Description of metadata fields
| Name | For | Req | Default value | Allowed values | Description |
|---|---|---|---|---|---|
| AssertionConsumerService:0:Binding | SP | x | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Only supported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more information. |
| AssertionConsumerService:0:index | SP | | | <number> | The index attribute of this endpoint; it may differ from the number in the field name. |
| AssertionConsumerService:0:Location | SP | x | | <valid HTTPS URL> | Endpoint of the connection that supports the Authentication Request protocol. |
| AssertionConsumerService:1:Binding | SP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Only supported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more information. |
| AssertionConsumerService:1:index | SP | | | <number> | The index attribute of this endpoint; it may differ from the number in the field name. |
| AssertionConsumerService:1:Location | SP | | | <valid HTTPS URL> | Endpoint of the connection that supports the Authentication Request protocol. |
| certData | IdP | x | | <string> | Base64-encoded certificate used for this connection. |
| certData | IdP, SP | | | <string> | Base64-encoded certificate used for this connection. |
| certData2 | IdP, SP | | | <string> | Fallback base64-encoded certificate used for this connection. Typically used while this entity migrates to a new signing certificate. |
| certData3 | IdP, SP | | | <string> | Fallback base64-encoded certificate used for this connection. Typically used while this entity migrates to a new signing certificate. |
| coin:additional_logging | IdP, SP | | | boolean | When unset or FALSE/unchecked, logging is produced only when an error occurs in the flow. When TRUE/checked, logging is always produced. |
| coin:alternate_private_key | SP | | | <string> | Overrides the private signing key used by SURFconext for this Service Provider. |
| coin:alternate_public_key | SP | | | <string> | Overrides the public signing key used by SURFconext for this Service Provider. |
| coin:application_url | SP | | Application URL | | |
| coin:disable_scoping | IdP | | FALSE | boolean | Must be set to TRUE/enabled for ADFS 2.0 IdPs. When unset or FALSE/disabled, the AuthnRequest contains the scoping element <samlp:Scoping ProxyCount="10"> <samlp:RequesterID>https://engine.surfconext.nl/authentication/sp/metadata</samlp:RequesterID> </samlp:Scoping> |
| coin:display_unconnected_idps_wayf | SP | | FALSE | boolean | The WAYF for this SP shows all IdPs, whether or not they are allowed by the ACL. End users can request access for the IdPs that are not allowed. See the IdP access requests page for details. |
| coin:do_not_add_attribute_aliases | SP | | FALSE | boolean | When unset or FALSE/disabled, the attributes in the SAML Assertion are provided under both the OID name and the named/human-readable name. When TRUE/enabled, only the named/human-readable attributes are provided. Set to TRUE/enabled only when the SP cannot handle both OID and human-readable attribute names. E.g. unset/unchecked gives both urn:mace:dir:attribute-def:cn and urn:oid:2.5.4.3; checked gives only urn:mace:dir:attribute-def:cn. |
| coin:eula | SP | | | <URL> | URL of the End User License Agreement for the service. |
| coin:gadgetbaseurl | SP | | | | Used to look up the OAuth parameters belonging to a gadget. The format is a regular expression matching the URL of the gadget's XML descriptor, e.g. https://gadgets.store.com/.* Also used when Shindig acts as the provider in 2-legged OAuth. |
| coin:guest_qualifier | IdP | x | All | None, Some, All | Indicates that no users, some users or all users from this IdP are marked as guest, respectively. |
| coin:hidden | IdP | | FALSE | boolean | When set or set to TRUE/enabled: |
| coin:implicit_vo_id | SP | | | | Used when an SP is only accessible through a virtual IdP. Contains the ID of the virtual IdP as set in OpenConext Manage. See the virtual IdP page for more information. |
| coin:institution_id | IdP | | | | Abbreviation of the organization. The authoritative source for this field is IDD. |
| coin:is_provision_sp | SP | | FALSE | boolean | Indicates whether this Service Provider needs JIT provisioning. If absent or unchecked, nothing is provisioned. |
| coin:is_provision_sp_groups | SP | | | boolean | |
| coin:no_consent_required | SP | | FALSE | boolean | When TRUE/enabled, users are not asked for consent before their personal information is released to this service. |
| coin:oauth:app_description | SP | | | | OAuth application description. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_icon | SP | | https://www.surfnet.nl/icon.gif | | The URL of the OAuth application icon image. This URL must be reachable from the internet. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_thumbnail | SP | | https://www.surfnet.nl/thumb.png | | The URL of the OAuth application logo image. This URL must be reachable from the internet. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:app_title | SP | | Application Title | | OAuth application title. Displayed to the user when they have to authorize the data request. Only used in 3-legged OAuth when Shindig is the data provider. |
| coin:oauth:callback_url | SP | | | | The OAuth callback URL. |
| coin:oauth:consent_not_required | SP | | | boolean | |
| coin:oauth:consumer_key | SP | | | | When Shindig acts as the consumer in 3-legged OAuth with key type HMAC_SHA1 or RSA_PRIVATE, this is the consumer key. When Shindig is the provider, this should be a URL matching the consumer (see coin:gadgetbaseurl). |
| coin:oauth:consumer_secret | SP | | | | When Shindig acts as the consumer in 3-legged OAuth with key type HMAC_SHA1, this is the consumer secret. With key type RSA_PRIVATE this entry is not used but must still be filled in (use a dummy value). Leave blank when Shindig is the provider. |
| coin:oauth:key_type | SP | | HMAC_SHA1 | HMAC_SHA1, RSA_PRIVATE | |
| coin:oauth:public_key | SP | | | | When Shindig acts as the provider in 3-legged OAuth with key type RSA_PRIVATE, this is the consumer's public key. |
| coin:oauth:secret | SP | | | | |
| coin:oauth:two_legged_allowed | SP | | | boolean | |
| coin:provide_is_member_of | SP | | | boolean | |
| coin:provision_admin | SP | | | | The username of the 'power' user that can create users and groups. |
| coin:provision_domain | SP | | | | The domain for which users and groups are provisioned. Optional, but required for the Google provisioning implementation. |
| coin:provision_password | SP | | | | The password of the power user. |
| coin:provision_type | SP | | | none | The type of provisioning. Currently only Google is implemented. |
| coin:publish_in_edugain | IdP, SP | | False | boolean | When TRUE/checked, the IdP/SP is included in the SURFconext metadata for eduGAIN. The actual SURFnet eduGAIN feed is aggregated from the SURFconext metadata. |
| coin:publish_in_edugain_date | IdP, SP | | | <string> | The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes; this may, for example, correspond to the time a document is signed. Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier (e.g. '2013-05-03T16:31:26Z'). See the 'creationInstant' element in http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html |
| coin:schachomeorganization | IdP | | | | |
| coin:ss:idp_visible_only | SP | | False | boolean | When TRUE/enabled, the SP is not shown in the SURFconext Dashboard. |
| coin:transparant_issuer | SP | | False | boolean | When TRUE/enabled, the Issuer of the SAML Assertion is set to the issuer provided by the IdP. When unset or FALSE/disabled, the Issuer of the SAML Assertion is set to SURFconext. |
| contacts:0:contactType | IdP, SP | x | | technical | The type of the contact person. |
| contacts:0:emailAddress | IdP, SP | x | | | Email address of the contact person. |
| contacts:0:givenName | IdP, SP | x | | | The contact person's given name. |
| contacts:0:surName | IdP, SP | x | | | The contact person's surname. |
| contacts:0:telephoneNumber | IdP, SP | | | | Phone number of the contact person. |
| description:en | IdP, SP | x | | | A description of this connection. |
| displayName:en | IdP, SP | | | | The display name for this connection; overrides the 'name' in WAYFs. |
| keywords:en | IdP | x | | | |
| logo:0:height | IdP, SP | x | 60 | | The height of the IdP's/SP's logo image. Cannot be higher than 48px for SURFconext. Required for MDUI export. |
| logo:0:url | IdP, SP | x | https://.png | | The URL of the IdP's/SP's logo image. This URL must be reachable from the public internet. Preferred location: https://static/surfconext.nl/media/[idp\|sp]/<logo-filename> |
| logo:0:width | IdP, SP | x | 120 | | The width of the IdP's logo image. Cannot be wider than 108px for SURFconext. Required for MDUI export. |
| name:en | IdP, SP | x | | | The name of this connection. |
| NameIDFormat | IdP, SP | | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | NameID format supported by this connection. Note that urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified is not a valid identifier according to the SAML specs (the unspecified format is urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified); it is nevertheless used by some SURFconext services. |
| NameIDFormats:0 | SP | | urn:oasis:names:tc:SAML:2.0:nameid-format:transient | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | NameID formats the SP can handle. |
| OrganizationDisplayName:en | IdP, SP | | | | Optional element identifying the organization responsible for the SAML entity described by the element (name for human consumption). |
| OrganizationName:en | IdP, SP | | | | Optional element identifying the organization responsible for the SAML entity described by the element. |
| OrganizationURL:en | IdP, SP | | | | URL of a location to which a user can be directed for additional information. |
| redirect.sign | IdP, SP | x | | boolean | Demand that requests sent over the HTTP-Redirect binding are signed. Must be set to True/checked for OpenASelect IdPs. |
| shibmd:scope:0:allowed | IdP | | | | The scope of the IdP. When a scope is provided in the IdP's metadata this field must be added. See https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 for more information on shibmd:scope. |
| shibmd:scope:0:regexp to shibmd:scope:4:regexp | IdP | | False | boolean | When set, the scope of the IdP is treated as a regular expression. See https://wiki.shibboleth.net/confluence/display/SC/ShibMetaExt+V1.0 for more information on shibmd:scope. |
| SingleLogoutService_Binding | IdP, SP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Binding of the single logout endpoint of a connection that supports the Single Logout profile [SAMLProf]. Not supported (yet). |
| SingleLogoutService_Location | IdP, SP | | | <valid HTTPS URL> | Endpoint of a connection that supports the Single Logout profile [SAMLProf]. Not supported (yet). |
| SingleSignOnService:0:Binding | IdP | x | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Only supported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more information. |
| SingleSignOnService:0:Location | IdP | x | | <valid HTTPS URL> | Endpoint of the connection that supports the Single Sign-On profile [SAMLProf]. |
| SingleSignOnService:1:Binding | IdP | | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | Only supported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. See http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf for more information. |
| SingleSignOnService:1:Location | IdP | | | | Endpoint of the connection that supports the Single Sign-On profile [SAMLProf]. |
| url:en | SP | x | | | A URL pointing to more information about the connection. |