Editing SAML2 Metadata
About
This provides a brief overview of how to edit SAML2 Metadata.
NIEF Trust Fabric Registry
The soon to be released NIEF Trust Fabric Registry will include many features the reduce the need for people to have to edit SAML2 Metadata on their own.
Editor
It is generally a very good idea to have an XML aware editor when you are editing XML. It does not need to be so smart that it includes built-in schema validation (although this can be useful), but at a minimum you want syntax coloring, basic XML format checking, and what not. A couple of popular and free choices:
* Notepad++ - Generally light weight. It is a very useful editor to have handy on any machine you use. * Eclipse - Eclipse is a major IDE and typically you would only install it on a development machine. * If you are doing lots of XML work, you way want a tool that is designed specifically for XML such as XMLSpy.
Namespaces
The primary namespaces used within SAML2 Metadata are:
- urn:oasis:names:tc:SAML:2.0:metadata - (abbreviated md) Always required
- http://www.w3.org/2000/09/xmldsig# - (abbreviated ds) Always required
- urn:oasis:names:tc:SAML:metadata:attribute - (abbreviated mdattr) Used when SAML attributes are included.
- urn:oasis:names:tc:SAML:2.0:assertion - (abbreviated saml) Used when SAML attributes about entities are included and when available SAML Attributes are published for Identity Providers.
The following are additional namespaces you may encounter but are only for very special use cases:
- xmlns:gfipmws="http://gfipm.net/standards/metadata/2.1/webservices"' - For GFIPM Web Services.
- xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" - For WS Federation (very commonly included in ADFS generated SAML2 Metadata)
It is recommended by GFIPM that all namespaces be declared with a prefix to make the XML more explicit instead of using default namespaces.
Samples
Defaulting the md namespace, declaring the ds namespace at the entity descriptor:
<?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ... <ds:KeyInfo> ... </ds:KeyInfo ... </EntityDescriptor>
Defaulting the md namespace, declaring the ds namespace when it is used:
<?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> ... <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ... </ds:KeyInfo ... </EntityDescriptor>
Defaulting all namespaces:
<?xml version="1.0" encoding="UTF-8"?> <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> ... <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> ... </KeyInfo ... </EntityDescriptor>
Recommended way with explicit namespaces and declared in the opening tag:
<?xml version="1.0" encoding="UTF-8"?> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ... <ds:KeyInfo> ... </ds:KeyInfo ... </md:EntityDescriptor>
