0

I have been trying to implement Shibboleth as IDP and my Java webapp as SP, but I am having trouble understanding how metadata works. I know it's a way the SP knows about the IDP and vice versa. I also know it has keys and all, but I cannot connect the dots.

Please provide a short explanation of how metadata is configured and what its core elements are.

Sachin Verma
  • 3,712
  • 10
  • 41
  • 74

2 Answers

2

SAML metadata is organized around an extensible collection of roles representing common combinations of SAML protocols. Basically, SAML profiles require agreements between system entities regarding identifiers, binding support and endpoints, certificates and keys, and so forth. A metadata specification is useful for describing this information in a standardized way. This specification defines an extensible metadata format for SAML system entities, organized by roles that reflect SAML profiles. Such roles include those of SSO Identity Provider, SSO Service Provider, Affiliation, Attribute Authority, Attribute Requester, and Policy Decision Point.

You can refer to this PDF link, saml-metadata-2.0, which gives you more descriptive information about SAML metadata.

1

You need to go step by step.

Below is the diagram of how Shibboleth works (very high level!). [Shibboleth diagram]

Here, Shibboleth SP and Shibboleth IdP are two pieces of software you need to download and install from the Shibboleth website, and the SP application and IdP application are two things you need to develop.

I suggest you first develop the SP. Use this and this to do so. Then you develop the IdP.

Coming to metadata. The main configuration the SP and IdP need is metadata. shibboleth2.xml is the file where you do this. SAML needs data on where to redirect, where to get the assertion from and what the encryption is. But Shibboleth has made this easy: everything is taken care of by Shibboleth; you just need to provide the path where the metadata is located.

What we do is configuration in shibboleth2.xml (I am explaining in the context of the SP, but understand it is the same for both SP and IdP).

Elements of configuration

  • RequestMapper - our host to secure
  • ApplicationDefaults - just change the entityId here; change it to anything.
  • MetadataProvider - give the IdP's entityId and metadata URL.

This is the basic configuration that needs to be done on the SP side.
Metadata can be generated by the Shibboleth system using the above configuration and can be downloaded from https://mywebsitehost.com/Shibboleth.sso/Metadata; the same is true for the IdP. SP and IdP can connect and get information by entityId.

Community
  • 1
  • 1
Akshay
  • 3,558
  • 4
  • 43
  • 77
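Added example, not part of either answer above and not Shibboleth's own code: a small Python parser that pulls the core elements the first answer lists (entityID, role descriptor, keys, endpoints) out of a SAML 2.0 IdP metadata document, and then runs the checks an SP's MetadataProvider step from the second answer depends on (the entityID matches what was configured, `validUntil` is present and not past, a signing certificate exists, endpoints are HTTPS). The metadata document, hostnames and certificate bytes are constructed placeholders, and `parse_idp_metadata` / `check_idp_metadata` are names chosen for this example.

```python
# Added example (not from the original question or answers): parse a SAML 2.0
# metadata document and extract the elements an SP needs from an IdP, then
# sanity-check them the way an SP's metadata provider should before trusting them.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata. The entityID, hostnames and certificate are placeholders.
FAKE_CERT = base64.b64encode(b"placeholder-cert-bytes").decode()
IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth"
    validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the core elements: entityID, validUntil, roles, signing certs, SSO endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    info = {
        "entityID": root.get("entityID"),
        "validUntil": root.get("validUntil"),
        "roles": [child.tag.split("}")[1] for child in root],  # role descriptors
        "signing_certs": [],
        "sso": {},
    }
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor role in metadata")
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # a KeyDescriptor without 'use' serves both purposes
        if use in ("signing", "both"):
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                info["signing_certs"].append(cert.text.strip())
    for sso in idp.findall("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding")] = sso.get("Location")
    return info


def check_idp_metadata(info, expected_entity_id, now=None):
    """Checks an SP should apply before trusting IdP metadata. Returns a list of problems."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if info["entityID"] != expected_entity_id:
        problems.append("entityID does not match the configured MetadataProvider entity")
    if info["validUntil"] is None:
        problems.append("no validUntil: stale metadata could be used indefinitely")
    else:
        until = datetime.fromisoformat(info["validUntil"].replace("Z", "+00:00"))
        if until < now:
            problems.append("metadata expired")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if REDIRECT not in info["sso"] and POST not in info["sso"]:
        problems.append("no usable SingleSignOnService endpoint")
    for loc in info["sso"].values():
        if not loc.startswith("https://"):
            problems.append(f"non-HTTPS endpoint: {loc}")
    return problems


if __name__ == "__main__":
    parsed = parse_idp_metadata(IDP_METADATA)
    print(parsed["entityID"], parsed["roles"], sorted(parsed["sso"]))
    print(check_idp_metadata(parsed, "https://idp.example.org/idp/shibboleth"))
```

The `expected_entity_id` argument plays the role of the entityId you give the MetadataProvider in shibboleth2.xml: the SP should only accept a metadata document whose entityID is the one it was configured to trust, and should reject documents with no `validUntil` or no signing key, since either leaves it unable to tell a current, legitimate IdP from a stale or unverified one.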