The "[[Microsoft Technical Information Wiki>http://techinfoofmicrosofttech.osscons.jp/]]" is operated by the "[[Open棟梁Project>https://github.com/OpenTouryoProject/]]" and the "[[OSS Consortium .NET Development Infrastructure Subcommittee>https://www.osscons.jp/dotNetDevelopmentInfrastructure/]]".

-[[Back>SAMLの仕様を読む。]]

* Table of Contents [#hdb24505]
#contents

*Overview [#v2b74a1f]

*Details [#z380f13f]

*Examples [#v92b9691]

**Google [#l7748072]
IDPSSODescriptor 

 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2" validUntil="2022-02-28T14:34:20.000Z">
   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:KeyDescriptor use="signing">
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:X509Data>
           <ds:X509Certificate>CERTIFICATE</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </md:KeyDescriptor>
     <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp"/>
     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp"/>
   </md:IDPSSODescriptor>
 </md:EntityDescriptor>

-How to configure SAML authentication for G Suite – Support~
SSO/IDaaS: Trust Login by GMO (formerly SKUID)~
https://support.trustlogin.com/hc/ja/articles/115003760514-G-suite%E3%81%AESAML%E8%AA%8D%E8%A8%BC%E3%81%AE%E8%A8%AD%E5%AE%9A%E6%96%B9%E6%B3%95

**Azure [#p90e6f3c]
IDPSSODescriptor 

 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_ceca4e9c-2656-40c1-8e83-cce46b99284a" entityID="https://sts.windows.net/6babcaad-604b-40ac-a9d7-9fd97c0b779f/">
   <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <KeyDescriptor use="signing">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
           <X509Certificate>
             ...
           </X509Certificate>
         </X509Data>
       </KeyInfo>
     </KeyDescriptor>
     <KeyDescriptor use="signing">
       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
         <X509Data>
           <X509Certificate>
             ...
           </X509Certificate>
         </X509Data>
       </KeyInfo>
     </KeyDescriptor>
     <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/saml2"/>
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/saml2"/>
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/6babcaad-604b-40ac-a9d7-9fd97c0b779f/saml2"/>
   </IDPSSODescriptor>
 </EntityDescriptor>

-https://docs.microsoft.com/ja-jp/azure/active-directory/develop/active-directory-saml-protocol-reference
-https://docs.microsoft.com/ja-jp/azure/active-directory/develop/azure-ad-federation-metadata
-https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

**ADFS [#wec052a4]
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_5197a745-3513-4b82-a809-92269b4dbb18" entityID="http://fs.customer.com/adfs/services/trust">
     <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
         <KeyDescriptor use="encryption">
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                 <X509Data>
                     <X509Certificate>...</X509Certificate>
                 </X509Data>
             </KeyInfo>
         </KeyDescriptor>
         <KeyDescriptor use="signing">
             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                 <X509Data>
                     <X509Certificate>...</X509Certificate>
                 </X509Data>
             </KeyInfo>
         </KeyDescriptor>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.customer.com/adfs/ls/"/>
         <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.customer.com/adfs/ls/"/>
         <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://fs.customer.com/adfs/ls/"/>
         <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://fs.customer.com/adfs/ls/"/>
     </IDPSSODescriptor>
 </EntityDescriptor>

-Starmind Docs - Single-Sign-On Metadata~
https://docs.starmind.com/authentication/sso/metadata/
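The Google, Azure and ADFS IDPSSODescriptor samples above share one shape. The following Python is an added example, not code from this wiki or from any of those vendors: it parses such metadata and lists the points an SP operator should review before trusting the IdP (a signing certificate is present, validUntil has not passed, whether signed AuthnRequests are required). The metadata document inside the block is constructed, with a placeholder certificate.

```python
# Added example, not code from this wiki or from Google/Azure/ADFS: parse an
# IDPSSODescriptor and list what an SP should review before trusting the IdP.
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input
from datetime import datetime

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with the same shape as the Google metadata above (placeholder cert).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2" validUntil="2022-02-28T14:34:20.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/saml2/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/saml2/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return entityID, validUntil, signing certs, NameID formats and SSO endpoints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no md:IDPSSODescriptor")
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' = signing and encryption
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
            "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
            "signing_certs": certs,
            "sso_endpoints": {e.get("Binding"): e.get("Location")
                              for e in idp.findall("md:SingleSignOnService", NS)}}

def check_idp_metadata(info, now_utc):
    """Findings an SP should review; now_utc is an ISO-8601 timestamp such as 2023-01-01T00:00:00Z."""
    findings = []
    if not info["signing_certs"]:
        findings.append("no signing certificate: assertions cannot be verified")
    if info["valid_until"]:
        valid_until, now = (datetime.fromisoformat(s.replace("Z", "+00:00"))
                            for s in (info["valid_until"], now_utc))
        if valid_until < now:
            findings.append("validUntil has passed: fetch fresh metadata before use")
    if not info["want_authn_requests_signed"]:
        findings.append("IdP does not require signed AuthnRequests (WantAuthnRequestsSigned)")
    return findings
```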

**Cybozu [#cdd51854]
SPSSODescriptor

 <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://(sub_domain).cybozu.com">
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:NameIDFormat>
       urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
     </md:NameIDFormat>
     <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://(sub_domain).cybozu.com/saml/acs" index="0"/>
   </md:SPSSODescriptor>
 </md:EntityDescriptor>

-Until SAML authentication works - Cybozu Inside Out | Cybozu engineers' blog~
https://blog.cybozu.io/entry/4224

*References [#ta9f6981]

-SAML 2.0 service provider metadata - Qiita~
https://qiita.com/oTsogbadrakhChinzorig/items/c5210e548b6ff02281d2

**Complete documentation and samples [#y5517ad2]
-SAML 2.0 saml-schema-metadata-2.0.xsd~
http://www.datypic.com/sc/saml2/s-saml-schema-metadata-2.0.xsd.html

--SAML 2.0 md:IDPSSODescriptor~
http://www.datypic.com/sc/saml2/e-md_IDPSSODescriptor.html

--SAML 2.0 md:SPSSODescriptor~
http://www.datypic.com/sc/saml2/e-md_SPSSODescriptor.html

**oasis-open.org [#q644c0f3]
https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf

 1 Introduction
 1.1 Notation
 2 Metadata for SAML V2.0
 2.1 Namespaces
 2.2 Common Types
 2.2.1 Simple Type entityIDType
 2.2.2 Complex Type EndpointType
 2.2.3 Complex Type IndexedEndpointType
 2.2.4 Complex Type localizedNameType
 2.2.5 Complex Type localizedURIType
 2.3 Root Elements
 2.3.1 Element <EntitiesDescriptor>
 2.3.2 Element <EntityDescriptor>
 2.3.2.1 Element <Organization>
 2.3.2.2 Element <ContactPerson>
 2.3.2.3 Element <AdditionalMetadataLocation>
 2.4 Role Descriptor Elements
 2.4.1 Element <RoleDescriptor>
 2.4.1.1 Element <KeyDescriptor>
 2.4.2 Complex Type SSODescriptorType
 2.4.3 Element <IDPSSODescriptor>
 2.4.4 Element <SPSSODescriptor>
 2.4.4.1 Element <AttributeConsumingService>
 2.4.4.2 Element <RequestedAttribute>
 2.4.5 Element <AuthnAuthorityDescriptor>
 2.4.6 Element <PDPDescriptor>
 2.4.7 Element <AttributeAuthorityDescriptor>
 2.5 Element <AffiliationDescriptor>
 2.6 Examples
 3 Signature Processing
 3.1 XML Signature Profile
 3.1.1 Signing Formats and Algorithms
 3.1.2 References
 3.1.3 Canonicalization Method
 3.1.4 Transforms
 3.1.5 KeyInfo
 4 Metadata Publication and Resolution
 4.1 Publication and Resolution via Well-Known Location
 4.1.1 Publication
 4.1.2 Resolution
 4.2 Publishing and Resolution via DNS
 4.2.1 Publication
 4.2.1.1 First Well Known Rule
 4.2.1.2 The Order Field
 4.2.1.3 The Preference Field
 4.2.1.4 The Flag Field
 4.2.1.5 The Service Field
 4.2.1.6 The Regex and Replacement Fields
 4.2.2 NAPTR Examples
 4.2.2.1 Entity Metadata NAPTR Examples
 4.2.2.2 Name Identifier Examples
 4.2.3 Resolution
 4.2.3.1 Parsing the Unique Identifier
 4.2.3.2 Obtaining Metadata via the DNS
 4.2.4 Metadata Location Caching
 4.3 Post-Processing of Metadata
 4.3.1 Metadata Instance Caching
 4.3.2 Handling of HTTPS Redirects
 4.3.3 Processing of XML Signatures and General Trust Processing
 4.3.3.1 Processing Signed DNS Zones
 4.3.3.2 Processing Signed Documents and Fragments
 4.3.3.3 Processing Server Authentication during Metadata Retrieval via TLS/SSL
 5 References
 Appendix A. Registration of MIME media type application/samlmetadata+xml
 Appendix B. Acknowledgments
 Appendix C. Notices

----
Tags: [[:IT国際標準]], [[:認証基盤]], [[:クレームベース認証]], [[:SAML]]
