ePrivacy and GPDR Cookie Consent by Cookie Consent

SAML metadata

Metadata is information used in the SAML protocol to expose the configuration of a SAML entity, like a SP or IdP. Metadata define things like what service is available, addresses and certificates. Metadata is defined in XML. A SP uses the Metadata to know how to communicate with the IdP and vise versa.

Metadata is exchanged beetween the SP and the IDP. There is no protocol how the exchange is done, but there are no secret information in the metadata so the XML can be freely distributed by mail or published in clear text on the Internet. It is however highly recommended that the metadata is protected from unauthorized modification, this could be a good start on a Man-In-The-Middle attack. The integrity of the Metadata could be protected using for example digital signatures or by transporting the metadata using some secure channel(USB, VPN etc)

A metadata file for a SAML Web Browser SSO Profile IdP could for example contain the following.

  • Location of its Single Sing On service, Artifact Resolution Service and Single Logout Service.
  • An ID identifying the provider.
  • Signature of the metadata and public keys for verifying and encrypting further communication.

The file usually include information about if the IdP want the communication signed or encrypted.

A metadata file for the SP would contain pretty much the same but instead of Artifact Resolution Service have the location of its Assertion Consumer Service.

Metadata could contain lots of other information. For a full description have a look at the SAML specifications

Here is an example of metadata from IdP and SP. Usually these files can be generated by the application handling the SAML comunication.

IdP

 1<?xml version="1.0"?>
 2<md:EntityDescriptor 
 3    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
 4    validUntil="2021-05-14T14:40:17Z" 
 5    cacheDuration="PT1621435217S" 
 6    entityID="exampleidp" 
 7    ID="pfx15f5264e-2c11-4717-9e15-b301b1d6bfd9">
 8  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 9    <ds:SignedInfo>
10      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
11      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
12      <ds:Reference URI="#pfx15f5264e-2c11-4717-9e15-b301b1d6bfd9">
13        <ds:Transforms>
14          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
15          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
16        </ds:Transforms>
17        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
18        <ds:DigestValue>GNLMMU8+ofuHdjn7Lef7drkEnNk=</ds:DigestValue>
19      </ds:Reference>
20    </ds:SignedInfo>
21    <ds:SignatureValue>
22===============  Meta data signature =============
23    </ds:SignatureValue>
24    <ds:KeyInfo>
25      <ds:X509Data>
26        <ds:X509Certificate>
27===============  Public certificate for meta data signature ============= 
28        </ds:X509Certificate>
29      </ds:X509Data>
30    </ds:KeyInfo>
31  </ds:Signature>
32  <md:IDPSSODescriptor 
33      WantAuthnRequestsSigned="false" 
34      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
35    <md:KeyDescriptor use="signing">
36      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
37        <ds:X509Data>
38          <ds:X509Certificate>
39===============  SP public certificate for verifying signatures =============
40          </ds:X509Certificate>
41        </ds:X509Data>
42      </ds:KeyInfo>
43    </md:KeyDescriptor>
44    <md:KeyDescriptor use="encryption">
45      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
46        <ds:X509Data>
47          <ds:X509Certificate>
48===============  SP public certificate for encrypting =============
49          </ds:X509Certificate>
50        </ds:X509Data>
51      </ds:KeyInfo>
52    </md:KeyDescriptor>
53    <md:SingleLogoutService 
54        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
55        Location="https://exampleidp.com/idp/singleSignOnService"/>
56    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
57    <md:SingleSignOnService 
58        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
59        Location="https://exampleidp.com/idp/singleSignOnService"/>
60  </md:IDPSSODescriptor>
61</md:EntityDescriptor>

SP

 1<?xml version="1.0"?>
 2<md:EntityDescriptor 
 3    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
 4    validUntil="2021-05-14T15:02:56Z" 
 5    cacheDuration="PT604800S" 
 6    entityID="TestSP" 
 7    ID="pfx92d25019-cd26-c6ff-465b-0751318a302b">
 8  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 9    <ds:SignedInfo>
10      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
11      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
12      <ds:Reference URI="#pfx92d25019-cd26-c6ff-465b-0751318a302b">
13        <ds:Transforms>
14          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
15          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
16        </ds:Transforms>
17        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
18        <ds:DigestValue>
19=============== Meta data signature digest =============        
20       </ds:DigestValue>
21      </ds:Reference>
22    </ds:SignedInfo>
23    <ds:SignatureValue>
24=============== Meta data signature =============
25    </ds:SignatureValue>
26    <ds:KeyInfo>
27      <ds:X509Data>
28        <ds:X509Certificate>
29=============== Public certificate for meta data signature ============= 
30        </ds:X509Certificate>
31      </ds:X509Data>
32    </ds:KeyInfo>
33  </ds:Signature>
34  <md:SPSSODescriptor 
35      AuthnRequestsSigned="true" 
36      WantAssertionsSigned="true" 
37      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
38    <md:KeyDescriptor use="signing">
39      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
40        <ds:X509Data>
41          <ds:X509Certificate>
42===============  IdP public certificate for verifying signatures =============
43          </ds:X509Certificate>
44        </ds:X509Data>
45      </ds:KeyInfo>
46    </md:KeyDescriptor>
47    <md:KeyDescriptor use="encryption">
48      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
49        <ds:X509Data>
50          <ds:X509Certificate>
51===============  IdP public certificate for encrypting =============
52          </ds:X509Certificate>
53        </ds:X509Data>
54      </ds:KeyInfo>
55    </md:KeyDescriptor>
56    <md:SingleLogoutService 
57        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
58        Location="https://examplesp.com/sp/artifactConsumer"/>
59    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
60    <md:AssertionConsumerService 
61        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
62        Location="https://examplesp.com/sp/artifactConsumer" 
63        index="1"/>
64  </md:SPSSODescriptor>
65</md:EntityDescriptor>