This repository has been archived by the owner on Jul 11, 2018. It is now read-only.

Description of metadata fields

Remold edited this page Jul 31, 2015 · 1 revision

| Name | For | Req | Default value | Allowed values | Description |
|---|---|---|---|---|---|
| AssertionConsumerService:0:Binding | SP | x | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<br>urn:oasis:names:tc:SAML:2.0:bindings:SOAP<br>urn:oasis:names:tc:SAML:2.0:bindings:PAOS<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact<br>urn:oasis:names:tc:SAML:2.0:bindings:URI | Only supported bindings: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more info. |
| AssertionConsumerService:0:index | SP | | | `<number>` | The index number of the binding; it may differ from the number in the name. |
| AssertionConsumerService:0:Location | SP | x | | `<valid HTTPS-URL>` | Endpoint for a connection that supports the Authentication Request protocol. |
| AssertionConsumerService:1:Binding to AssertionConsumerService:9:Binding | SP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<br>urn:oasis:names:tc:SAML:2.0:bindings:SOAP<br>urn:oasis:names:tc:SAML:2.0:bindings:PAOS<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact<br>urn:oasis:names:tc:SAML:2.0:bindings:URI | Only supported bindings: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more info. |
| AssertionConsumerService:1:index to AssertionConsumerService:9:index | SP | | | `<number>` | The index number of the binding; it may differ from the number in the name. |
| AssertionConsumerService:1:Location to AssertionConsumerService:9:Location | SP | | | `<valid HTTPS-URL>` | Endpoint for a connection that supports the Authentication Request protocol. |
| certData | IdP | x | | `<string>` | Base64-encoded certificate used for this connection. |
| certData | IdP, SP | | | `<string>` | Base64-encoded certificate used for this connection. |
| certData2 | IdP, SP | | | `<string>` | Fallback base64-encoded certificate used for this connection. Most likely used when this entity migrates to a new signing certificate. |
| certData3 | IdP, SP | | | `<string>` | Fallback base64-encoded certificate used for this connection. Most likely used when this entity migrates to a new signing certificate. |
| coin:additional_logging | IdP, SP | | | boolean | When not set or FALSE/unchecked, logging is only produced when an error occurs in the flow. When TRUE/checked, logging is always produced. |
| coin:alternate_private_key | SP | | | `<string>` | Overrides the private signing key used by SURFconext for this Service Provider. |
| coin:alternate_public_key | SP | | | `<string>` | Overrides the public signing key used by SURFconext for this Service Provider. |
| coin:application_url | SP | | Application URL | | |
| coin:disable_scoping | IdP | | FALSE | boolean | Must be set to TRUE/enabled for ADFS 2.0 IdPs. When unset or set to FALSE/disabled, the Scoping element in the authn statement contains: `<samlp:Scoping ProxyCount="10"><samlp:RequesterID>https://engine.surfconext.nl/authentication/sp/metadata</samlp:RequesterID></samlp:Scoping>` |
| coin:display_unconnected_idps_wayf | SP | | FALSE | boolean | The WAYF for this SP will show all IdPs, whether allowed by the ACL or not. End users can request access for the IdPs that are not allowed. See the IdP access requests page for more details. |
| coin:do_not_add_attribute_aliases | SP | | FALSE | boolean | When unset or set to FALSE/disabled: the attributes provided in the SAML Assertion carry both the OID and the named/human-readable attribute names. When set to TRUE/enabled: only the named/human-readable attributes are provided. Set to TRUE/enabled only when the SP cannot handle both OID and human-readable attributes. E.g. unset/unchecked gives both urn:mace:dir:attribute-def:cn and urn:oid:2.5.4.3; checked gives only urn:mace:dir:attribute-def:cn. |
| coin:eula | SP | | | `<URL>` | URL of the End User License Agreement for the service. |
| coin:gadgetbaseurl | SP | | | | Used to look up the OAuth parameters belonging to a gadget. The format is a regular expression matching the URL of the gadget's XML descriptor, for example `https://gadgets.store.com/.*`. Also used when Shindig acts as the provider in 2-legged OAuth. |
| coin:guest_qualifier | IdP | x | All | All<br>Some<br>None | Indicates whether none of the users from this IdP are marked as guest (None), some of them are (Some), or all of them are (All). |
| coin:hidden | IdP | | FALSE | boolean | When set or set to TRUE/enabled:<br>- The IdP is not listed in metadata for SPs (all entries and SP-specific)<br>- The IdP does not show up in the SURFconext WAYF<br>- The IdP is still functioning and can be accessed via the proxy SSO location |
| coin:implicit_vo_id | SP | | | | Used when an SP is only accessible through a virtual IdP. Contains the ID of the virtual IdP as set in OpenConext Manage. For more information, see the virtual IdP page. |
| coin:institution_id | IdP | | | | Abbreviation of the organization. The authoritative source for this field is IDD. |
| coin:is_provision_sp | SP | | FALSE | boolean | Indicates whether this Service Provider needs JIT provisioning. If it is absent or unchecked, NOTHING is provisioned. |
| coin:is_provision_sp_groups | SP | | | boolean | |
| coin:no_consent_required | SP | | FALSE | boolean | When set, users do not have to give consent to the release of their personal information. |
| coin:oauth:app_description | SP | | | | OAuth application description. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_icon | SP | | https://www.surfnet.nl/icon.gif | | The URL of the OAuth application icon image. This URL must be accessible from the internet. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_thumbnail | SP | | https://www.surfnet.nl/thumb.png | | The URL of the OAuth application logo image. This URL must be accessible from the internet. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_title | SP | | Application Title | | OAuth application title. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:callback_url | SP | | | | The OAuth callback URL. |
| coin:oauth:consent_not_required | SP | | | boolean | |
| coin:oauth:consumer_key | SP | | | | When Shindig acts as the consumer in 3-legged OAuth with key type HMAC_SHA1 or RSA_PRIVATE, this is the consumer key. When Shindig is the provider, this should be a URL matching the consumer (see coin:gadgetbaseurl). |
| coin:oauth:consumer_secret | SP | | | | When Shindig acts as the consumer in 3-legged OAuth with key type HMAC_SHA1, this is the consumer secret. With key type RSA_PRIVATE this entry is not used but still has to be filled (use a dummy value). Leave blank when Shindig is the provider. |
| coin:oauth:key_type | SP | | HMAC_SHA1 | HMAC_SHA1<br>RSA_PRIVATE | |
| coin:oauth:public_key | SP | | | | When Shindig acts as the provider in 3-legged OAuth with key type RSA_PRIVATE, this is the consumer's public key. |
| coin:oauth:secret | SP | | | | |
| coin:oauth:two_legged_allowed | SP | | | boolean | |
| coin:provide_is_member_of | SP | | | boolean | The username of the 'power' user that can create users and groups. |
| coin:provision_admin | SP | | | | The username of the 'power' user that can create users and groups. |
| coin:provision_domain | SP | | | | The domain for which users and groups will be provisioned. Optional, but needed for the Google provisioning implementation. |
| coin:provision_password | SP | | | | The password of the power user. |
| coin:provision_type | SP | | google | none<br>google | The type of provisioning. Currently only Google is implemented. |
| coin:publish_in_edugain | IdP, SP | | False | boolean | When set to True/checked, the IdP/SP is included in the SURFconext metadata for eduGAIN. The actual SURFnet eduGAIN feed is aggregated from the SURFconext metadata. |
| coin:publish_in_edugain_date | IdP, SP | | | `<string>` | The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes; this may, for example, correspond to the time a document is signed. Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier (e.g. '2013-05-03T16:31:26Z'). See the 'creationInstant' element in http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html |
| coin:schachomeorganization | IdP | | | | |
| coin:ss:idp_visible_only | SP | | False | boolean | When set to TRUE/enabled, the SP is not shown in the SURFconext Dashboard. |
| coin:transparant_issuer | SP | | False | boolean | When set to TRUE/enabled: the Issuer of the SAML Assertion is set to the issuer as provided by the IdP. When unset or set to FALSE/disabled: the Issuer of the SAML Assertion is set to SURFconext. |
| contacts:0:contactType<br>contacts:1:contactType<br>contacts:2:contactType | IdP, SP | x | | technical<br>support<br>administrative<br>billing<br>other | The type of the contact person. |
| contacts:0:emailAddress<br>contacts:1:emailAddress<br>contacts:2:emailAddress | IdP, SP | x | | | Email address of the contact person. |
| contacts:0:givenName<br>contacts:1:givenName<br>contacts:2:givenName | IdP, SP | x | | | The contact person's given name. |
| contacts:0:surName<br>contacts:1:surName<br>contacts:2:surName | IdP, SP | x | | | The contact person's surname. |
| contacts:0:telephoneNumber<br>contacts:1:telephoneNumber<br>contacts:2:telephoneNumber | IdP, SP | | | | Phone number of the contact person. |
| description:en<br>description:nl | IdP, SP | x | | | A description of this connection. |
| displayName:en<br>displayName:nl | IdP, SP | | | | The display name for this connection; overrides the 'name' in WAYFs. |
| keywords:en<br>keywords:nl | IdP | x | | | |
| logo:0:height | IdP, SP | x | 60 | | The height of the IdP's/SP's logo image. Cannot be higher than 48px for SURFconext. Required for MDUI export. |
| logo:0:url | IdP, SP | x | https://.png | | The URL of the IdP's/SP's logo image. This URL must be accessible from the public internet. Preferred location: `https://static/surfconext.nl/media/[idp\|sp]/<logo-filename>` |
| logo:0:width | IdP, SP | x | 120 | | The width of the IdP's logo image. Cannot be wider than 108px for SURFconext. Required for MDUI export. |
| name:en<br>name:nl | IdP, SP | x | | | The name of this connection. |
| NameIDFormat | IdP, SP | | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified<br>urn:oasis:names:tc:SAML:2.0:nameid-format:transient<br>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<br>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified | NameID format supported by this connection. The 'SAML:2.0:nameid-format:persistent' format is not valid according to the SAML specs; however, it is used by some SURFconext services. |
| NameIDFormats:0<br>NameIDFormats:1<br>NameIDFormats:2 | SP | | urn:oasis:names:tc:SAML:2.0:nameid-format:transient | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified<br>urn:oasis:names:tc:SAML:2.0:nameid-format:transient<br>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<br>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified | The SP can handle these NameID formats. |
| OrganizationDisplayName:en<br>OrganizationDisplayName:nl | IdP, SP | | | | Optional element identifying the organization responsible for the SAML entity described by the element (name for human consumption). |
| OrganizationName:en<br>OrganizationName:nl | IdP, SP | | | | Optional element identifying the organization responsible for the SAML entity described by the element. |
| OrganizationURL:en<br>OrganizationURL:nl | IdP, SP | | | | URL specifying a location to which to direct a user for additional information. |
| redirect.sign | IdP, SP | x | | boolean | Demand signing of requests. (Must be set to True/checked for OpenASelect IdPs.) |
| shibmd:scope:0:alowed<br>shibmd:scope:1:alowed<br>shibmd:scope:2:alowed<br>shibmd:scope:3:alowed<br>shibmd:scope:4:alowed | IdP | | | | The scope of the IdP. When a scope is provided in the IdP's metadata this field must be added. For more information regarding shibmd:scope see https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 |
| shibmd:scope:0:regexp<br>shibmd:scope:1:regexp<br>shibmd:scope:2:regexp<br>shibmd:scope:3:regexp<br>shibmd:scope:4:regexp | IdP | | False | boolean | When set, the scope of the IdP is treated as a regular expression. For more information regarding shibmd:scope see https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 |
| SingleLogoutService_Binding | IdP, SP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<br>urn:oasis:names:tc:SAML:2.0:bindings:SOAP<br>urn:oasis:names:tc:SAML:2.0:bindings:PAOS<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact<br>urn:oasis:names:tc:SAML:2.0:bindings:URI | Binding for the single logout endpoint of a connection that supports the Single Logout profile [SAMLProf]. Not supported (yet). |
| SingleLogoutService_Location | IdP, SP | | | `<Valid HTTPS-URL>` | Endpoint for a connection that supports the Single Logout profile [SAMLProf]. Not supported (yet). |
| SingleSignOnService:0:Binding | IdP | x | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<br>urn:oasis:names:tc:SAML:2.0:bindings:SOAP<br>urn:oasis:names:tc:SAML:2.0:bindings:PAOS<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact<br>urn:oasis:names:tc:SAML:2.0:bindings:URI | Only supported bindings: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more info. |
| SingleSignOnService:0:Location | IdP | x | | `<Valid HTTPS-URL>` | Endpoint for a connection that supports the Single Sign-On profile [SAMLProf]. |
| SingleSignOnService:1:Binding | IdP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<br>urn:oasis:names:tc:SAML:2.0:bindings:SOAP<br>urn:oasis:names:tc:SAML:2.0:bindings:PAOS<br>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact<br>urn:oasis:names:tc:SAML:2.0:bindings:URI | Only supported bindings: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect and urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more info. |
| SingleSignOnService:1:Location | IdP | | | | Endpoint for a connection that supports the Single Sign-On profile [SAMLProf]. |
| url:en<br>url:nl | SP | x | | | A URL pointing to more information about the connection. |
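The table above states several constraints a registry operator should enforce before trusting an entity's metadata: only the HTTP-Redirect and HTTP-POST bindings are supported, endpoints must be HTTPS URLs, certData must be base64, guest_qualifier is one of All/Some/None, logos are capped at 48px by 108px, and publish_in_edugain_date must be a UTC instant ending in 'Z'. The following validator is an added example and not OpenConext/SURFconext code: the key names, limits and allowed values come from the table, while the check logic, the required-field subset and the sample record are assumptions.

```python
"""Checks for the SURFconext metadata fields documented on this page.
Added example, not OpenConext code: key names and limits are from the table, the logic is an assumption."""
import base64
import binascii
import re
from urllib.parse import urlparse

SUPPORTED_BINDINGS = {  # the only two bindings the page lists as supported
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
REQUIRED = {  # subset of the fields marked "x" in the Req column (assumption: enough for a demo)
    "SP": ["AssertionConsumerService:0:Binding", "AssertionConsumerService:0:Location"],
    "IdP": ["SingleSignOnService:0:Binding", "SingleSignOnService:0:Location",
            "certData", "coin:guest_qualifier"],
}
UTC_INSTANT = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")  # UTC with the 'Z' identifier only

def validate(entity_type, md):
    """Return the list of problems found in the metadata dict; an empty list means it passes."""
    problems = [f"missing required field {k}" for k in REQUIRED[entity_type] if not md.get(k)]
    for key, value in md.items():
        if key.endswith(":Binding") and value not in SUPPORTED_BINDINGS:
            problems.append(f"{key}: unsupported binding {value}")
        elif key.endswith(":Location") and urlparse(value).scheme != "https":
            problems.append(f"{key}: endpoint must be an HTTPS URL")
        elif key.startswith("certData"):  # covers certData, certData2 and certData3
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{key}: not a base64-encoded certificate")
    if md.get("coin:guest_qualifier", "All") not in {"All", "Some", "None"}:
        problems.append("coin:guest_qualifier: must be All, Some or None")
    if int(md.get("logo:0:height", 0)) > 48 or int(md.get("logo:0:width", 0)) > 108:
        problems.append("logo:0: exceeds the 48px height / 108px width limit")
    date = md.get("coin:publish_in_edugain_date")
    if date and not UTC_INSTANT.match(date):
        problems.append("coin:publish_in_edugain_date: must be UTC with 'Z', e.g. 2013-05-03T16:31:26Z")
    return problems

SAMPLE_SP = {  # constructed record for a fictitious SP, not real registry data
    "AssertionConsumerService:0:Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "AssertionConsumerService:0:Location": "https://sp.example.org/saml/acs",
    "certData": base64.b64encode(b"constructed-DER-bytes").decode(),
    "logo:0:height": "40", "logo:0:width": "100",
    "coin:publish_in_edugain_date": "2013-05-03T16:31:26Z",
}

if __name__ == "__main__":
    print(validate("SP", SAMPLE_SP) or "SAMPLE_SP passes all checks")
```

Run it on a record with an HTTP ACS location or an HTTP-Artifact binding and the returned list names each violated constraint, which is the point where such a record should be rejected rather than imported.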