You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Services that are using the SAML protocol to connect to the Geant AAI Service should be publishing metadata like the example shown below, in order to comply with the policies and requirements for services.

SP-metadata-example.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor 
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://service.example.org/sp"
>
  <md:Extensions>
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for all services -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>

        <!-- Required for production services -->
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required for production services -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required; in order to signal the requirement for the release of the subject-id attribute -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <!-- Required: Change it for your SP -->
        <mdui:DisplayName xml:lang="en">Example service</mdui:DisplayName>

        <!-- Required: Change it for your SP -->
        <mdui:Description xml:lang="en">Example service used in development and test environments</mdui:Description>

        <!-- Required for Production: Use the Geant privacy notice -->
        <mdui:PrivacyStatementURL xml:lang="en">https://geant.org/privacy-notice/</mdui:PrivacyStatementURL>

        <!-- Required: Change it for your SP -->
        <mdui:Logo width="200" height="200">https://service.example.org/sp/logo.png</mdui:Logo>
        <mdui:Logo width="16" height="16">https://service.example.org/sp/logo_small.png</mdui:Logo>

        <!-- Optional: Change it for your SP -->
        <mdui:InformationURL xml:lang="en">https://service.example.org</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>

    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Required: Change it for your SP -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Optional: Change it for your SP -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://service.example.org/sp/logout"/>
   
    <!-- Required -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://service.example.org/sp/acs" index="0"/>

    <md:AttributeConsumingService index="0">
      <!-- Required for all services; change to match the value of the mdui:DisplayName element -->
      <md:ServiceName xml:lang="en">Example service</md:ServiceName>

      <!--
        Below, all the attributes that are needed for the service to be operational are listed.
        If your service needs less attributes, the list must be modified accordingly.
        Check the attributes supported by the AAI service you are connecting. 
      -->
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>

  <!-- Required: Keep as is for the Geant Services --> 
  <md:Organization>
    <md:OrganizationName xml:lang="en">GEANT</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">GEANT</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.geant.org</md:OrganizationURL>
  </md:Organization>  

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>mailto:admin@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical team</md:GivenName>
    <md:EmailAddress>mailto:tech@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Keep as is for the Geant Services --> 
  <md:ContactPerson contactType="support">
    <md:GivenName>GEANT Helpdesk</md:GivenName>
    <md:EmailAddress>mailto:help@geant.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: May need to change for your service -->
  <md:ContactPerson xmlns:remd="http://refeds.org/metadata" contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>GEANT Security Team</md:GivenName>
    <md:EmailAddress>mailto:security@service.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
  • No labels