
SAML Metadata Specification

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: SAML Metadata Specification
Status: OASIS standard
Domain: Identity federation
First published: 2005
Latest release: 2.0

The SAML Metadata Specification defines an XML-based format for publishing configuration and trust information about SAML entities so that identity providers, service providers, and federation operators can interoperate. It provides machine-readable descriptions of protocol endpoints and cryptographic keys that allow trust to be established automatically in distributed systems connecting Shibboleth, Microsoft Active Directory Federation Services, Okta, Ping Identity, and other federation software. The specification sits alongside related standards such as SAML 2.0, XACML, and OAuth 2.0 in identity and access management deployments.

Overview and Purpose

The specification's primary purpose is to express metadata for SAML 2.0 participants so that federation operators, identity providers, and service providers can exchange interoperable descriptions of endpoints, supported profiles, and keying material. It supports automated configuration in implementations such as Shibboleth, AD FS, PingFederate, SimpleSAMLphp, and commercial products from Oracle Corporation, IBM, and ForgeRock. Metadata enables discovery and trust linking for scenarios involving InCommon, eduGAIN, GÉANT, Liberty Alliance, and other federation frameworks.

Structure and Components

Metadata documents are organized into elements such as EntityDescriptor, EntitiesDescriptor, RoleDescriptor, IDPSSODescriptor, and SPSSODescriptor, which capture identity and service roles. These elements reference endpoints for bindings like HTTP-Redirect, HTTP-POST, and Artifact, as used by implementations including Shibboleth Service Provider, SimpleSAMLphp, OneLogin, and Kerberos-integrated solutions. Components include KeyDescriptor, which carries certificates issued by authorities such as DigiCert, Let's Encrypt, and Entrust, or by internal PKI run by organizations like MIT, Stanford University, University of Oxford, and corporate IT departments.
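To show how these elements nest in practice, the following added example (not part of the original article, and not code from any of the named projects) parses a constructed metadata aggregate with the Python standard library and pulls out each entity's roles, endpoint bindings, and the number of signing certificates published in KeyDescriptor elements. The entityIDs, URLs, and certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the SAML 2.0 Metadata schema and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample aggregate holding one IdP and one SP; the entityIDs, URLs and
# certificate text are placeholders, not real deployments.
SAMPLE_METADATA = """<md:EntitiesDescriptor Name="urn:example:federation"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>TUlJQy1wbGFjZWhvbGRlcg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/sso/redirect"/>
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]

def parse_metadata(xml_text):
    """Map each entityID to its roles, its (element, binding, location) endpoints and
    the number of signing certificates it publishes via KeyDescriptor."""
    root = ET.fromstring(xml_text)
    entities = {}
    # EntityDescriptor is either the document root or nested inside EntitiesDescriptor.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        info = {"roles": [], "endpoints": [], "signing_certs": 0}
        for role in ed:                                # IDPSSODescriptor, SPSSODescriptor, ...
            if not local(role.tag).endswith("Descriptor"):
                continue                               # Organization, ContactPerson, Extensions
            info["roles"].append(local(role.tag))
            for child in role:
                if child.get("Binding") and child.get("Location"):   # an endpoint element
                    info["endpoints"].append((local(child.tag),
                                              child.get("Binding").rsplit(":", 1)[1],
                                              child.get("Location")))
            for kd in role.findall("md:KeyDescriptor", NS):
                if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
                    info["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
        entities[ed.get("entityID")] = info
    return entities
```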

XML Schema and Namespaces

The specification provides an XML Schema (XSD) that constrains element structure, attribute types, and allowed namespaces. It reuses namespace-qualified types from XML Signature and XML Encryption standards developed by the W3C and complements schemas from SAML 2.0 Protocols, SAML 2.0 Assertions, and other OASIS work. Namespaces are critical for interoperability among implementations such as OpenSAML, pySAML2, ruby-saml, and java-saml libraries used by vendors including Google, Amazon Web Services, Salesforce, and Atlassian.

Security Considerations and Signatures

Security guidance in the specification emphasizes signed metadata, certificate management, and trust anchoring to avoid risks exploited in incidents involving misissued certificates or misconfiguration. Metadata signing uses XML Signature with algorithms endorsed by bodies such as NIST and requires careful validation practices adopted by Shibboleth, Ping Identity, Okta, Azure AD, and Google Workspace. Operators coordinate trust via federation operators like InCommon and eduGAIN and by consulting standards such as RFC 5280 for certificate processing and IETF recommendations for algorithm selection.
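The trust-anchoring steps a consumer performs around metadata signing can be made concrete. The following added example (not from the original article or any named product) checks a constructed federation aggregate for a validUntil that has not passed, for an enveloped signature on the root element, and for a KeyInfo certificate that matches a SHA-256 fingerprint pinned out of band; the certificate bytes and signature value are placeholders, and the cryptographic XML Signature verification itself is assumed to be done afterwards with a library such as xmlsec.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed trust anchor: the federation operator's signing certificate, obtained out of
# band. Placeholder bytes stand in for real DER; the pin is the SHA-256 of those bytes.
FEDERATION_SIGNER_DER = b"placeholder DER of federation signing certificate"
PINNED_SHA256 = hashlib.sha256(FEDERATION_SIGNER_DER).hexdigest()

# Constructed signed aggregate. The SignatureValue is a placeholder, so only the checks
# around the signature are exercised here, not the cryptographic verification.
SIGNED_AGGREGATE = """<md:EntitiesDescriptor Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <md:EntityDescriptor entityID="https://idp.example.org/idp"/>
</md:EntitiesDescriptor>""" % base64.b64encode(FEDERATION_SIGNER_DER).decode()

def precheck_metadata(xml_text, pinned_sha256, now=None):
    """Return the list of trust-anchoring problems found. An empty list means the document
    may proceed to XML Signature verification, which this stdlib-only code does not do."""
    problems = []
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("root carries no validUntil; lifetime of the trust cannot be bounded")
    elif datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        problems.append("validUntil has passed; stale metadata must not be used")
    # The signature must envelop the whole document: a ds:Signature that is a direct child
    # of the root, not one buried inside a single EntityDescriptor.
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("no enveloped signature on the root element")
        return problems
    certs = [c.text.strip() for c in sig.findall(".//ds:X509Certificate", NS) if c.text]
    fingerprints = {hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs}
    if pinned_sha256 not in fingerprints:
        # KeyInfo is only a hint; the signature is later verified with the pinned key,
        # never with a key the document supplies about itself.
        problems.append("signing certificate does not match the pinned federation trust anchor")
    return problems
```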

Metadata Profiles and Extensions

Profiles and extension mechanisms allow tailoring metadata for use cases like attribute queries, single logout, artifact resolution, and discovery services implemented by projects including SimpleSAMLphp, Shibboleth, PingFederate, and Keycloak. Extension namespaces accommodate proprietary features by vendors such as Microsoft, Oracle, IBM, Salesforce, AWS, and research networks like GÉANT and TERENA. Profiles include contact and organization modeling used by institutions like Harvard University, California Institute of Technology, and European Commission participants to convey administrative information.

Deployment and Usage Scenarios

Common deployment scenarios include bilateral exchanges between enterprises like Caterpillar and Siemens or large-scale federations such as InCommon and eduGAIN enabling inter-institutional access for members like Oxford University, Cambridge University, and ETH Zurich. Metadata distribution mechanisms include static files served over HTTPS, dynamic aggregation by federation operators, and push-based APIs implemented by platforms like Okta, OneLogin, Azure AD, and Google Cloud Identity. Use cases encompass single sign-on for web applications used by Salesforce, Workday, Box, and higher-education services such as library access and research portals.

Interoperability and Versioning

Interoperability relies on consistent interpretation of roles, bindings, and extensions across implementations including OpenSAML, Shibboleth, SimpleSAMLphp, PingFederate, AD FS, and vendor SDKs from Google, Microsoft, Amazon, and Oracle. Versioning issues arise when evolving schemas, changing signing algorithms, or introducing new profiles; governance by OASIS and coordination within federations like InCommon and eduGAIN help manage compatibility. Test suites and interoperability events organized by communities including Liberty Alliance Project and university consortia ensure practical cross-vendor behavior.
