IDP meta说明文档.docxVIP

MetadataForIdP元数据话题涵盖了任何实体的基本结构。这里主要说的是IDP部分的。关于怎么创建IDP的元数据。参考SP的构建-here.Shibboleth特别提示如果是第一次开始, IDP在安装过程中生成一个初始的元数据文件，并被拷贝到metadata/idp-metadata.xml. 他包含entityID和安装过程中生成的密钥。你需要需要进行配置的时候，对他进行修改就可以了。基本结构IdP 元数据包含在md:IDPSSODescriptor和md:AttributeAuthorityDescriptor中。你必须要包括正确的支持协议类型（protocolSupportEnumeration）来反映出IDP支持的协议族, 真如meta中提到的一样。如果没能这么做，可能会导致SP不能正确识别IDP。使用md:AttributeAuthorityDescriptor角色主要是兼容性的要求。用来支持遗留的或者其他的依赖于属性的SP。在多数情况下，多数的角色内容在二者之间是一致的。IDP角色通常包括下面描述性信息:IDp用来认证和加密的公钥。各种中来交互的终端明确支持的标示符格式 if any明确支持的属性, if any所有信息出现的顺序是有意义的, 你可以参考schema。大多数情况下，元素按照下面顺序出现。对于md:IDPSSODescriptor来说:md:KeyDescriptor (can be omitted, but rarely)md:ArtifactResolutionService (only needed if supporting response by artifact)md:SingleLogoutService (if any)md:NameIDFormat (if any)md:SingleSignOnService (always at least one)saml:Attribute (rare today, but may be reasonable to include)对于md:AttributeAuthorityDescriptor来说:md:KeyDescriptor (can be omitted, but rarely)md:AttributeService (always at least one)md:NameIDFormat (if any)saml:Attribute (rare today, but may be reasonable to include)密钥参考MetadataKeyDescriptor.Shibboleth-Specific TipThe keys you identify in the metadata MUST match the keys you configure into the IdP as [credentials]. If they dont match, SPs will generally be unable to accept assertions from or make queries to the IdP.Artifact ResolutionSAML包含这样一种能力：通过依赖重定向包含一个简单的字符串成为“artifact”来使得consuming 网站可以拉取完整的信息。他更多的用于IdP-SP 方向,所以，IDP需要支持，有些IDP可能需要支持SOAP终端来实现对artifact-message 的支持.Shibboleth-特别提示The Location attribute of these endpoints is derived from the ProfileHandler elements defined in the IdPs handler.xml file. As with all IdP profile handlers that rely on SOAP, the locations will typically be of the form https://hostname:8443 + servlet context + /profile + path, where path is determined from the RequestPath child element in the profile handler configuration. The elements must also include a Binding attribute, which can be copied directly from the profile handlers inboundBin