This example shows an Identity Provider (IdP) metadata document.
An IdP metadata document must contain:
- A unique identifier (`EntityID`) for the IdP
- The SingleSignOnService (SSO) endpoint(s) where the Service Provider (SP) will send SAML authentication requests
The following optional information is commonly included in IdP metadata documents:
- `WantAuthnRequestsSigned`, indicating whether the IdP wants signed authentication requests
- SingleLogoutService (SLO) endpoint(s) where the SP will send logout requests and responses
- ArtifactResolutionService (ARS) endpoint(s) where the SP will swap an artifact for the corresponding protocol message when using the HTTP-Artifact binding
- The supported NameID formats
- The IdP's public signing key
- Information about the `Organization` responsible for this IdP, including `Contact` information
- Information about the metadata document itself, such as a unique `ID` and how long it is valid for (`validUntil`)
- An embedded XML `Signature`, as the metadata document can be signed. This provides a mechanism for the metadata consumer to verify the integrity and origin of the document. An SP should verify that signature against a key trusted out of band before accepting any endpoint or certificate the document contains, and should stop using the document once `validUntil` has passed.
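<?xml version="1.0" encoding="UTF-8"?>
<!--
  Example SAML 2.0 IdP metadata document.

  The children of IDPSSODescriptor are written in the order the SAML 2.0 metadata
  schema sequence requires (KeyDescriptor, ArtifactResolutionService,
  SingleLogoutService, NameIDFormat, SingleSignOnService). Consumers that validate
  against the schema reject other orderings, so the example keeps to it.
-->
<EntityDescriptor
    ID="_c066524f-ba36-49d5-9dfa-ae14e13c1392"
    entityID="https://idp.identityserver"
    validUntil="2022-07-20T09:48:54Z"
    cacheDuration="PT15M"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <!--
    ID: unique identifier of this document; an enveloped ds:Signature (the first
    child of EntityDescriptor, omitted from this example) would reference it.
    validUntil / cacheDuration: a consumer must stop using the document after
    validUntil and should re-fetch it at least every cacheDuration rather than
    caching it indefinitely.
  -->
  <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- WantAuthnRequestsSigned="true": the IdP expects the SP to sign its AuthnRequests. -->
    <!--
      NOTE(review): an SP should take the signing certificate below from verified
      metadata and use it as the only trust anchor when validating Response and
      Assertion signatures; it must not accept a certificate carried in the
      message's own KeyInfo. Replace the placeholder with the base64-encoded DER
      certificate.
    -->
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>IDP_PUBLIC_SIGNING_CERTIFICATE_USED_FOR_SIGNING_RESPONSES</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <!-- ARS: SOAP back-channel endpoint where an artifact is exchanged for the protocol message. -->
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.identityserver/saml/ars" index="0" />
    <!-- SLO endpoints, one per supported binding. -->
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.identityserver/saml/slo" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.identityserver/saml/slo" />
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idp.identityserver/saml/slo" />
    <!-- NameID formats this IdP supports. -->
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <!-- SSO endpoints, one per supported binding; the SP sends AuthnRequests here. -->
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.identityserver/saml/sso" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.identityserver/saml/sso" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idp.identityserver/saml/sso" />
  </IDPSSODescriptor>
  <!-- Organisation responsible for the IdP (informational). -->
  <Organization>
    <OrganizationName xml:lang="en-GB">Example</OrganizationName>
    <OrganizationDisplayName xml:lang="en-GB">Example Org</OrganizationDisplayName>
    <OrganizationURL xml:lang="en-GB">https://example.com/</OrganizationURL>
  </Organization>
  <!-- Technical contact for this IdP (informational). -->
  <ContactPerson contactType="technical">
    <Company>Example</Company>
    <GivenName>bob</GivenName>
    <SurName>smith</SurName>
    <EmailAddress>bob@example.com</EmailAddress>
  </ContactPerson>
</EntityDescriptor>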