SAML 2.0 metadata for EHerkenning profile
When the SAML 2.0 profile is set to EHerkenning in System Setup, the SAML 2.0 metadata follows the EHerkenning specification as described below:
There's an EntitiesDescriptor element that contains one or more EntityDescriptor elements.
The ID on the EntitiesDescriptor and on the EntityDescriptor is static. It is generated from the entity identifier using the following convention: a fixed prefix, followed by the entity identifier with its separator characters (:, / and .) replaced by underscores.
- EntitiesDescriptor: if the entity identifier is https://identify2.safewhere.local/runtime/, the EntitiesDescriptor.ID will be entitiesDescriptorId_https___identify2_safewhere_local_runtime_
- EntityDescriptor: if the entity identifier is https://identify2.safewhere.local/runtime/, the EntityDescriptor.ID will be entityDescriptorId_https___identify2_safewhere_local_runtime_
The EntitiesDescriptor element declares an additional namespace: xmlns:eme="urn:etoegang:1.9:metadata-extension"
The EntityDescriptor element has a version attribute from that namespace: eme:version="1.9"
The EntityDescriptor element contains a ContactPerson element inside it.
SAML 2.0 metadata for Service Providers:
- It only publishes attributes that are listed in the EHerkenning attribute catalogue at https://extranet.eherkenning.nl/1.9/attribuutcatalogus.xml
- It only publishes one NameIDFormat whose value is urn:etoegang:1.9:EntityConcernedID:BSN.
- It has no AttributeConsumingService element.
SAML 2.0 metadata for Identity Providers: contains two AssertionConsumerService elements for the HTTP-Artifact binding. Both point at the same artifact endpoint and differ only in their index; neither is marked as the default:
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://identify.safewhere.local/runtime/saml2auth/artifact.idp" index="1" isDefault="false" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://identify.safewhere.local/runtime/saml2auth/artifact.idp" index="2" isDefault="false" />
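The following Python script is an added example and is not part of the original page or of the Safewhere Identify product. It lints an exported metadata file against the EHerkenning-profile rules listed above: the static ID convention (derived from the entity identifier with a prefix, so the same helper also produces a serviceCatalogId_ value), the eme namespace and eme:version="1.9", the mandatory ContactPerson, the single BSN NameIDFormat and absent AttributeConsumingService on an SPSSODescriptor, the HTTP-Artifact endpoints (distinct index values, isDefault="false"), and, optionally, that every published saml:Attribute Name is in a caller-supplied attribute catalogue set. The two sample documents, the attribute Name urn:example:catalogue:attribute and the contact e-mail address are constructed for the example; the sample places the two Artifact endpoints in an SPSSODescriptor, where the SAML metadata schema allows an AssertionConsumerService, and the checker applies the endpoint rules wherever it finds them. The assumption that a multi-entity document derives its EntitiesDescriptor ID from the first entityID is the example's own; the page shows only the single-entity case.

```python
import re
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_EME = "urn:etoegang:1.9:metadata-extension"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
BSN_FORMAT = "urn:etoegang:1.9:EntityConcernedID:BSN"
ENTITY = "https://identify2.safewhere.local/runtime/"


def md(tag):
    """Clark-notation name for an element in the SAML metadata namespace."""
    return f"{{{NS_MD}}}{tag}"


def static_id(prefix, entity_id):
    """ID convention from this page: a fixed prefix followed by the entity
    identifier with every character that is not a letter or digit
    (':', '/', '.') replaced by an underscore."""
    return prefix + re.sub(r"[^A-Za-z0-9]", "_", entity_id)


def check_eherkenning_metadata(xml_text, allowed_attributes=None):
    """Lint an exported metadata document against the rules listed above.
    Returns a list of violations; an empty list means the document conforms.
    allowed_attributes: optional set of attribute Names taken from the
    EHerkenning attribute catalogue; when given, any other saml:Attribute
    published in the metadata is reported."""
    problems = []
    # ElementTree drops namespace declarations, so look for xmlns:eme in the raw text.
    if f'xmlns:eme="{NS_EME}"' not in xml_text:
        problems.append("EntitiesDescriptor does not declare xmlns:eme")
    root = ET.fromstring(xml_text)
    if root.tag != md("EntitiesDescriptor"):
        return problems + ["root element is not md:EntitiesDescriptor"]
    entities = root.findall(md("EntityDescriptor"))
    if not entities:
        return problems + ["EntitiesDescriptor contains no EntityDescriptor"]
    # Assumption (not from the page): with several entities, the EntitiesDescriptor
    # ID is derived from the first entityID.
    if root.get("ID") != static_id("entitiesDescriptorId_", entities[0].get("entityID", "")):
        problems.append("EntitiesDescriptor ID does not follow the ID convention")
    for ed in entities:
        eid = ed.get("entityID", "")
        if ed.get("ID") != static_id("entityDescriptorId_", eid):
            problems.append(f"{eid}: EntityDescriptor ID does not follow the ID convention")
        if ed.get(f"{{{NS_EME}}}version") != "1.9":
            problems.append(f"{eid}: missing or wrong eme:version (expected 1.9)")
        if ed.find(md("ContactPerson")) is None:
            problems.append(f"{eid}: no ContactPerson")
        sp = ed.find(md("SPSSODescriptor"))
        if sp is not None:
            if sp.find(md("AttributeConsumingService")) is not None:
                problems.append(f"{eid}: AttributeConsumingService must not be published")
            formats = [n.text for n in sp.findall(md("NameIDFormat"))]
            if formats != [BSN_FORMAT]:
                problems.append(f"{eid}: NameIDFormat must be exactly {BSN_FORMAT}, got {formats}")
        # HTTP-Artifact endpoints: distinct index values, none marked as default.
        artifact_acs = [a for a in ed.iter(md("AssertionConsumerService")) if a.get("Binding") == ARTIFACT]
        indexes = [a.get("index") for a in artifact_acs]
        if len(set(indexes)) != len(indexes):
            problems.append(f"{eid}: duplicate index on HTTP-Artifact AssertionConsumerService")
        for acs in artifact_acs:
            if acs.get("isDefault") != "false":
                problems.append(f'{eid}: HTTP-Artifact AssertionConsumerService index {acs.get("index")} must have isDefault="false"')
        if allowed_attributes is not None:
            for attr in ed.iter(f"{{{NS_SAML}}}Attribute"):
                if attr.get("Name") not in allowed_attributes:
                    problems.append(f"{eid}: attribute {attr.get('Name')} is not in the attribute catalogue")
    return problems


# Constructed sample that follows every rule on the page.
SAMPLE_OK = f"""<md:EntitiesDescriptor xmlns:md="{NS_MD}" xmlns:saml="{NS_SAML}" xmlns:eme="{NS_EME}"
    ID="entitiesDescriptorId_https___identify2_safewhere_local_runtime_">
  <md:EntityDescriptor ID="entityDescriptorId_https___identify2_safewhere_local_runtime_"
      entityID="{ENTITY}" eme:version="1.9">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml:Attribute Name="urn:example:catalogue:attribute"/>
    </md:IDPSSODescriptor>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>{BSN_FORMAT}</md:NameIDFormat>
      <md:AssertionConsumerService Binding="{ARTIFACT}" Location="{ENTITY}saml2auth/artifact.idp" index="1" isDefault="false"/>
      <md:AssertionConsumerService Binding="{ARTIFACT}" Location="{ENTITY}saml2auth/artifact.idp" index="2" isDefault="false"/>
    </md:SPSSODescriptor>
    <md:ContactPerson contactType="technical"><md:EmailAddress>admin@example.invalid</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed sample that breaks the ID convention, the version, the ContactPerson,
# the NameIDFormat and AttributeConsumingService rules, and the Artifact endpoint rules.
SAMPLE_BAD = f"""<md:EntitiesDescriptor xmlns:md="{NS_MD}" xmlns:eme="{NS_EME}" ID="metadata">
  <md:EntityDescriptor ID="sp1" entityID="{ENTITY}" eme:version="1.8">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>{BSN_FORMAT}</md:NameIDFormat>
      <md:AssertionConsumerService Binding="{ARTIFACT}" Location="{ENTITY}saml2auth/artifact.idp" index="1" isDefault="true"/>
      <md:AssertionConsumerService Binding="{ARTIFACT}" Location="{ENTITY}saml2auth/artifact.idp" index="1" isDefault="false"/>
      <md:AttributeConsumingService index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print("OK sample:", check_eherkenning_metadata(SAMPLE_OK) or "conforms")
    for problem in check_eherkenning_metadata(SAMPLE_BAD):
        print("BAD sample:", problem)
```

To lint a real export, read the file into a string and pass it to check_eherkenning_metadata, supplying the attribute Names from attribuutcatalogus.xml as allowed_attributes if you also want the catalogue check.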
Changes to the service catalog metadata
- The ID on the ServiceCatalogue is static and follows the same convention as the metadata IDs. For example, if the entity identifier is https://identify2.safewhere.local/runtime/, the ServiceCatalogue.ID will be serviceCatalogId_https___identify2_safewhere_local_runtime_
- The SAML 2.0 protocol connection has a new setting: PrivacyPolicyURL. When its value is not empty, it is published as the esc:PrivacyPolicyURL of the service in the service catalog.
Note: the System Setup page also has some new settings.
- Use one metadata: when set to True, the exported SAML 2.0 metadata file contains both an IDPSSODescriptor and an SPSSODescriptor element. Its default value is False.
- Custom NameId formats: this setting lets you customize which NameId formats are included in the exported SAML 2.0 metadata.