'Ucam Federation' IdP metadata

From RavenWiki
Revision as of 16:50, 23 February 2009 by jw35 (talk | contribs)

If you just want your Shibboleth SP to be able to authenticate people from the University using Raven, then you only need to supply your SP with metadata describing the Shibboleth IdP provided by Raven (if, on the other hand, you want to be able to identify people from all the members of the UK federation, then you need a different, bigger, set of metadata).

In due course you'll be able to automatically access a signed metadata file describing the Raven IdP, but in the meantime here's a copy. Store it in a file called ucamfederation-idp-metadata.xml inside the same directory as the main shibboleth2.xml configuration file. Be careful not to corrupt or reformat this file when extracting it from this page: wikis are not the best vehicle for software distribution, and because this copy is not signed your SP has no way to tell that the file was damaged or altered on the way, so check the saved certificate and endpoint URLs against this page before using it.

<!--
	Ucam federation IdP metadata

	SAML 2.0 metadata describing the Raven Shibboleth IdP, for loading into
	a Shibboleth SP. It holds one EntityDescriptor plus a KeyAuthority
	extension naming the root CA against which the IdP's certificate is
	verified.

	Integrity: this document contains no ds:Signature element, so an SP
	loading it has nothing to verify the file against; it is only as
	trustworthy as the channel it was copied from.
-->
<EntitiesDescriptor 
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xsi:schemaLocation="urn:oasis:names:tc:SAML:2.0:metadata   sstc-saml-schema-metadata-2.0.xsd   urn:mace:shibboleth:metadata:1.0   shibboleth-metadata-1.0.xsd   http://www.w3.org/2001/04/xmlenc#   xenc-schema.xsd   http://www.w3.org/2000/09/xmldsig#   xmldsig-core-schema.xsd" 
  Name="https://shib.raven.cam.ac.uk/ucamfederation/" >

    <!--
    Trust anchors for the whole document. The role descriptors below identify
    the IdP's key by ds:KeyName only (no certificate is embedded), so the SP
    is expected to accept any certificate for shib.raven.cam.ac.uk that
    chains, within VerifyDepth steps, to a root listed here. The list of
    roots is therefore the security boundary: any CA able to issue a
    certificate for that name under one of these roots would be accepted as
    the IdP by an SP using this file.
    -->
    <Extensions>
        <shibmeta:KeyAuthority 
          xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
          VerifyDepth="3">

        <!--
        The KeyAuthority element's VerifyDepth attribute must be at least as
        large as the verification depth required by each root certificate 
        below.
        -->
             
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

            <!--
            GTE CyberTrust Global Root
            * CN=GTE CyberTrust Global Root, 
              OU=GTE CyberTrust Solutions, Inc.,
              O=GTE Corporation, C=US

            This is used to sign:

            * CN=Cybertrust Educational CA, OU=Educational CA, 
              O=Cybertrust, C=BE

            This in turn is used to sign SureServer EDU end certificates.
				
            One intermediate CA below the root, so requires a verification 
            depth of at least 2.

            Validity
              Not Before: Aug 13 00:29:00 1998 GMT
              Not After : Aug 13 23:59:00 2018 GMT

            After the root's Not After date, or if the Raven certificate is
            re-issued under a different root, verification of the IdP's
            certificate may start to fail; the anchor below must then be
            replaced and VerifyDepth rechecked against the new chain.

            The base64 body below is whitespace tolerant; do not edit its
            characters.
            -->
                <ds:X509Data>
                    <ds:X509Certificate>MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </shibmeta:KeyAuthority>
    </Extensions>
	
    <!--
    The single IdP entity. entityID is the issuer name the SP matches
    against the assertions it receives; it is an identifier, not an address
    to be fetched.
    -->
    <EntityDescriptor entityID="https://shib.raven.cam.ac.uk/shibboleth">

        <!--
        Attribute scopes this IdP is authoritative for. Scoped attribute
        values (user@scope) asserted by this IdP are normally accepted by the
        SP only when the scope is listed here, so adding a scope widens what
        the IdP may assert. regexp="false" means a literal match. The same
        list is repeated inside each role descriptor below; keep every copy
        in step.
        -->
        <Extensions>
            <shibmeta:Scope 
              xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
              regexp="false">cam.ac.uk</shibmeta:Scope>
            <shibmeta:Scope 
              xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
              regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
        </Extensions>

        <!--
        Single sign-on role. Only the SAML 1.1 / Shibboleth 1.0 profiles are
        declared; no SAML 2.0 protocol support is advertised.
        -->
        <IDPSSODescriptor 
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
            <Extensions>
                <shibmeta:Scope 
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
                  regexp="false">cam.ac.uk</shibmeta:Scope>
                <shibmeta:Scope 
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
                  regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
            </Extensions>
            <!--
            Signing key given by name only; the certificate presented at run
            time is validated through the KeyAuthority roots at the top of
            this file.
            -->
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <!--
            Back-channel SOAP endpoint on port 8443; the SP connects to it
            directly rather than via the user's browser.
            -->
            <ArtifactResolutionService 
              Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
              Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/Artifact" 
              index="1"></ArtifactResolutionService>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
            <!-- Front-channel endpoint the SP redirects the browser to. -->
            <SingleSignOnService 
              Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" 
              Location="https://shib.raven.cam.ac.uk/shibboleth-idp/SSO"></SingleSignOnService>
        </IDPSSODescriptor>

        <!--
        Attribute authority role: the SP queries this endpoint over SOAP to
        fetch attributes for an authenticated user. Same KeyName and scopes
        as the SSO role.
        -->
        <AttributeAuthorityDescriptor 
          protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
            <Extensions>
                <shibmeta:Scope 
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
                  regexp="false">cam.ac.uk</shibmeta:Scope>
                <shibmeta:Scope 
                  xmlns:shibmeta="urn:mace:shibboleth:metadata:1.0" 
                  regexp="false">eresources.lib.cam.ac.uk</shibmeta:Scope>
            </Extensions>
            <KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:KeyName>shib.raven.cam.ac.uk</ds:KeyName>
                </ds:KeyInfo>
            </KeyDescriptor>
            <!-- Back-channel SOAP attribute query endpoint on port 8443. -->
            <AttributeService 
              Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" 
              Location="https://shib.raven.cam.ac.uk:8443/shibboleth-idp/AA"></AttributeService>
            <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
        </AttributeAuthorityDescriptor>

        <!-- Informational only; not used in trust decisions. -->
        <Organization>
            <OrganizationName 
              xml:lang="en">University of Cambridge</OrganizationName>
            <OrganizationDisplayName 
              xml:lang="en">University of Cambridge (pilot)</OrganizationDisplayName>
            <OrganizationURL 
              xml:lang="en">http://www.cam.ac.uk/</OrganizationURL>
        </Organization>

        <!-- Contacts are informational only; not used in trust decisions. -->
        <ContactPerson contactType="support">
            <GivenName>Raven Support</GivenName>
            <EmailAddress>mailto:raven-support@ucs.cam.ac.uk</EmailAddress>
        </ContactPerson>

        <ContactPerson contactType="technical">
            <GivenName>Jon</GivenName>
            <SurName>Warbrick</SurName>
            <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
        </ContactPerson>

        <ContactPerson contactType="administrative">
            <GivenName>Jon</GivenName>
            <SurName>Warbrick</SurName>
            <EmailAddress>mailto:jw35@cam.ac.uk</EmailAddress>
        </ContactPerson>

    </EntityDescriptor>

</EntitiesDescriptor>