SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0

Committee Specification Draft 02 /
Public Review Draft 02

10 January 2012

OASIS Security Services (SAML) TC


Thomas Hardjono, M.I.T.
Nate Klingenstein, Internet2

Chad La Joie, Internet2

This specification defines extensions for use with:

Declared XML namespace:


This document defines a set of extensions to SAML metadata that provide information about the creation and intended usage of the metadata document, and about who registered particular entities and how.


SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0. 10 January 2012. OASIS Committee Specification Draft 02 / Public Review Draft 02.


Table of Contents

1 Introduction

1.1 Terminology and Notation

1.2 Normative References

2 Metadata Extensions for Registration and Publication Information

2.1 Registration Information

2.1.1 Element <mdrpi:RegistrationInfo>

2.1.2 Element <mdrpi:RegistrationPolicy>

2.2 Publication Information

2.2.1 Element <mdrpi:PublicationInfo>

2.2.2 Element <mdrpi:UsagePolicy>

2.3 Publication Path

2.3.1 Element <mdrpi:PublicationPath>

2.3.2 Element <mdrpi:Publication>

2.4 Example

3 Conformance

3.1 SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0

Appendix A Acknowledgments

Appendix B Revision History

1 Introduction

SAML Metadata [SAML2Meta] provides a mechanism for describing the information necessary for various SAML actors to interact. However, it does not provide basic information that would facilitate the business processes surrounding the production, consumption or use of metadata, such as when a metadata document was created or when an entity was first registered.

The extensions defined in this document are informed by the common registration/publication model found in other network architectures (e.g., DNS, PKI). In this case the registrar is an organization that accepts metadata for a particular entity and vouches for some, or all, of the data contained therein. The publisher is responsible for making information collected from registrars or other publishers available, hopefully in a scalable manner, to interested consumers.

1.1 Terminology and Notation

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC 2119].

Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:


XML Namespace




This is the SAML V2.0 assertion namespace defined in the SAML V2.0 core specification [SAML2Errata].



This is the SAML V2.0 metadata namespace defined in the SAML V2.0 metadata specification [SAML2Meta].



The namespace defined by this document.


This namespace is defined in the W3C XML Schema specification [Schema1]. In schema listings, this is the default namespace and no prefix is shown.


This is the XML Schema namespace for schema-related markup that appears in XML instances [Schema1].

This specification uses the following typographical conventions in text: <ns:Element>, Attribute, Datatype, OtherCode.

This specification uses the following typographical conventions in XML listings:

Listings of XML schemas appear like this.

Listings of XML examples appear like this. These listings are non-normative.

1.2 Normative References

[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997.

[SAML2Errata] OASIS Approved Errata, SAML V2.0 Errata, October 2009.

[SAML2Meta] OASIS Standard, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. March 2005. metadata-2.0-os.pdf.

[Schema1] H. S. Thompson et al. XML Schema Part 1: Structures. World Wide Web Consortium Recommendation, May 2001. See xmlschema-1-20010502/.

[Schema2] Paul V. Biron, Ashok Malhotra. XML Schema Part 2: Datatypes. World Wide Web Consortium Recommendation, May 2001. See xmlschema-2-20010502/.

2 Metadata Extensions for Registration and Publication Information

2.1 Registration Information

The registration information extension is used to provide information about the registrar of an entity. That is, the entity that took in SAML metadata, verified the metadata according to its registration policy, and made the information available to a wider audience. The entity registrar can be thought of as similar to a DNS registrar.

The <mdrpi:RegistrationInfo> container element, defined below, MUST appear within the <md:Extensions> element of <md:EntityDescriptor> or <md:EntitiesDescriptor> elements. The use of <mdrpi:RegistrationInfo>, or any other element defined in this section, outside of that context is not defined by this specification.

The <mdrpi:RegistrationInfo> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.

When a <mdrpi:RegistrationInfo> element appears in the <md:Extensions> element of a <md:EntitiesDescriptor> element it applies to all descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. That is to say, this is equivalent to putting an identical <mdrpi:RegistrationInfo> on every descendant <md:EntityDescriptor>. When used in this manner, descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements MUST NOT contain a <mdrpi:RegistrationInfo> element in their <md:Extensions> element.

2.1.1 Element <mdrpi:RegistrationInfo>

The <mdrpi:RegistrationInfo> element contains information that describes the registrar of an entity.

registrationAuthority [Required]

The unique identifier of the authority that registered the entity. It is RECOMMENDED that this be a URL that resolves to a human readable page describing the registrar authority (e.g., the registrar's home page).

registrationInstant [Optional]

The instant the entity was registered with the authority. This attribute SHOULD be populated for all newly registered entities but is optional because the registration instant may not have been tracked by the registrar for existing entities.

Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.

<mdrpi:RegistrationPolicy> [Optional]

The policy under which the entity was registered. The lack of this element indicates that the registrar has not disclosed its registration policy. It does not indicate that the registrar lacks a registration policy.

There MUST NOT be more than one <mdrpi:RegistrationPolicy>, within a given <mdrpi:RegistrationInfo>, for a given language.

<element name="RegistrationInfo" type="mdrpi:RegistrationInfoType" />
<complexType name="RegistrationInfoType">
    <sequence>
        <element ref="mdrpi:RegistrationPolicy" minOccurs="0" maxOccurs="unbounded" />
        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
    <attribute name="registrationAuthority" type="string" use="required" />
    <attribute name="registrationInstant" type="dateTime" />
    <anyAttribute namespace="##other" processContents="lax" />
</complexType>
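The placement, inheritance, timestamp and per-language rules of this section can be checked mechanically. The following Python checker is an added example, not part of the specification or its schema; it assumes the mdrpi namespace URI urn:oasis:names:tc:SAML:metadata:rpi (not shown in this extract) and runs over a constructed document that breaks three of the rules.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"  # assumed mdrpi namespace URI (not shown in this extract)
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def check_registration_info(root):
    """Walk a parsed metadata tree and return the section 2.1 rule violations found."""
    problems = []
    def walk(desc, inherited):
        ext = desc.find(f"{{{MD}}}Extensions")
        infos = ext.findall(f"{{{MDRPI}}}RegistrationInfo") if ext is not None else []
        who = desc.get("entityID") or desc.get("Name") or desc.tag.split("}")[1]
        if len(infos) > 1:                       # at most one per <md:Extensions>
            problems.append(f"{who}: more than one RegistrationInfo")
        if infos and inherited:                  # an ancestor <md:EntitiesDescriptor> already supplied it
            problems.append(f"{who}: RegistrationInfo also set on an ancestor EntitiesDescriptor")
        for info in infos:
            if not info.get("registrationAuthority"):
                problems.append(f"{who}: registrationAuthority is required")
            instant = info.get("registrationInstant")
            if instant is not None and not instant.endswith("Z"):   # UTC with 'Z' only
                problems.append(f"{who}: registrationInstant must be UTC with 'Z'")
            langs = [p.get(XML_LANG) for p in info.findall(f"{{{MDRPI}}}RegistrationPolicy")]
            if len(langs) != len(set(langs)):    # at most one policy per language
                problems.append(f"{who}: duplicate RegistrationPolicy language")
        for child in desc:                       # recurse into nested descriptors only
            if child.tag in (f"{{{MD}}}EntitiesDescriptor", f"{{{MD}}}EntityDescriptor"):
                walk(child, inherited or bool(infos))

    walk(root, False)
    return problems

# Constructed sample: non-UTC registrationInstant on the aggregate; the descendant entity repeats RegistrationInfo and lists two English policies.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:mdrpi="{MDRPI}" Name="constructed-aggregate">
  <Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example.org/" registrationInstant="2012-01-10T12:00:00+01:00"/>
  </Extensions>
  <EntityDescriptor entityID="https://idp.example.org/idp">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar.example.org/">
        <mdrpi:RegistrationPolicy xml:lang="en">https://registrar.example.org/policy/v1</mdrpi:RegistrationPolicy>
        <mdrpi:RegistrationPolicy xml:lang="en">https://registrar.example.org/policy/v2</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </Extensions>
  </EntityDescriptor>
</EntitiesDescriptor>"""

def sample_problems():
    return check_registration_info(ET.fromstring(SAMPLE))
```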

2.1.2 Element <mdrpi:RegistrationPolicy>

The <mdrpi:RegistrationPolicy> element is a URL to a localized registration policy of the registrar. The URL MUST represent a single, immutable, policy document. Any changes made to an existing policy document MUST result in a new URL. The URL SHOULD resolve to a human readable form of the policy document for the entire period in which the policy may be in use.

<element name="RegistrationPolicy" type="md:localizedURIType" />

2.2 Publication Information

The publication information extension provides information that helps uniquely identify a specific publication of metadata and describes its intended use. The ability to uniquely identify a particular publication can be very helpful in troubleshooting, and in identifying the path a particular piece of metadata took before it arrived at a consumer (see section 2.3).

The <mdrpi:PublicationInfo> element, defined below, MUST appear within the <md:Extensions> element of either <md:EntitiesDescriptor> or <md:EntityDescriptor> elements. The use of <mdrpi:PublicationInfo>, or any other element defined in this section, outside of that context is not defined by this specification.

The <mdrpi:PublicationInfo> element SHOULD only be used on the root element of a metadata document.

The <mdrpi:PublicationInfo> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.

2.2.1 Element <mdrpi:PublicationInfo>

The <mdrpi:PublicationInfo> element contains information which pertains to the publication of a metadata document. Within a given <mdrpi:PublicationInfo>, either the creationInstant or the publicationId attribute SHOULD be present.

publisher [Required]

A unique identifier for the publisher of the metadata. This may be the location from which the metadata was retrieved, an abstract identifier such as a SAML entity ID, or some other unique identifier for the publisher.

creationInstant [Optional]

The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes. This may, for example, correspond to the time a document is signed.

Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.

publicationId [Optional]

A unique, publisher-specific, identifier for this metadata publication. This identifier MAY change independently of the ID attribute found on <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. For example, if a metadata document is auto-generated, the ID attribute might change upon each generation but the publicationId might only change if a particular set of data changes.

The publicationId MUST be considered an opaque string.

<mdrpi:UsagePolicy> [Optional]

A description of the intended usage for the metadata document. The lack of this element indicates that the publisher has not disclosed its usage policy. It does not indicate that the publisher lacks a usage policy.

There MUST NOT be more than one <mdrpi:UsagePolicy>, within a given <mdrpi:PublicationInfo>, for a given language.

<element name="PublicationInfo" type="mdrpi:PublicationInfoType" />
<complexType name="PublicationInfoType">
    <sequence>
        <element ref="mdrpi:UsagePolicy" minOccurs="0" maxOccurs="unbounded" />
        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
    <attribute name="publisher" type="string" use="required" />
    <attribute name="creationInstant" type="dateTime" />
    <attribute name="publicationId" type="string" />
    <anyAttribute namespace="##other" processContents="lax" />
</complexType>

2.2.2 Element <mdrpi:UsagePolicy>

The <mdrpi:UsagePolicy> element is a URL to a localized description of the intended usage of this metadata publication. The URL MUST represent a single, immutable, policy document. Any changes made to an existing policy document MUST result in a new URL. The URL SHOULD resolve to a human readable form of the policy document for the entire period in which the policy may be in use.

<element name="UsagePolicy" type="md:localizedURIType" />

2.3 Publication Path

In some cases, a metadata document may be published by something other than the original registrar (e.g., a metadata lookup service or an aggregator that assembled a new document from a number of other documents). In such cases it can be helpful to know the path the <md:EntitiesDescriptor> or <md:EntityDescriptor> elements took before being included in the consumed document. The <mdrpi:PublicationPath>, defined below, provides a way of expressing this.

The <mdrpi:PublicationPath> element MUST appear within the <md:Extensions> element of either <md:EntitiesDescriptor> or <md:EntityDescriptor> elements. The use of <mdrpi:PublicationPath>, or any other element defined in this section, outside of that context is not defined by this specification.

The <mdrpi:PublicationPath> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.

When a <mdrpi:PublicationPath> element appears in the <md:Extensions> element of a <md:EntitiesDescriptor> element it applies to all descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. That is to say, this is equivalent to putting an identical <mdrpi:PublicationPath> on every descendant <md:EntitiesDescriptor> and <md:EntityDescriptor>. When used in this manner, descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements MUST NOT contain a <mdrpi:PublicationPath> element in their <md:Extensions> element.

2.3.1 Element <mdrpi:PublicationPath>

The <mdrpi:PublicationPath> element provides a record of the publication path, from current publication to initial publication, for the <md:EntitiesDescriptor> or <md:EntityDescriptor> element on which it resides.

Each contained <mdrpi:Publication> element represents one step in the publication path. The list of <mdrpi:Publication> elements is ordered from most recent, excluding the current publication, to least recent (the initial source publication).

For example, assume the current publication is PubC. Further assume that an <md:EntityDescriptor> in PubC was retrieved from PubB which itself received the <md:EntityDescriptor> from PubA. In such a situation the publication path for that entity descriptor would be PubB, PubA.

<mdrpi:Publication> [zero or more]

The publication from which the <md:EntityDescriptor> or <md:EntitiesDescriptor>, to which this extension is applied, was retrieved. The lack of this element indicates that the publisher has not disclosed the source from which it has acquired the containing <md:EntitiesDescriptor> or <md:EntityDescriptor>.

<element name="PublicationPath" type="mdrpi:PublicationPathType" />
<complexType name="PublicationPathType">
    <sequence>
        <element ref="mdrpi:Publication" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
</complexType>

2.3.2 Element <mdrpi:Publication>

The <mdrpi:Publication> element identifies a metadata publication that was incorporated, in full or in part, into the metadata document containing this extension.

publisher [Required]

The publisher value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.

creationInstant [Optional]

The creationInstant value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.

publicationId [Optional]

The publicationId value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.

<element name="Publication" type="mdrpi:PublicationType" />
<complexType name="PublicationType">
    <attribute name="publisher" type="string" use="required" />
    <attribute name="creationInstant" type="dateTime" />
    <attribute name="publicationId" type="string" />
</complexType>

2.4 Example

<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    <mdrpi:PublicationInfo publisher=""
        publicationId="1q2w3e4r" />

    <!-- SWITCH IDP -->
    <EntityDescriptor entityID="">
        <mdrpi:RegistrationPolicy xml:lang="en">
        <mdrpi:RegistrationPolicy xml:lang="de">
        <mdrpi:Publication publisher=""

    <!-- Ohio State IDP -->
    <EntityDescriptor entityID="">
        <mdrpi:RegistrationPolicy xml:lang="en">
        <mdrpi:Publication publisher="urn:mace:incommon"
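As an added, complete illustration of sections 2.2 and 2.3 (example code, not part of the specification), the following Python builds the kind of chain the path rule describes: an aggregator republishes upstream metadata, places its own <mdrpi:PublicationInfo> on the new root, and prepends the upstream publication as the first <mdrpi:Publication> step of each republished <md:EntityDescriptor>. It assumes the mdrpi namespace URI urn:oasis:names:tc:SAML:metadata:rpi (not shown in this extract) and constructed publisher identifiers; it puts the path on each <md:EntityDescriptor> rather than on the root, and omits signatures.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"  # assumed mdrpi namespace URI (not shown in this extract)
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)

def q(ns, local): return f"{{{ns}}}{local}"   # Clark-notation tag helper

def republish(upstream_xml, publisher, publication_id):
    """Return a new <md:EntitiesDescriptor> republishing every <md:EntityDescriptor> in upstream_xml."""
    upstream = ET.fromstring(upstream_xml)
    up_info = upstream.find(f"{q(MD, 'Extensions')}/{q(MDRPI, 'PublicationInfo')}")
    if up_info is None: raise ValueError("upstream document has no PublicationInfo on its root")
    root = ET.Element(q(MD, "EntitiesDescriptor"))
    ext = ET.SubElement(root, q(MD, "Extensions"))
    # Section 2.2: our own PublicationInfo goes on the root only; creationInstant is UTC with 'Z'.
    ET.SubElement(ext, q(MDRPI, "PublicationInfo"), publisher=publisher, publicationId=publication_id,
                  creationInstant=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    for ed in list(upstream.iter(q(MD, "EntityDescriptor"))):
        ed_ext = ed.find(q(MD, "Extensions"))
        if ed_ext is None:                       # no <ds:Signature> in this example, so index 0 is fine
            ed_ext = ET.Element(q(MD, "Extensions"))
            ed.insert(0, ed_ext)
        path = ed_ext.find(q(MDRPI, "PublicationPath"))
        if path is None:
            path = ET.SubElement(ed_ext, q(MDRPI, "PublicationPath"))
        # Section 2.3.2: copy publisher/creationInstant/publicationId from the upstream root; most recent first.
        step = ET.Element(q(MDRPI, "Publication"), {a: v for a in ("publisher", "creationInstant", "publicationId") if (v := up_info.get(a)) is not None})
        path.insert(0, step)
        root.append(ed)
    return root

def publication_path(root, entity_id):
    ed = next(e for e in root.iter(q(MD, "EntityDescriptor")) if e.get("entityID") == entity_id)
    return [p.get("publisher") for p in ed.iter(q(MDRPI, "Publication"))]

# Constructed chain: PubA (the registrar's own publication) -> PubB -> PubC.
PUB_A = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdrpi="{MDRPI}">
  <md:Extensions>
    <mdrpi:PublicationInfo publisher="https://pub-a.example.org/" publicationId="a-17" creationInstant="2012-01-10T09:00:00Z"/>
  </md:Extensions>
  <md:EntityDescriptor entityID="https://idp.example.org/idp"/>
</md:EntitiesDescriptor>"""

def path_seen_by_consumer_of_pub_c():
    pub_b = republish(PUB_A, "https://pub-b.example.org/", "b-3")
    pub_c = republish(ET.tostring(pub_b), "https://pub-c.example.org/", "c-1")
    return publication_path(pub_c, "https://idp.example.org/idp")
```

A consumer of PubC thus sees the path PubB, PubA for the entity, exactly as section 2.3.1 prescribes, while PubC's own identity lives only in the root's <mdrpi:PublicationInfo>.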

3 Conformance

3.1 SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0

A metadata producer conforms to this profile if it has the ability to produce metadata in accordance with sections 2.1, 2.2 and 2.3.

