SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
Committee Specification 01
03 April 2012
Specification URIs
This version:
http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.odt (Authoritative)
Previous version:
http://www.oasis-open.org/committees/download.php/43729/saml-metadata-rpi-v1.0-csprd01.zip
Latest version:
http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.odt (Authoritative)
http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.html
http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf
Technical Committee:
OASIS Security Services (SAML) TC
Chairs:
Thomas Hardjono (hardjono@mit.edu), M.I.T.
Nate Klingenstein (ndk@internet2.edu), Internet2
Editor:
Chad La Joie (lajoie@itumi.biz), Internet2
Additional artifacts:
This prose specification is one component of a Work Product which also includes:
Related work:
This specification defines extensions for use with:
Declared XML namespace:
urn:oasis:names:tc:SAML:metadata:rpi
Abstract:
This document defines a set of extensions to SAML metadata that provide information about the creation and intended usage of a metadata document, and about who registered particular entities and under what policy.
Status:
This document was last revised or approved by the OASIS Security Services (SAML) TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document.
Technical Committee members should send comments on this Work Product to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-open.org/committees/security/.
For information on whether any patents have been disclosed that may be essential to implementing this Work Product, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (http://www.oasis-open.org/committees/security/ipr.php).
Citation format:
When referencing this Work Product the following citation format should be used:
[SAML-Metadata-RPI-v1.0]
SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0. 03 April 2012. OASIS Committee Specification 01. http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/cs01/saml-metadata-rpi-v1.0-cs01.html.
Notices
Copyright © OASIS Open 2012. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.
Table of Contents
2 Metadata Extensions for Registration and Publication Information
2.1.1 Element <mdrpi:RegistrationInfo>
2.1.2 Element <mdrpi:RegistrationPolicy>
2.2.1 Element <mdrpi:PublicationInfo>
2.2.2 Element <mdrpi:UsagePolicy>
2.3.1 Element <mdrpi:PublicationPath>
2.3.2 Element <mdrpi:Publication>
3.1 SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
SAML Metadata [SAML2Meta] provides a mechanism for describing the information necessary for various SAML actors to interact. However, it does not provide basic information which may facilitate the business processes surrounding the production, consumption or use of metadata: for example, when a metadata document was created, or when an entity was first registered.
The extensions defined in this document are informed by the common registration/publication model found in other network architectures (e.g., DNS, PKI). In this case the registrar is an organization that accepts metadata for a particular entity and vouches for some, or all, of the data contained therein. The publisher is responsible for making information collected from registrars or other publishers available, hopefully in a scalable manner, to interested consumers.
The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC 2119].
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example:
Prefix | XML Namespace | Comments
saml: | urn:oasis:names:tc:SAML:2.0:assertion | This is the SAML V2.0 assertion namespace defined in the SAML V2.0 core specification [SAML2Errata].
md: | urn:oasis:names:tc:SAML:2.0:metadata | This is the SAML V2.0 metadata namespace defined in the SAML V2.0 metadata specification [SAML2Meta].
mdrpi: | urn:oasis:names:tc:SAML:metadata:rpi | The namespace defined by this document.
xsd: | http://www.w3.org/2001/XMLSchema | This namespace is defined in the W3C XML Schema specification [Schema1]. In schema listings, this is the default namespace and no prefix is shown.
xsi: | http://www.w3.org/2001/XMLSchema-instance | This is the XML Schema namespace for schema-related markup that appears in XML instances [Schema1].
This specification uses the following typographical conventions in text: <ns:Element>, Attribute, Datatype, OtherCode.
This specification uses the following typographical conventions in XML listings:
Listings of XML schemas appear like this.
Listings of XML examples appear like this. These listings are non-normative.
[RFC 2119] S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. IETF RFC 2119, March 1997. http://www.ietf.org/rfc/rfc2119.txt.
[SAML2Errata] OASIS Approved Errata, SAML V2.0 Errata, October 2009. http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf.
[SAML2Meta] OASIS Standard, Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. March 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf.
[Schema1] H. S. Thompson et al. XML Schema Part 1: Structures. World Wide Web Consortium Recommendation, May 2001. http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/.
[Schema2] Paul V. Biron, Ashok Malhotra. XML Schema Part 2: Datatypes. World Wide Web Consortium Recommendation, May 2001. http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/.
2 Metadata Extensions for Registration and Publication Information
The registration information extension is used to provide information about the registrar of an entity. That is, the entity that took in SAML metadata, verified the metadata according to its registration policy, and made the information available to a wider audience. The entity registrar can be thought of as similar to a DNS registrar.
2.1.1 Element <mdrpi:RegistrationInfo>
The <mdrpi:RegistrationInfo> container element, defined below, MUST appear within the <md:Extensions> element of <md:EntityDescriptor> or <md:EntitiesDescriptor> elements. The use of <mdrpi:RegistrationInfo>, or any other element defined in this section, outside of that context is not defined by this specification.
The <mdrpi:RegistrationInfo> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.
When a <mdrpi:RegistrationInfo> element appears in the <md:Extensions> element of a <md:EntitiesDescriptor> element it applies to all descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. That is to say, this is equivalent to putting an identical <mdrpi:RegistrationInfo> on every descendant <md:EntityDescriptor>. When used in this manner, descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements MUST NOT contain a <mdrpi:RegistrationInfo> element in their <md:Extensions> element.
The <mdrpi:RegistrationInfo> contains information that describes the registrar of an entity.
registrationAuthority [Required]
The unique identifier of the authority that registered the entity. It is RECOMMENDED that this be a URL that resolves to a human readable page describing the registrar authority (e.g., the registrar's home page).
registrationInstant [Optional]
The instant the entity was registered with the authority. This attribute SHOULD be populated for all newly registered entities but is optional because the registration instant may not have been tracked by the registrar for existing entities.
Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
<mdrpi:RegistrationPolicy> [Optional]
The policy under which the entity was registered. The lack of this element indicates that the registrar has not disclosed its registration policy. It does not indicate that the registrar lacks a registration policy.
There MUST NOT be more than one <mdrpi:RegistrationPolicy>, within a given <mdrpi:RegistrationInfo>, for a given language.
<element name="RegistrationInfo" type="mdrpi:RegistrationInfoType" />
<complexType name="RegistrationInfoType">
    <sequence>
        <element ref="mdrpi:RegistrationPolicy" minOccurs="0" maxOccurs="unbounded" />
        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
    <attribute name="registrationAuthority" type="string" use="required" />
    <attribute name="registrationInstant" type="dateTime" />
    <anyAttribute namespace="##other" processContents="lax" />
</complexType>
2.1.2 Element <mdrpi:RegistrationPolicy>
The <mdrpi:RegistrationPolicy> element is a URL to a localized registration policy of the registrar. The URL MUST represent a single, immutable, policy document. Any changes made to an existing policy document MUST result in a new URL. The URL SHOULD resolve to a human readable form of the policy document for the entire period in which the policy may be in use.
<element name="RegistrationPolicy" type="md:localizedURIType" />
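The placement and inheritance rules in this section are what a metadata consumer has to enforce before it can rely on a registrationAuthority value, and they are easy to get wrong in an aggregate with nested <md:EntitiesDescriptor> elements. The following Python is an added example written for this edition of the document; it is not code from the specification or from any SAML implementation. It assumes a consumer that wants to admit only entities registered by a known registrar and uses only the Python standard library; the sample documents, entity IDs and registrar URIs inside it are constructed for the example.

```python
"""Resolve the effective registrar of every entity in a SAML metadata aggregate.

Added example; not code from the OASIS specification or from any SAML product.
Applies the section 2.1.1 rules (one RegistrationInfo per md:Extensions,
inheritance from an enclosing EntitiesDescriptor, no override by a descendant,
UTC 'Z' instants, one RegistrationPolicy per language), then filters entities
by registrar. Sample documents, entity IDs and registrar URIs are constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"
ENTITIES = f"{{{MD}}}EntitiesDescriptor"
ENTITY = f"{{{MD}}}EntityDescriptor"
EXTENSIONS = f"{{{MD}}}Extensions"
REGINFO = f"{{{MDRPI}}}RegistrationInfo"
REGPOLICY = f"{{{MDRPI}}}RegistrationPolicy"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def _own_registration_info(descriptor):
    """The single RegistrationInfo in descriptor's own md:Extensions, or None."""
    ext = descriptor.find(EXTENSIONS)
    found = ext.findall(REGINFO) if ext is not None else []
    if len(found) > 1:
        raise ValueError("more than one mdrpi:RegistrationInfo in one md:Extensions")
    if not found:
        return None
    instant = found[0].get("registrationInstant")
    if instant is not None and not instant.endswith("Z"):
        raise ValueError(f"registrationInstant {instant!r} is not UTC with 'Z'")
    langs = [p.get(XML_LANG) for p in found[0].findall(REGPOLICY)]
    if len(langs) != len(set(langs)):
        raise ValueError("two mdrpi:RegistrationPolicy elements share one xml:lang")
    return found[0]

def effective_registrars(xml_text):
    """Map entityID -> registrationAuthority; None means the registrar is undisclosed."""
    result = {}

    def walk(node, inherited):
        own = _own_registration_info(node)
        if own is not None:
            if inherited is not None:  # section 2.1.1: descendants MUST NOT re-declare
                raise ValueError("RegistrationInfo under an element that already has one")
            inherited = own.get("registrationAuthority")
        if node.tag == ENTITY:
            result[node.get("entityID")] = inherited
            return
        for child in node:  # recurse only into nested descriptors, not role elements
            if child.tag in (ENTITIES, ENTITY):
                walk(child, inherited)

    walk(ET.fromstring(xml_text), None)
    return result

def registration_errors(xml_text):
    """First rule violation as text, or None when the document is clean."""
    try:
        effective_registrars(xml_text)
    except ValueError as err:
        return str(err)
    return None

def trusted_entities(xml_text, trusted_registrars):
    """Entity IDs whose effective registrar is trusted; undisclosed registrar => excluded."""
    return sorted(eid for eid, reg in effective_registrars(xml_text).items()
                  if reg in trusted_registrars)

# Constructed aggregate (role descriptors omitted): a nested federation whose
# RegistrationInfo is inherited by two entities, one entity with its own, one with none.
SAMPLE_OK = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <EntitiesDescriptor Name="federation-a">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"
          registrationInstant="2011-09-01T08:00:00Z">
        <mdrpi:RegistrationPolicy xml:lang="en">https://registrar-a.example.org/policy/1</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </Extensions>
    <EntityDescriptor entityID="https://idp1.example.org/saml"/>
    <EntityDescriptor entityID="https://sp1.example.org/saml"/>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://idp2.example.net/saml">
    <Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example.net/"/></Extensions>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp9.example.com/saml"/>
</EntitiesDescriptor>"""

# Constructed violation: an entity re-declares RegistrationInfo inside an
# EntitiesDescriptor that already carries one.
SAMPLE_BAD = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example.org/"/></Extensions>
  <EntityDescriptor entityID="https://idp1.example.org/saml">
    <Extensions><mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example.net/"/></Extensions>
  </EntityDescriptor>
</EntitiesDescriptor>"""
```

An entity with no effective <mdrpi:RegistrationInfo> comes back with registrar None and is left out by trusted_entities(): as the text above says, an absent element means the registrar is undisclosed, not that there is none, so a consumer filtering on registrationAuthority simply has nothing to compare against. None of this replaces verifying the XML signature on the aggregate; the registrar claim is only as trustworthy as the publisher that signed the document carrying it.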
The publication information extension provides information that helps uniquely identify a specific publication of metadata and provides some information about its intended use. The ability to uniquely identify a particular publication can be very helpful in troubleshooting issues as well as in identifying the path a particular bit of metadata took before it arrived at a consumer (see section 2.3).
2.2.1 Element <mdrpi:PublicationInfo>
The <mdrpi:PublicationInfo> element, defined below, MUST appear within the <md:Extensions> element of either <md:EntitiesDescriptor> or <md:EntityDescriptor> elements. The use of <mdrpi:PublicationInfo>, or any other element defined in this section, outside of that context is not defined by this specification.
The <mdrpi:PublicationInfo> element SHOULD only be used on the root element of a metadata document.
The <mdrpi:PublicationInfo> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.
The <mdrpi:PublicationInfo> element contains information which pertains to the publication of a metadata document. Within a given <mdrpi:PublicationInfo> either the creationInstant or the publicationId attribute SHOULD be present.
publisher [Required]
A unique identifier for the publisher of the metadata. This may be the location from which the metadata was retrieved, an abstract identifier such as a SAML entity ID, or some other unique identifier for the publisher.
creationInstant [Optional]
The instant the metadata publication was created. Creation is loosely defined as the moment the metadata publication is ready for consumption by external processes. This may, for example, correspond to the time a document is signed.
Time values MUST be expressed in the UTC timezone using the 'Z' timezone identifier.
publicationId [Optional]
A unique, publisher-specific, identifier for this metadata publication. This identifier MAY change independently of the ID attribute found on <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. For example, if a metadata document is auto-generated, the ID attribute might change upon each generation but the publicationId might only change if a particular set of data changes.
The publicationId MUST be considered an opaque string.
<mdrpi:UsagePolicy> [Optional]
A description of the intended usage for the metadata document. The lack of this element indicates that the publisher has not disclosed its usage policy. It does not indicate that the publisher lacks a usage policy.
There MUST NOT be more than one <mdrpi:UsagePolicy>, within a given <mdrpi:PublicationInfo>, for a given language.
<element name="PublicationInfo" type="mdrpi:PublicationInfoType" />
<complexType name="PublicationInfoType">
    <sequence>
        <element ref="mdrpi:UsagePolicy" minOccurs="0" maxOccurs="unbounded" />
        <any namespace="##other" processContents="lax" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
    <attribute name="publisher" type="string" use="required" />
    <attribute name="creationInstant" type="dateTime" />
    <attribute name="publicationId" type="string" />
    <anyAttribute namespace="##other" processContents="lax" />
</complexType>
2.2.2 Element <mdrpi:UsagePolicy>
The <mdrpi:UsagePolicy> element is a URL to a localized description of the intended usage of this metadata publication. The URL MUST represent a single, immutable, policy document. Any changes made to an existing policy document MUST result in a new URL. The URL SHOULD resolve to a human readable form of the policy document for the entire period in which the policy may be in use.
<element name="UsagePolicy" type="md:localizedURIType" />
In some cases, a metadata document may be published by something other than the original registrar (e.g., a metadata lookup service or an aggregator that assembled a new document from a number of other documents). In such cases it can be helpful to know the path the <md:EntitiesDescriptor> or <md:EntityDescriptor> elements took before being included in the consumed document. The <mdrpi:PublicationPath>, defined below, provides a way of expressing this.
2.3.1 Element <mdrpi:PublicationPath>
The <mdrpi:PublicationPath> element MUST appear within the <md:Extensions> element of either <md:EntitiesDescriptor> or <md:EntityDescriptor> elements. The use of <mdrpi:PublicationPath>, or any other element defined in this section, outside of that context is not defined by this specification.
The <mdrpi:PublicationPath> element MUST NOT appear more than once within the <md:Extensions> element of a given <md:EntitiesDescriptor> or <md:EntityDescriptor> element.
When a <mdrpi:PublicationPath> element appears in the <md:Extensions> element of a <md:EntitiesDescriptor> element it applies to all descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements. That is to say, this is equivalent to putting an identical <mdrpi:PublicationPath> on every descendant <md:EntitiesDescriptor> and <md:EntityDescriptor>. When used in this manner, descendant <md:EntitiesDescriptor> and <md:EntityDescriptor> elements MUST NOT contain a <mdrpi:PublicationPath> element in their <md:Extensions> element.
The <mdrpi:PublicationPath> element provides a record of the publication path, from current publication to initial publication, for the <md:EntitiesDescriptor> or <md:EntityDescriptor> element on which it resides.
Each contained <mdrpi:Publication> element represents one step in the publication path. The list of <mdrpi:Publication> elements is ordered from most recent, excluding the current publication, to least recent (the initial source publication).
For example, assume the current publication is PubC. Further assume that an <md:EntityDescriptor> in PubC was retrieved from PubB which itself received the <md:EntityDescriptor> from PubA. In such a situation the publication path for that entity descriptor would be PubB, PubA.
<mdrpi:Publication> [zero or more]
The publication from which the <md:EntityDescriptor> or <md:EntitiesDescriptor>, to which this extension is applied, was retrieved. The lack of this element indicates that the publisher has not disclosed the source from which it has acquired the containing <md:EntitiesDescriptor> or <md:EntityDescriptor>.
<element name="PublicationPath" type="mdrpi:PublicationPathType" />
<complexType name="PublicationPathType">
    <sequence>
        <element ref="mdrpi:Publication" minOccurs="0" maxOccurs="unbounded" />
    </sequence>
</complexType>
2.3.2 Element <mdrpi:Publication>
The <mdrpi:Publication> element identifies a metadata publication that was incorporated, in full or in part, into the metadata document containing this extension.
publisher [Required]
The publisher value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.
creationInstant [Optional]
The creationInstant value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.
publicationId [Optional]
The publicationId value of the <mdrpi:PublicationInfo> found on the root element of the document containing the republished <md:EntitiesDescriptor> or <md:EntityDescriptor> elements.
<element name="Publication" type="mdrpi:PublicationType" />
<complexType name="PublicationType">
    <attribute name="publisher" type="string" use="required" />
    <attribute name="creationInstant" type="dateTime" />
    <attribute name="publicationId" type="string" />
</complexType>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
    <Extensions>
        <mdrpi:PublicationInfo publisher="urn:example.org:md:publisher"
                               publicationId="1q2w3e4r" />
    </Extensions>
    <!-- SWITCH IDP -->
    <EntityDescriptor entityID="https://aai-logon.switch.ch/idp/shibboleth">
        <Extensions>
            <mdrpi:RegistrationInfo registrationAuthority="urn:mace:switch.ch:SWITCHaai"
                                    registrationInstant="2006-05-29T11:34:27Z">
                <mdrpi:RegistrationPolicy xml:lang="en">
                    http://www.switch.ch/aai/metadata/en_registration.html
                </mdrpi:RegistrationPolicy>
                <mdrpi:RegistrationPolicy xml:lang="de">
                    http://www.switch.ch/aai/metadata/de_registration.html
                </mdrpi:RegistrationPolicy>
            </mdrpi:RegistrationInfo>
            <mdrpi:PublicationPath>
                <mdrpi:Publication publisher="urn:mace:switch.ch:SWITCHaai"
                                   publicationId="k3klsoi"/>
            </mdrpi:PublicationPath>
        </Extensions>
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://aai-logon.switch.ch/idp/profile/SAML2/POST/SSO"/>
        </IDPSSODescriptor>
    </EntityDescriptor>
    <!-- Ohio State IDP -->
    <EntityDescriptor entityID="urn:mace:incommon:osu.edu">
        <Extensions>
            <mdrpi:RegistrationInfo registrationAuthority="urn:mace:incommon">
                <mdrpi:RegistrationPolicy xml:lang="en">
                    http://www.incommonfederation.org/metadata/en_registration.html
                </mdrpi:RegistrationPolicy>
            </mdrpi:RegistrationInfo>
            <mdrpi:PublicationPath>
                <mdrpi:Publication publisher="urn:mace:incommon"
                                   publicationId="i2lkd9c"/>
            </mdrpi:PublicationPath>
        </Extensions>
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
            <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
                                 Location="https://idp.ohio-state.edu/idp/profile/Shibboleth/SSO"/>
        </IDPSSODescriptor>
    </EntityDescriptor>
</EntitiesDescriptor>
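The example above shows the end state as a consumer sees it. What it does not show is the step an aggregator performs when it takes an <md:EntityDescriptor> out of one publication and republishes it, which is where the ordering rule of section 2.3.1 (most recent source first, current publication excluded) and the inheritance of a <mdrpi:PublicationPath> from an enclosing <md:EntitiesDescriptor> have to be applied. The Python below is an added example written for this edition of the document, not code from the specification or from any aggregator product. It walks the PubA, PubB, PubC chain described in section 2.3.1, uses only the Python standard library, and its publisher identifiers, publicationId values and sample document are constructed for the example.

```python
"""Republish one SAML entity and record its provenance in mdrpi:PublicationPath.

Added example, not part of the OASIS specification or any aggregator product.
A publisher that copies an <md:EntityDescriptor> out of another publication
prepends that publication's root <mdrpi:PublicationInfo> to the entity's
<mdrpi:PublicationPath> (newest first) and stamps its own PublicationInfo on
the new root. Publisher identifiers and the sample document are constructed.
"""
import copy
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)
ENTITIES, ENTITY, EXTENSIONS = (f"{{{MD}}}{t}" for t in
                                 ("EntitiesDescriptor", "EntityDescriptor", "Extensions"))
PUBINFO, PUBPATH, PUBLICATION = (f"{{{MDRPI}}}{t}" for t in
                                  ("PublicationInfo", "PublicationPath", "Publication"))
SIGNATURE = f"{{{DS}}}Signature"
PUB_ATTRS = ("publisher", "creationInstant", "publicationId")

def utc_instant(dt):
    """Format a datetime as sections 2.1.1/2.2.1 require: UTC with a trailing 'Z'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def publication_info(root):
    """(publisher, creationInstant, publicationId) from the root's PublicationInfo."""
    ext = root.find(EXTENSIONS)
    info = ext.find(PUBINFO) if ext is not None else None
    if info is None:
        raise ValueError("root element carries no mdrpi:PublicationInfo")
    return tuple(info.get(a) for a in PUB_ATTRS)

def publication_path(descriptor):
    """Publication tuples on the descriptor's own PublicationPath, newest first."""
    ext = descriptor.find(EXTENSIONS)
    path = ext.find(PUBPATH) if ext is not None else None
    return [] if path is None else [tuple(p.get(a) for a in PUB_ATTRS)
                                    for p in path.findall(PUBLICATION)]

def _locate(node, entity_id, inherited):
    """Find the entity plus the PublicationPath element that applies to it."""
    ext = node.find(EXTENSIONS)
    own = ext.find(PUBPATH) if ext is not None else None
    if own is not None:
        inherited = own  # section 2.3.1: a path on an ancestor applies to all descendants
    if node.tag == ENTITY:
        return (node, inherited) if node.get("entityID") == entity_id else None
    for child in node:
        hit = child.tag in (ENTITIES, ENTITY) and _locate(child, entity_id, inherited)
        if hit:
            return hit
    return None

def republish(source_xml, entity_id, publisher, publication_id, now):
    """Copy one entity out of source_xml into a new publication by `publisher`."""
    src = ET.fromstring(source_xml)
    hit = _locate(src, entity_id, None)
    if hit is None:
        raise KeyError(entity_id)
    entity, effective = copy.deepcopy(hit[0]), hit[1]
    ext = entity.find(EXTENSIONS)
    if ext is None:  # md:Extensions must directly follow ds:Signature when one exists
        ext = ET.Element(EXTENSIONS)
        entity.insert(1 if len(entity) and entity[0].tag == SIGNATURE else 0, ext)
    for stale in ext.findall(PUBPATH):
        ext.remove(stale)
    path = ET.SubElement(ext, PUBPATH)
    if effective is not None:  # carry the inherited or own history along
        path.extend(copy.deepcopy(effective).findall(PUBLICATION))
    step = ET.Element(PUBLICATION)
    for name, value in zip(PUB_ATTRS, publication_info(src)):
        if value is not None:
            step.set(name, value)
    path.insert(0, step)  # the document we took the entity from is the newest hop
    root = ET.Element(ENTITIES)
    ET.SubElement(ET.SubElement(root, EXTENSIONS), PUBINFO, {
        "publisher": publisher, "creationInstant": utc_instant(now),
        "publicationId": publication_id})
    root.append(entity)
    return ET.tostring(root, encoding="unicode")

# Constructed first publication by "PubA" (role descriptors omitted).
PUB_A = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <Extensions><mdrpi:PublicationInfo publisher="https://puba.example.org/"
      creationInstant="2012-01-10T12:00:00Z" publicationId="a-001"/></Extensions>
  <EntityDescriptor entityID="https://idp.example.org/saml"/>
</EntitiesDescriptor>"""

def chain_demo():
    """PubA -> PubB -> PubC as in section 2.3.1; returns PubC's root info and the path."""
    eid = "https://idp.example.org/saml"
    t = datetime(2012, 2, 1, 9, 30, tzinfo=timezone.utc)
    pub_b = republish(PUB_A, eid, "https://pubb.example.net/", "b-17", t)
    pub_c = republish(pub_b, eid, "https://pubc.example.com/", "c-3", t)
    root = ET.fromstring(pub_c)
    return publication_info(root), publication_path(root.find(ENTITY))
```

chain_demo() republishes the entity twice and returns PubC's root publication information together with the entity's path, which comes out as PubB followed by PubA, the order section 2.3.1 calls for. Two practical points follow from this: the republished entity is no longer covered by whatever signature PubA or PubB placed on their own documents, so PubC has to sign the new root itself; and a consumer should read the whole path as a claim made by PubC, not as independent evidence about PubA or PubB.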
3.1 SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
A metadata producer conforms to this profile if it has the ability to produce metadata in accordance with sections 2.1, 2.2 and 2.3.
The editors would like to acknowledge the contributions of the OASIS Security Services Technical Committee, whose voting members at the time of publication were:
• Scott Cantor, Internet2
• Thomas Hardjono, M.I.T.
• Frederick Hirsch, Nokia Corp.
• Phil Hunt, Oracle Corp.
• Ari Kermaier, Oracle Corp.
• Nathan Klingenstein, Internet2
• Chad La Joie, Internet2
• Hal Lockhart, Oracle Corp.
• Thinh Nguyenphu, Nokia Siemens Networks GmbH
• Rob Philpott, EMC Corp.
• Anil Saldhana, Red Hat
• David Staggs, Veterans Health Administration
• Emily Xu, Oracle Corp.
The editor would also like to acknowledge the following contributors:
• Ian Young, EDINA, University of Edinburgh
Changes made to produce WD09
• State what the lack of <RegistrationPolicy>, <UsagePolicy> and <PublicationPath> means
• Editorial and grammar fixups
Changes made to produce WD08
• Correct typos in schema snippets
• Correct publication path elements in example
Changes made to produce WD07
• Correct namespace URI on line 265
• Correct document title in Section 3.1 title
Changes made to produce WD06
• <RegistrationPolicy> and <UsagePolicy> text to disallow multiple instances with the same language
• Corrected example in 2.4 which contained a <RegistrationInfo> at the root level and child elements which was in violation of section 2.1
• Editorial and grammar fix ups
Changes made to produce WD05
• Corrected XML schema for optional elements that mistakenly did not have a minOccurs="0"
Changes made to produce WD04
• Add list of voting members to Appendix A: Acknowledgements
Changes made to produce WD03
• Corrected references to CreationInstant and SerialNumber elements which were replaced with attributes on the PublicationInfo element
• Editorial and grammar fix ups
Changes made to produce WD02
• Title changed to "SAML V2.0 Metadata Extensions for Registration and Publication Information"
• Namespace changed to urn:oasis:names:tc:SAML:metadata:rpi
• Concept of "document information" changed to "publication information" with corresponding element name changes.
• Registration Information put before publication information
• Editorial and grammar fix ups