SAML metadata

Metadata is information used in the SAML protocol to expose the configuration of a SAML entity, such as an SP or an IdP. Metadata defines things like which services an entity offers, the endpoint addresses of those services and the entity's certificates. Metadata is expressed in XML. An SP uses the IdP's metadata to know how to communicate with the IdP, and vice versa.

Metadata is exchanged between the SP and the IdP. There is no standard protocol for the exchange, and the metadata contains no secret information (only public keys and endpoint URLs), so the XML can be freely distributed by mail or published in clear text on the Internet. It is however essential that the metadata is protected from unauthorized modification: an attacker who can replace the signing certificate or an endpoint URL in the metadata can forge assertions the other party will accept, or redirect users and assertions to a server under their control, which amounts to a complete man-in-the-middle. The integrity of the metadata can be protected with a digital signature over the metadata (verified against a key or trust anchor obtained out of band: a signature checked only against the certificate embedded in the same file proves nothing, since whoever altered the file can also swap that certificate), by fetching it over TLS from a known URL whose server certificate is validated, or by transferring it over another trusted channel (USB, VPN, etc.). Consumers should also honour the `validUntil` and `cacheDuration` attributes and refuse metadata that has expired.

A metadata file for a SAML Web Browser SSO Profile IdP could for example contain the following.

  • Location of its Single Sign-On service, Artifact Resolution Service and Single Logout Service.
  • An entityID uniquely identifying the provider.
  • A signature over the metadata itself, plus the IdP's own public certificates: a signing certificate the SP uses to verify Responses and Assertions issued by the IdP, and an encryption certificate the SP uses to encrypt data it sends to the IdP.

The file usually also states whether the entity requires the communication to be signed, for example `WantAuthnRequestsSigned` on an IdP and `AuthnRequestsSigned` / `WantAssertionsSigned` on an SP; the presence of a `KeyDescriptor` with `use="encryption"` indicates that the entity can receive encrypted data.

A metadata file for the SP contains much the same, but instead of an Artifact Resolution Service it lists the location of its Assertion Consumer Service, the endpoint that receives the SAML Response. An IdP should only deliver Responses to Assertion Consumer Service locations registered in the SP's metadata, otherwise assertions can be redirected to an endpoint an attacker controls.

Metadata can contain much other information. For a full description, see the SAML 2.0 Metadata specification.

Below are example metadata files for an IdP and an SP. Usually these files are generated by the application handling the SAML communication. Note that they are examples: the certificates, digests and signature values are placeholders, and the `validUntil` dates have already passed, so a conforming consumer would reject them.

IdP

 1<?xml version="1.0"?>
 2<md:EntityDescriptor 
 3    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
 4    validUntil="2021-05-14T14:40:17Z" 
 5    cacheDuration="PT1621435217S" 
 6    entityID="exampleidp" 
 7    ID="pfx15f5264e-2c11-4717-9e15-b301b1d6bfd9">
 8  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 9    <ds:SignedInfo>
10      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
11      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
12      <ds:Reference URI="#pfx15f5264e-2c11-4717-9e15-b301b1d6bfd9">
13        <ds:Transforms>
14          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
15          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
16        </ds:Transforms>
17        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
18        <ds:DigestValue>GNLMMU8+ofuHdjn7Lef7drkEnNk=</ds:DigestValue>
19      </ds:Reference>
20    </ds:SignedInfo>
21    <ds:SignatureValue>
22===============  Meta data signature =============
23    </ds:SignatureValue>
24    <ds:KeyInfo>
25      <ds:X509Data>
26        <ds:X509Certificate>
27===============  Public certificate for meta data signature ============= 
28        </ds:X509Certificate>
29      </ds:X509Data>
30    </ds:KeyInfo>
31  </ds:Signature>
32  <md:IDPSSODescriptor 
33      WantAuthnRequestsSigned="false" 
34      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
35    <md:KeyDescriptor use="signing">
36      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
37        <ds:X509Data>
38          <ds:X509Certificate>
39===============  SP public certificate for verifying signatures =============
40          </ds:X509Certificate>
41        </ds:X509Data>
42      </ds:KeyInfo>
43    </md:KeyDescriptor>
44    <md:KeyDescriptor use="encryption">
45      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
46        <ds:X509Data>
47          <ds:X509Certificate>
48===============  SP public certificate for encrypting =============
49          </ds:X509Certificate>
50        </ds:X509Data>
51      </ds:KeyInfo>
52    </md:KeyDescriptor>
53    <md:SingleLogoutService 
54        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
55        Location="https://exampleidp.com/idp/singleSignOnService"/>
56    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
57    <md:SingleSignOnService 
58        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
59        Location="https://exampleidp.com/idp/singleSignOnService"/>
60  </md:IDPSSODescriptor>
61</md:EntityDescriptor>

SP

 1<?xml version="1.0"?>
 2<md:EntityDescriptor 
 3    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
 4    validUntil="2021-05-14T15:02:56Z" 
 5    cacheDuration="PT604800S" 
 6    entityID="TestSP" 
 7    ID="pfx92d25019-cd26-c6ff-465b-0751318a302b">
 8  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 9    <ds:SignedInfo>
10      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
11      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
12      <ds:Reference URI="#pfx92d25019-cd26-c6ff-465b-0751318a302b">
13        <ds:Transforms>
14          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
15          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
16        </ds:Transforms>
17        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
18        <ds:DigestValue>
19=============== Meta data signature digest =============        
20       </ds:DigestValue>
21      </ds:Reference>
22    </ds:SignedInfo>
23    <ds:SignatureValue>
24=============== Meta data signature =============
25    </ds:SignatureValue>
26    <ds:KeyInfo>
27      <ds:X509Data>
28        <ds:X509Certificate>
29=============== Public certificate for meta data signature ============= 
30        </ds:X509Certificate>
31      </ds:X509Data>
32    </ds:KeyInfo>
33  </ds:Signature>
34  <md:SPSSODescriptor 
35      AuthnRequestsSigned="true" 
36      WantAssertionsSigned="true" 
37      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
38    <md:KeyDescriptor use="signing">
39      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
40        <ds:X509Data>
41          <ds:X509Certificate>
42===============  IdP public certificate for verifying signatures =============
43          </ds:X509Certificate>
44        </ds:X509Data>
45      </ds:KeyInfo>
46    </md:KeyDescriptor>
47    <md:KeyDescriptor use="encryption">
48      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
49        <ds:X509Data>
50          <ds:X509Certificate>
51===============  IdP public certificate for encrypting =============
52          </ds:X509Certificate>
53        </ds:X509Data>
54      </ds:KeyInfo>
55    </md:KeyDescriptor>
56    <md:SingleLogoutService 
57        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
58        Location="https://examplesp.com/sp/artifactConsumer"/>
59    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
60    <md:AssertionConsumerService 
61        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
62        Location="https://examplesp.com/sp/artifactConsumer" 
63        index="1"/>
64  </md:SPSSODescriptor>
65</md:EntityDescriptor>