Example of SAML metadata for services

Services that are using the SAML protocol to connect to the Geant AAI Service should be publishing metadata like the example shown below, in order to comply with the policies and requirements for services.
SP-metadata-example.xml
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:remd="http://refeds.org/metadata"
  entityID="https://service.example.org/sp"
>
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <!-- Required for R&S services -->
        <saml:AttributeValue xsi:type="xs:string">http://refeds.org/category/research-and-scholarship</saml:AttributeValue>

        <!-- Required for Production services -->
        <saml:AttributeValue xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required for services supporting Sirtfi -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xs:string">https://refeds.org/sirtfi</saml:AttributeValue>
      </saml:Attribute>

      <!-- Required to signal the requirement for the release of subject-id -->
      <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id:req" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>any</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" AuthnRequestsSigned="false">
    <md:Extensions>
      <mdui:UIInfo>
        <!-- Required: Change it for your service -->
        <mdui:DisplayName xml:lang="en">Example service</mdui:DisplayName>

        <!-- Required: Change it for your service -->
        <mdui:Description xml:lang="en">Example service used in development and test environments</mdui:Description>

        <!-- Required for Production services -->
        <mdui:PrivacyStatementURL xml:lang="en">https://geant.org/privacy-notice/</mdui:PrivacyStatementURL>

        <!-- Required: Change it for your service -->
        <mdui:Logo width="200" height="200">https://service.example.org/sp/logo.png</mdui:Logo>
        <mdui:Logo width="16" height="16">https://service.example.org/sp/logo_small.png</mdui:Logo>

        <!-- Optional: Change it for your service -->
        <mdui:InformationURL xml:lang="en">https://service.example.org</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>

    <!-- Required: Change it for your service -->
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Required: Change it for your service -->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>....</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <!-- Optional: Change it for your service -->
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://service.example.org/sp/logout"/>

    <!-- Required: Change it for your service -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://service.example.org/sp/acs" index="0"/>

    <!--
    In the list below all the attributes are requested. If your SP
    needs less attributes, the list has to be modified accordingly.
    Check the attributes supported by the AAI service you are using.
    -->
    <md:AttributeConsumingService index="0">
      <!-- Required for all services; change to match the value of the mdui:DisplayName element -->
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>

      <!--
        Below, all the attributes that are needed for the service to be operational are listed.
        If your service needs less attributes, the list must be modified accordingly.
        Check the attributes supported by the AAI service you are connecting.
      -->
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.6" FriendlyName="voPersonID" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.25178.4.1.11" FriendlyName="voPersonExternalAffiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>

  <!-- Required: Change it for your service -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example Org</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.example.org</md:OrganizationURL>
  </md:Organization>

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="administrative">
    <md:GivenName>John Doe</md:GivenName>
    <md:EmailAddress>mailto:admin@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical team</md:GivenName>
    <md:EmailAddress>mailto:tech@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required: Change it for your service -->
  <md:ContactPerson contactType="support">
    <md:GivenName>Helpdesk</md:GivenName>
    <md:EmailAddress>mailto:support@service.example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Required for SPs supporting Sirtfi: Change it for your service -->
  <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security team</md:GivenName>
    <md:EmailAddress>mailto:security@service.example.org</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
Page tree

Example of SAML metadata for services
