SAML 2.0 EntityDescriptor Metadata
Schema describing the JSON representation of a SAML 2.0 EntityDescriptor metadata element as defined in the OASIS SAML 2.0 Metadata specification (saml-metadata-2.0-os). Describes the entity's identity, supported roles, endpoints, and cryptographic keys.
Properties
| Name | Type | Description |
|---|---|---|
| entityID | string | The unique identifier for the SAML entity. MUST be a URI of no more than 1024 characters. |
| validUntil | string | The expiration time of the metadata. After this time, the metadata SHOULD be considered invalid. |
| cacheDuration | string | The maximum time the metadata consumer should cache the metadata, expressed as an XML duration (e.g., PT24H for 24 hours). |
| ID | string | An optional document-unique identifier for the element, used for XML signature references. |
| IDPSSODescriptor | object | Describes the SSO capabilities and endpoints of an Identity Provider (SAML 2.0 Metadata Section 2.4.3). |
| SPSSODescriptor | object | Describes the SSO capabilities and endpoints of a Service Provider (SAML 2.0 Metadata Section 2.4.4). |
| Organization | object | Information about the organization responsible for the SAML entity. |
| ContactPerson | array | Contact information for the entity. |
JSON Schema
{
"$id": "saml-entity-descriptor.json",
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SAML 2.0 EntityDescriptor Metadata",
"description": "Schema describing the JSON representation of a SAML 2.0 EntityDescriptor metadata element as defined in the OASIS SAML 2.0 Metadata specification (saml-metadata-2.0-os). Describes the entity's identity, supported roles, endpoints, and cryptographic keys.",
"type": "object",
"required": [
"entityID"
],
"properties": {
"entityID": {
"type": "string",
"format": "uri",
"description": "The unique identifier for the SAML entity. MUST be a URI of no more than 1024 characters.",
"maxLength": 1024
},
"validUntil": {
"type": "string",
"format": "date-time",
"description": "The expiration time of the metadata. After this time, the metadata SHOULD be considered invalid."
},
"cacheDuration": {
"type": "string",
"description": "The maximum time the metadata consumer should cache the metadata, expressed as an XML duration (e.g., PT24H for 24 hours).",
"pattern": "^P(\\d+Y)?(\\d+M)?(\\d+D)?(T(\\d+H)?(\\d+M)?(\\d+(\\.\\d+)?S)?)?$"
},
"ID": {
"type": "string",
"description": "An optional document-unique identifier for the element, used for XML signature references."
},
"IDPSSODescriptor": {
"$ref": "#/$defs/IDPSSODescriptor"
},
"SPSSODescriptor": {
"$ref": "#/$defs/SPSSODescriptor"
},
"Organization": {
"$ref": "#/$defs/Organization"
},
"ContactPerson": {
"type": "array",
"description": "Contact information for the entity.",
"items": {
"$ref": "#/$defs/ContactPerson"
}
}
},
"additionalProperties": true,
"$defs": {
"IDPSSODescriptor": {
"type": "object",
"title": "IDPSSODescriptor",
"description": "Describes the SSO capabilities and endpoints of an Identity Provider as defined in SAML 2.0 Metadata Section 2.4.3.",
"required": [
"protocolSupportEnumeration",
"SingleSignOnService"
],
"properties": {
"protocolSupportEnumeration": {
"type": "array",
"description": "The SAML protocol URIs supported by this role.",
"items": {
"type": "string",
"format": "uri"
},
"examples": [
["urn:oasis:names:tc:SAML:2.0:protocol"]
]
},
"WantAuthnRequestsSigned": {
"type": "boolean",
"description": "Indicates whether the Identity Provider requires that AuthnRequest messages be signed.",
"default": false
},
"SingleSignOnService": {
"type": "array",
"description": "The SSO endpoints supported by the Identity Provider.",
"items": {
"$ref": "#/$defs/Endpoint"
}
},
"SingleLogoutService": {
"type": "array",
"description": "The Single Logout endpoints supported by the Identity Provider.",
"items": {
"$ref": "#/$defs/Endpoint"
}
},
"NameIDFormat": {
"type": "array",
"description": "The NameID formats supported by the Identity Provider.",
"items": {
"type": "string",
"format": "uri"
},
"examples": [
[
"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
]
]
},
"KeyDescriptor": {
"type": "array",
"description": "Cryptographic keys used for signing and encryption.",
"items": {
"$ref": "#/$defs/KeyDescriptor"
}
}
},
"additionalProperties": true
},
"SPSSODescriptor": {
"type": "object",
"title": "SPSSODescriptor",
"description": "Describes the SSO capabilities and endpoints of a Service Provider as defined in SAML 2.0 Metadata Section 2.4.4.",
"required": [
"protocolSupportEnumeration",
"AssertionConsumerService"
],
"properties": {
"protocolSupportEnumeration": {
"type": "array",
"description": "The SAML protocol URIs supported by this role.",
"items": {
"type": "string",
"format": "uri"
}
},
"AuthnRequestsSigned": {
"type": "boolean",
"description": "Indicates whether AuthnRequest messages sent by this Service Provider are signed.",
"default": false
},
"WantAssertionsSigned": {
"type": "boolean",
"description": "Indicates whether the Service Provider requires that assertions be signed.",
"default": false
},
"AssertionConsumerService": {
"type": "array",
"description": "The Assertion Consumer Service endpoints where the IdP should send SAML Responses.",
"items": {
"$ref": "#/$defs/IndexedEndpoint"
}
},
"SingleLogoutService": {
"type": "array",
"description": "The Single Logout endpoints supported by the Service Provider.",
"items": {
"$ref": "#/$defs/Endpoint"
}
},
"NameIDFormat": {
"type": "array",
"description": "The NameID formats supported by the Service Provider.",
"items": {
"type": "string",
"format": "uri"
}
},
"KeyDescriptor": {
"type": "array",
"description": "Cryptographic keys used for signing and encryption.",
"items": {
"$ref": "#/$defs/KeyDescriptor"
}
}
},
"additionalProperties": true
},
"Endpoint": {
"type": "object",
"title": "Endpoint",
"description": "A SAML protocol endpoint with a binding and location.",
"required": [
"Binding",
"Location"
],
"properties": {
"Binding": {
"type": "string",
"format": "uri",
"description": "The SAML binding URI for this endpoint.",
"examples": [
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
]
},
"Location": {
"type": "string",
"format": "uri",
"description": "The URI where messages should be sent."
},
"ResponseLocation": {
"type": "string",
"format": "uri",
"description": "An optional URI where response messages should be sent, if different from Location."
}
},
"additionalProperties": true
},
"IndexedEndpoint": {
"type": "object",
"title": "IndexedEndpoint",
"description": "An endpoint with an index and optional default designation, used for ACS endpoints.",
"required": [
"Binding",
"Location",
"index"
],
"properties": {
"Binding": {
"type": "string",
"format": "uri",
"description": "The SAML binding URI for this endpoint."
},
"Location": {
"type": "string",
"format": "uri",
"description": "The URI where messages should be sent."
},
"index": {
"type": "integer",
"description": "A non-negative integer index for this endpoint.",
"minimum": 0
},
"isDefault": {
"type": "boolean",
"description": "Indicates whether this is the default endpoint when no index is specified."
}
},
"additionalProperties": true
},
"KeyDescriptor": {
"type": "object",
"title": "KeyDescriptor",
"description": "Describes a cryptographic key used for signing or encryption.",
"properties": {
"use": {
"type": "string",
"description": "The purpose of the key: signing or encryption. When omitted, the key may be used for both purposes.",
"enum": [
"signing",
"encryption"
]
},
"KeyInfo": {
"type": "object",
"description": "The key information containing the X.509 certificate or other key material.",
"properties": {
"X509Data": {
"type": "object",
"properties": {
"X509Certificate": {
"type": "string",
"description": "The base64-encoded DER X.509 certificate, without PEM header and footer lines."
}
}
}
}
}
},
"additionalProperties": true
},
"Organization": {
"type": "object",
"title": "Organization",
"description": "Information about the organization responsible for the SAML entity.",
"properties": {
"OrganizationName": {
"type": "string",
"description": "The human-readable name of the organization."
},
"OrganizationDisplayName": {
"type": "string",
"description": "The display name of the organization for user interfaces."
},
"OrganizationURL": {
"type": "string",
"format": "uri",
"description": "A URL for more information about the organization."
}
},
"additionalProperties": true
},
"ContactPerson": {
"type": "object",
"title": "ContactPerson",
"description": "Contact information for a person associated with the SAML entity.",
"required": [
"contactType"
],
"properties": {
"contactType": {
"type": "string",
"description": "The type of contact.",
"enum": [
"technical",
"support",
"administrative",
"billing",
"other"
]
},
"GivenName": {
"type": "string",
"description": "The given name of the contact person."
},
"SurName": {
"type": "string",
"description": "The surname of the contact person."
},
"EmailAddress": {
"type": "string",
"format": "email",
"description": "The email address of the contact person."
}
},
"additionalProperties": true
}
}
}