPersonOrcidmail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.592325178.14.1.1.611" FriendlyName="eduPersonPrincipalNamevoPersonExternalAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.245525923.500.1.1.1.137" FriendlyName="sshPublicKeyeduPersonEntitlement" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>

  <!-- Required: ChangeKeep as itis for yourthe Geant SPServices -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">GEANT</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">GEANT</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.geant.org</md:OrganizationURL>
  </md:Organization>

  <!-- Required: Change it for your SPservice -->
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>mailto:admin@eduteamsadmin@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your SPservice -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical team</md:GivenName>
    <md:EmailAddress>mailto:support@eduteamstech@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: forKeep SPsas supportingis Sirtfi:for Changethe it for your SPGeant Services -->
  <md:ContactPerson xmlns:remdcontactType="http://refeds.org/metadata"support">
    <md:GivenName>GEANT Helpdesk</md:GivenName>
    <md:EmailAddress>mailto:help@geant.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: May need to change for your service -->
  <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>eduTEAMSGivenName>GEANT Security Service<Team</md:GivenName>
    <md:EmailAddress>mailto:security@eduteamssecurity@geant.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
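Review bot: The `<md:SPSSODescriptor>` at L52 sets `AuthnRequestsSigned="false"` but leaves `WantAssertionsSigned` unset, so the published metadata never states that the service expects signed assertions; for an example that services will copy verbatim I would make that explicit with `<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false" WantAssertionsSigned="true">`, assuming the Geant AAI Service honours the flag (not visible here). The two `<ds:X509Certificate>....</ds:X509Certificate>` placeholders at L77 and L86 carry no hint about the expected content; a comment such as `<!-- base64 DER certificate body only, no PEM BEGIN/END lines -->` next to each would avoid the common mistake of pasting a whole PEM file. Because the rendered comparison fuses old and new text on every changed line (for example the xmlns declarations at L19–L27 and the RequestedAttribute OIDs at L115–L122), the new-side values could not be checked individually here; the published version should be run through an XML well-formedness check and the OID/FriendlyName pairs re-verified before services copy it.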
