SAML V2.0 Metadata Extensions for Registration and Publication Information
=============================
<!--
This file is written in Markdown syntax.
For more information about how to use the Markdown syntax, read here:
http://daringfireball.net/projects/markdown/syntax
-->
* Author: Jaime Perez [jaime.perez@uninett.no](mailto:jaime.perez@uninett.no)
<!-- {{TOC}} -->
This is a reference for the SimpleSAMLphp implementation of the [SAML
V2.0 Metadata Extensions for Registration and Publication Information](http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html)
defined by OASIS.
This extension provides information about the registrars and publishers of the metadata itself, and it is therefore
available through the different endpoints and modules that publish metadata across SimpleSAMLphp. More specifically, this
extension can be used for:
- metadata published for a [hosted service provider](./saml:sp).
- metadata published for a [hosted identity provider](./simplesamlphp-reference-idp-hosted).
- metadata collected and published by means of the [`aggregator`](./aggregator:aggregator) or [`aggregator2`](./aggregator2:aggregator2) modules.
Currently, only the `<mdrpi:RegistrationInfo>` element is supported.
Depending on the metadata set you want to add this extension to, you will have to configure it on the corresponding
configuration file:
- `metadata/saml20-idp-hosted.php` for hosted identity providers.
- `config/authsources.php` for hosted service providers.
- `config/module_aggregator.php` for the `aggregator` module.
- `config/module_aggregator2.php` for the `aggregator2` module.
RegistrationInfo Items
----------------------
The configuration is the same for all the different files, and consists of a single directive called `RegistrationInfo`, which
**must** be an indexed array with the following options:
`authority`
: A string containing an identifier of the authority who has registered this metadata. This parameter is **mandatory**.
`instant`
: A string containing the instant when the entity or entities were registered by the authority. This parameter is
optional, and must be expressed in the UTC timezone with the *zulu* (`Z`) timezone identifier. If omitted, there will be no
`registrationInstant` in the resulting metadata, except in the `aggregator2` module, which will use the instant when the metadata
was generated.
`policies`
: An indexed array containing URLs pointing to the policy under which the entity or entities were registered. Each
index must be the language code corresponding to the language of the URL. This parameter is optional, and will be omitted in the
resulting metadata if not configured.
Examples
--------
Service Provider:

    'default-sp' => array(
        'saml:SP',
        'entityID' => NULL,
        ...
        'RegistrationInfo' => array(
            'authority' => 'urn:mace:sp.example.org',
            'instant' => '2008-01-17T11:28:03.577Z',
            'policies' => array('en' => 'http://sp.example.org/policy', 'es' => 'http://sp.example.org/politica'),
        ),
    ),
Identity Provider:

    $metadata['__DYNAMIC:1__'] = array(
        'host' => '__DEFAULT__',
        ...
        'RegistrationInfo' => array(
            'authority' => 'urn:mace:idp.example.org',
            'instant' => '2008-01-17T11:28:03.577Z',
        ),
    );
`aggregator` module:

    $config = array(
        'aggregators' => array(
            ...
        ),
        'maxDuration' => 60*60*24*5,
        'reconstruct' => FALSE,
        ...
        'RegistrationInfo' => array(
            'authority' => 'urn:mace:example.federation',
            'instant' => '2008-01-17T11:28:03Z',
            'policies' => array('en' => 'http://example.org/federation_policy', 'es' => 'https://example.org/politica_federacion'),
        ),
    );
`aggregator2` module:

    $config = array(
        'example.org' => array(
            'sources' => array(
                ...
            ),
            'RegistrationInfo' => array(
                'authority' => 'urn:mace:example.federation',
                'policies' => array('en' => 'http://example.org/federation_policy', 'es' => 'https://example.org/politica_federacion'),
            ),
        ),
    );