diff --git a/shibauth/Dockerfile b/shibauth/Dockerfile index a1c6d7660c43fa132b1d1e4a457b240f091ce835..986fbddc6607750b7f4195b87fe7d1e051e5a531 100644 --- a/shibauth/Dockerfile +++ b/shibauth/Dockerfile @@ -35,5 +35,6 @@ LABEL name="prism view server cache" \ version="0.0.1" COPY shibboleth-conf /etc/shibboleth/ +COPY etc-httpd/ /etc/httpd/ COPY index.html /var/www/html/ -COPY conf.d /etc/httpd/etc-httpd/ + diff --git a/shibauth/conf.d/sp.conf b/shibauth/etc-httpd/conf.d/shib.conf similarity index 81% rename from shibauth/conf.d/sp.conf rename to shibauth/etc-httpd/conf.d/shib.conf index 091f85e98444da0aca5748330850e23e63682676..58a46d86d5c0dda6b69fa18cce2039f4b11eb3f6 100644 --- a/shibauth/conf.d/sp.conf +++ b/shibauth/etc-httpd/conf.d/shib.conf @@ -1,7 +1,7 @@ -ServerName idptestbed +ServerName shib-testing <VirtualHost *:80> - ServerName https://idptestbed:443 + ServerName http://shib.pdas.prism.eox.at UseCanonicalName On DocumentRoot "/var/www/html" diff --git a/shibauth/shibboleth-conf/idp-metadata.xml b/shibauth/shibboleth-conf/idp-metadata.xml index caa418c08b8b70ae781f3fc5d1fbe57c338afdc0..6a91356ad9b7f986b977165b68049843fa4912d7 100644 --- a/shibauth/shibboleth-conf/idp-metadata.xml +++ b/shibauth/shibboleth-conf/idp-metadata.xml 
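Review bot: The vhost stays on `<VirtualHost *:80>` while the new canonical name is `ServerName http://shib.pdas.prism.eox.at` with UseCanonicalName On, so Apache builds self-referential URLs with a plain-http scheme, yet shibboleth2.xml in this same commit keeps handlerSSL="true" and cookieProps="https"; unless TLS is terminated in front of this container and the original scheme is forwarded, the SP's Secure session cookie is never returned over port 80 and the login redirect cannot complete. If a reverse proxy does terminate TLS, say so in a comment next to the ServerName and forward the scheme so the SP computes https handler URLs; otherwise use `ServerName https://shib.pdas.prism.eox.at:443` and serve the vhost on 443. The VirtualHost block continues past the end of the hunk.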
@@ -1,18 +1,8 @@
 <!-- The entity describing the SAMLtest IdP, named by the entityID below -->
-
 <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" entityID="https://samltest.id/saml/idp">
-
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
-
 <Extensions>
-<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are
-typically those with a @ delimiter, like mail. Most IdP's serve only a single domain. It's crucial
-for the SP to check received attribute values match permitted domains to prevent a recognized IdP from
-sending attribute values for which a different recognized IdP is authoritative. -->
 <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>
-
-<!-- Display information about this IdP that can be used by SP's and discovery
-services to identify the IdP meaningfully for end users -->
 <mdui:UIInfo>
 <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>
 <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>
@@ -44,7 +34,6 @@ voQR2qr2xJBixsg+MIORKtmKHLfU
 </ds:X509Certificate>
 </ds:X509Data>
 </ds:KeyInfo>
-
 </KeyDescriptor>
 <KeyDescriptor use="signing">
 <ds:KeyInfo>
@@ -70,7 +59,6 @@ ZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu
 </ds:X509Certificate>
 </ds:X509Data>
 </ds:KeyInfo>
-
 </KeyDescriptor>
 <KeyDescriptor use="encryption">
 <ds:KeyInfo>
@@ -96,27 +84,15 @@ zBDsMIEzRtQZm4GIoHJae4zmnCekkQ== </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> - </KeyDescriptor> - -<!-- An endpoint for artifact resolution. Please see Wikipedia for more details about SAML - artifacts and when you may find them useful. --> - <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" /> - -<!-- A set of endpoints where the IdP can receive logout messages. These must match the public -facing addresses if this IdP is hosted behind a reverse proxy. --> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/> - -<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. --> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/> <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/> - </IDPSSODescriptor> - </EntityDescriptor> \ No newline at end of file 
diff --git a/shibauth/shibboleth-conf/shibboleth2.xml b/shibauth/shibboleth-conf/shibboleth2.xml
index f890b39c7d687137579b48702a88dfd059c8eb6c..2769ec5fee1dad6a16e5eb616c7ff28a52bed445 100644
--- a/shibauth/shibboleth-conf/shibboleth2.xml
+++ b/shibauth/shibboleth-conf/shibboleth2.xml
@@ -4,122 +4,28 @@ xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> - - <!-- - By default, in-memory StorageService, ReplayCache, ArtifactMap, and SessionCache - are used. See example-shibboleth2.xml for samples of explicitly configuring them. - --> - - <!-- - To customize behavior for specific resources on Apache, and to link vhosts or - resources to ApplicationOverride settings below, use web server options/commands. - See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationElements for help. - - For examples with the RequestMap XML syntax instead, see the example-shibboleth2.xml - file, and the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPRequestMapHowTo topic. - --> - - <!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. --> - <ApplicationDefaults entityID="https://sp.idptestbed/shibboleth" + <ApplicationDefaults entityID="https://pass.copernicus.eu" REMOTE_USER="eppn uid persistent-id targeted-id"> - - <!-- - Controls session lifetimes, address checks, cookie handling, and the protocol handlers. - You MUST supply an effectively unique handlerURL value for each of your applications. - The value defaults to /Shibboleth.sso, and should be a relative path, with the SP computing - a relative value based on the virtual host. Using handlerSSL="true", the default, will force - the protocol to be https. You should also set cookieProps to "https" for SSL-only sites. - Note that while we default checkAddress to "false", this has a negative impact on the - security of your site. Stealing sessions via cookie theft is much easier with this disabled. - --> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" checkAddress="false" handlerSSL="true" cookieProps="https"> - - <!-- - Configures SSO for a default IdP. To allow for >1 IdP, remove - entityID property and adjust discoveryURL to point to discovery service. 
- (Set discoveryProtocol to "WAYF" for legacy Shibboleth WAYF support.) - You can also override entityID on /Login query string, or in RequestMap/htaccess. - --> <SSO entityID="https://idptestbed/idp/shibboleth"> SAML2 SAML1 </SSO> - - <!-- SAML and local-only logout. --> <Logout>SAML2 Local</Logout> - - <!-- Extension service that generates "approximate" metadata based on SP configuration. --> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> - - <!-- Status reporting service. --> - <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> - - <!-- Session diagnostic service. --> + <Handler type="Status" Location="/Status" acl="10.0.0.0/24 127.0.0.1 ::1"/> <Handler type="Session" Location="/Session" showAttributeValues="false"/> - - <!-- JSON feed of discovery information. --> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> </Sessions> - - <!-- - Allows overriding of error template information/filenames. You can - also add attributes with values that can be plugged into the templates. - --> - <Errors supportContact="admin@idptestbed" - helpLocation="/about.html" - styleSheet="/shibboleth-sp/main.css"/> - - <!-- Example of remotely supplied batch of signed metadata. --> - <!-- - <MetadataProvider type="XML" validate="true" - url="http://federation.org/federation-metadata.xml" - backingFilePath="federation-metadata.xml" reloadInterval="7200"> - <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/> - <MetadataFilter type="Signature" certificate="fedsigner.pem"/> - <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true" - attributeName="http://macedir.org/entity-category" - attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" - attributeValue="http://refeds.org/category/hide-from-discovery" /> - </MetadataProvider> - --> - - <!-- Example of locally maintained metadata. 
--> - <!-- - <MetadataProvider type="XML" validate="true" path="partner-metadata.xml"/> - --> - + <Errors supportContact="admin@eox.at" + helpLocation="/about.html"/> <MetadataProvider type="XML" validate="true" path="idp-metadata.xml"/> - - <!-- Map to extract attributes from SAML assertions. --> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> - - <!-- Use a SAML query if no attributes are supplied during SSO. --> <AttributeResolver type="Query" subjectMatch="true"/> - - <!-- Default filtering policy for recognized attributes, lets other data pass. --> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> - - <!-- Simple file-based resolver for using a single keypair. --> - <CredentialResolver type="File" key="sp-signing-key-test.pem" certificate="sp-encrypt-cert-test.pem"/> - - <!-- - The default settings can be overridden by creating ApplicationOverride elements (see - the https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApplicationOverride topic). - Resource requests are mapped by web server commands, or the RequestMapper, to an - applicationId setting. - - Example of a second application (for a second vhost) that has a different entityID. - Resources on the vhost would map to an applicationId of "admin": - --> - <!-- - <ApplicationOverride id="admin" entityID="https://admin.example.org/shibboleth"/> - --> + <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> </ApplicationDefaults> - - <!-- Policies that determine how to process and authenticate runtime messages. --> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> - - <!-- Low-level configuration about protocols and bindings available for use. --> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig> \ No newline at end of file 
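Review bot: `<SSO entityID="https://idptestbed/idp/shibboleth">` survives as context while the only MetadataProvider still loads idp-metadata.xml, whose EntityDescriptor (visible in the idp-metadata.xml hunk above) carries entityID `https://samltest.id/saml/idp`; with no metadata for the configured IdP the SP cannot issue an AuthnRequest, so the SSO entityID must be the entityID of the IdP actually described in idp-metadata.xml. The new ApplicationDefaults entityID `https://pass.copernicus.eu` also differs from the `https://pass.copernicus.eu/shibboleth` declared in the new sp-metadata.xml; the two must be identical or the IdP will not match this SP to its registered metadata. The new CredentialResolver names sp-key.pem, which, if it sits in shibboleth-conf, is copied into the image by the Dockerfile and lives in the repository; presumably the private key should be supplied at deploy time (a mounted secret) rather than baked into a layer. Widening the Status handler acl to `10.0.0.0/24` exposes SP configuration and version details to every host in that subnet, so restrict it to the monitoring addresses that need it and record why in a comment. The SPConfig root element opens before the start of the hunk.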
diff --git a/shibauth/shibboleth-conf/sp-metadata.xml b/shibauth/shibboleth-conf/sp-metadata.xml
new file mode 100644
index 0000000000000000000000000000000000000000..bfa4da8068e5e5f6d1eef4e83d96fa6ba9abefe4
--- /dev/null
+++ b/shibauth/shibboleth-conf/sp-metadata.xml
@@ -0,0 +1,141 @@
+<EntityDescriptor entityID="https://pass.copernicus.eu/shibboleth" validUntil="2040-01-01T00:00:00Z"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
+ xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+ xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+
+ <KeyDescriptor>
+ <ds:KeyInfo>
+ <ds:X509Data>
+ <ds:X509Certificate>
+MIIHijCCBnKgAwIBAgIQPWbuJob/1pRBDBHQrAelKDANBgkqhkiG9w0BAQsFADB4
+MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
+U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
+Q29tIENsYXNzIDMgT1YgU2VydmVyIENBMB4XDTE2MDUzMDIwMjAwNFoXDTE5MDUz
+MDIwMjAwNFowZDELMAkGA1UEBhMCQVQxDTALBgNVBAgMBFdpZW4xDTALBgNVBAcM
+BFdpZW4xHTAbBgNVBAoMFEVPWCBJVCBTZXJ2aWNlcyBHbWJIMRgwFgYDVQQDDA9l
+c2EubWFwcy5lb3guYXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCX
+GBReYwFVvkSrourZRd4zBBlo9apZHXxt+kk4bNbk1n70YNeFUaxJpwFQqkfwghrg
+9tctD2B9HLDZl+LMnO6IXAzXkn8OHzt9vf4lVLDYOSHcC/oAt4aQjr98Anl1q822
+/FJ6csFtFAmEIg8P6NHByHlwaSM1yxcrc7ZgR+xph0/sQijh4jxOlcNfCGRy0VBt
+lJE0rLSAmIN/LUX/hf1P4psbPlXNLl1U3Du6sh+pkgWV5gsKJBxAYJvptlahn9Ud
+b6FBFngM/Z9rk/M4R692z5WWLwfxFScEw3/FfF9aH5ztCAM1u3L5QjqANcdbVl86
+x2kUXZh9A7EjUhnI25xu4aEVJBHTcq46rZQw88lW/+Xxavon03dHuaHhrZXMF5mD
+rIGvumSlB1XzCz2lOQG4zrUnXtKw6rm7fr20Zn5KQEgiUD+d2Hs8lvkWmP0qKiP+
+EWdJrAfprv85tKqQMxldnrOK9FwH9TQh4TmhYlp+6vvsfZMZB4uDMlvKBtlI+7Yh
+O61HKIDSsEqq6tdy312ENOjZVZsPsNkZCdOm6irTTymB9Id1LJ+3jv+lakPzluW/
+rTeq2S0UMMvByRsTGiI3ettxgOwo/jWAJiMTWb26ldpxHqyvOIX7b40Wvk+KRx9T
+Vgx4kkuS5ycNi0YgUBs98imh8GXvBEufvpZCtcd5OQIDAQABo4IDIjCCAx4wDgYD
+VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAJBgNV
+HRMEAjAAMB0GA1UdDgQWBBRX3j8T9Ti5uurAxnFHSb/P6Q4Z9jAfBgNVHSMEGDAW
+gBSxPxySe5KwWiWzOPucB6QmUDLjUTBvBggrBgEFBQcBAQRjMGEwJAYIKwYBBQUH
+MAGGGGh0dHA6Ly9vY3NwLnN0YXJ0c3NsLmNvbTA5BggrBgEFBQcwAoYtaHR0cDov
+L2FpYS5zdGFydHNzbC5jb20vY2VydHMvc2NhLnNlcnZlcjMuY3J0MDgGA1UdHwQx
+MC8wLaAroCmGJ2h0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL3NjYS1zZXJ2ZXIzLmNy
+bDB4BgNVHREEcTBvgg9lc2EubWFwcy5lb3guYXSCFXRpbGVzLmVzYS5tYXBzLmVv
+eC5hdIIXKi50aWxlcy5lc2EubWFwcy5lb3guYXSCE29zbS5lc2EubWFwcy5lb3gu
+YXSCF3N0YWdpbmcuZXNhLm1hcHMuZW94LmF0MCMGA1UdEgQcMBqGGGh0dHA6Ly93
+d3cuc3RhcnRzc2wuY29tLzBRBgNVHSAESjBIMAgGBmeBDAECAjA8BgsrBgEEAYG1
+NwECBTAtMCsGCCsGAQUFBwIBFh9odHRwczovL3d3dy5zdGFydHNzbC5jb20vcG9s
+aWN5MIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHYAaPaY+B9kgr46jO65KB1M/HFR
+XWeT1ETRCmesu09P+8QAAAFVA3EKawAABAMARzBFAiAQMFKOGTFIZzbVuZ8R2C+u
+4QgL0vnSOBT3ylGgjAf+AQIhAOHkMTkhr0APu8jaCkos4c9k8vrn5DWq0k8WXT12
+ip4fAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFVA3EMcwAA
+BAMARjBEAiASftiRTzUpe+IDonZidGHzHKlKwPZoaOE2zqsH1AW9jgIgM7Jmphm1
+rGkakcVooaUudEfCTN/fTJ7cs3kPiljWmkgwDQYJKoZIhvcNAQELBQADggEBAIp2
+QqqJ6+TRRr7cBeiMw+4MrQhbaf+Y0bAsPOF9KOnQ9JMavEki08JRLYLVSraqDW1+
+mrlk+mbvh9mEFkTIvwW5wt/S5tgbRE/fmDBTElRwLPVlvbwRNKNg/54lXhwgETM8
+oTOfxC+dK7bg+EFj3r71d7wf/qhPCBYmN9yk2z4tby1nYI6c+8xXVxnrKGIOOb/X
+MAB1eHNvjMHHmhlSV33Z6nqrTzeUEDS5R6X1v3lCtP/058o6NDdLmJ/hTy/So5eB
+8NwcilckyoYeI64QXg61KmH+9+scQ2bddWtuDJvnNo0NH1XPOuxl9HpaxBSzIflK
+2Wfpr7x/2VCKeO7Mfpo=
+ </ds:X509Certificate>
+ </ds:X509Data>
+ </ds:KeyInfo>
+ </KeyDescriptor>
+
+ <!-- This tells IdPs that Single Logout is supported and where/how to request it.
-->
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <SingleLogoutService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SLO/Redirect"
+ xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+ <!--
+ This tells IdPs where and how to push assertions through the browser. Mostly
+ the SP will tell the IdP what location to use in its request, but this
+ is how the IdP validates the location and also figures out which
+ SAML version/binding to use.
-->
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="1" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="2" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://a.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="3" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://b.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="4" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://c.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="5" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://d.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="6" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://e.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+ <AssertionConsumerService
+ Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+ Location="https://f.tiles.esa.maps.eox.at/Shibboleth.sso/SAML2/Artifact"
+ index="8" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"/>
+
+ <!-- This tells IdPs that you only need transient identifiers.
-->
+ <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
+
+ </SPSSODescriptor>
+
+ <Organization>
+ <OrganizationName xml:lang="en">eox</OrganizationName>
+ <OrganizationDisplayName xml:lang="en">EOX IT Services GmbH</OrganizationDisplayName>
+ <OrganizationURL xml:lang="en">http://eox.at</OrganizationURL>
+ </Organization>
+</EntityDescriptor>
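Review bot: Every SingleLogoutService and AssertionConsumerService Location points at esa.maps.eox.at or a *.tiles.esa.maps.eox.at host, while the entityID is `https://pass.copernicus.eu/shibboleth` and the Apache vhost in this commit is named shib.pdas.prism.eox.at; an IdP validates the ACS URL in an AuthnRequest against this metadata, so the handler URLs the SP computes for its own vhost will be refused unless they are listed here. Only the HTTP-Artifact binding is offered for the AssertionConsumerService, yet the same commit deletes the ArtifactResolutionService from idp-metadata.xml, which the SP needs in order to resolve artifacts; either add HTTP-POST endpoints (the SP's default, e.g. `Location="https://shib.pdas.prism.eox.at/Shibboleth.sso/SAML2/POST"`) or keep the IdP's artifact endpoint. The embedded X509Certificate appears to decode to a StartCom-issued TLS server certificate for esa.maps.eox.at with a 2016–2019 validity period rather than a certificate for this SP; the IdP encrypts assertions to and verifies signatures against whatever key is published here, so it must correspond to the sp-cert.pem the SP now signs with. A one-line comment above KeyDescriptor naming the file this certificate was exported from would make that check straightforward.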