Shibboleth Service Provider (SP) Examples
The examples below are illustrative only; your code or approach may vary depending on your server and configuration. For assistance, please refer to the documentation or vendor of your web hosting software or operating system.
Select the code example that you wish to view:
This is a sample only.
Do not supply it as-is without review, and do not provide it in real time to your partners.
<!-- This is example metadata only. Do *NOT* supply it as is without review, and do *NOT* provide it in real time to your partners.

     Points to check when reviewing metadata shaped like this sample:
     * ds:Signature covers the whole EntityDescriptor (the Reference URI equals its ID attribute), so
       editing any value below invalidates the signature. Re-sign after review, or hand the file over
       unsigned on a channel the partner already trusts.
     * The certificate inside ds:Signature is the same one published in the signing KeyDescriptor. A
       signature made with a key that only this document vouches for proves nothing on its own; the
       partner has to obtain or confirm that certificate some other way.
     * ds:SignatureMethod is rsa-sha1 although the reference digest is sha256. SHA-1 signatures are
       deprecated; sign with a SHA-256 (or stronger) method where the signing tool allows it.
     * The alg:DigestMethod / alg:SigningMethod entries advertise SHA-1 variants (sha1, rsa-sha1,
       dsa-sha1, ecdsa-sha1) next to the SHA-2 ones, and the md:EncryptionMethod list offers
       tripledes-cbc and AES-CBC next to AES-GCM. CBC-mode XML Encryption carries no integrity
       protection; trim both lists to what your policy accepts.
     * The X509Certificate values are sample certificates for CN=sp.testbed.local. Publish the
       certificates of your own SP and keep the matching private keys off shared or public hosts.
     * entityID (https://sp/shibboleth) and every Location (https://sp:8443/...) are placeholders. An IdP
       is expected to deliver assertions only to AssertionConsumerService endpoints listed here, so
       they must name the deployed host exactly and stay on https.
     * Organization and ContactPerson values are placeholders; the REFEDS security contact reuses
       technical@example.org and should point at a monitored security mailbox.
--> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_704b290905168a2ef396515bbd747f8f708ae617" entityID="https://sp/shibboleth"> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#_704b290905168a2ef396515bbd747f8f708ae617"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>gtM96qHZFK5YHSlRy1ALfkcWluORgDWzTfPmoH/beJI=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>ZV1n2mnSWyWSqBgIjmBLwCQqUy+P8/qSL/YHytQdSV3Gg4Ob+204Gknd4sMBCQ5j ItW/XYWlOnPLJnCCL5by/7h88wyG1oDKJ338xoPN2PJHns+Nc9rM52fI0B+FV72k mengyGy2GOzHukLC42alN2r7Yi5+e4yHdZCrWL8ehYGwCA2M5oR1MYK5bZ9NDjb9 2sYOTunj8T+vwRRPMA/dVgHPbyxQjIoMS2kE5Ux9nmAT7FwbWPCtPjx5RW2JDBk1 uXbC+N+TL+zmp5dJMBIaNYI++0WJsgy2znLvZnmsgZxuswnK4oEpoJk52BCplXUx 67kJQm9pktIbuLuHsenSGmuQa34ov7c7Z//Tc6V93bNKuakvAwAKgi0eyKt+zfXe imRt0HMczkbOH5M1KvpG9zgRbFmlUfCi6WQBP94aVm6V9v7lYj40FhxZI1hKklF9 e919mKB3IIkqtjd+pMJQM6LkVvK8AmKTz7Dujm/JKut+ZXoVMsYHYItQURkTmML9</ds:SignatureValue> <ds:KeyInfo> <ds:KeyName>sp.testbed.local</ds:KeyName> <ds:X509Data> <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName> <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAMGsmas5mr4mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV BAMTEHNwLnRlc3RiZWQubG9jYWwwHhcNMTkwNTA3MTg0MzE5WhcNMjkwNTA0MTg0 MzE5WjAbMRkwFwYDVQQDExBzcC50ZXN0YmVkLmxvY2FsMIIBojANBgkqhkiG9w0B AQEFAAOCAY8AMIIBigKCAYEAxnfXGPiZWLZv6gOj1xCVH2Bis/CtLVrlztDLeISQ 1HVZUtKbIJwLSRIt8P+gYGucjdPNnNo42JZ1j2HOHzlgMjx0zgSuR0OQjw/WNym3 
kgfAlRKBhwgcnDuY48c5syNFpu4ZH376sEziIevtL2FdkiryCsNGT5ETyCA+dG4c TMhJwVq7FtLbYtzXqOvS7yooszYXO6oIOrc+gSCDz0kkGDHexx2fBJeDDpo9gPNd YrQ/FzMrVltgZ99rXM7LKAOKEtG5E56Aau/7ey6Nween+jBqXdsfPsUS4hGOQOC0 mX3CO90cAh7o2ybLzHmzS4+jG5pgOCzPk0yBeSqqb7KvN8Am4Xa4d3wG2rizAxnP MoUiVHukpl6wjs9E32fHWOvcfK6pl1DffSYzZ9P40Rn3KAyhsBAnkt7VxZR0W+Bf 1sTww2nWUHnmxSNu1Cku8qhp6S6AHq9hELUq3EfdON5le/DpZ6RWt1ukE0jNw4tc uuBEx/kTmdF8JochRjtStdCVAgMBAAGjPjA8MBsGA1UdEQQUMBKCEHNwLnRlc3Ri ZWQubG9jYWwwHQYDVR0OBBYEFN3EmV3JORDjW6XxwlgAAY7ruA5UMA0GCSqGSIb3 DQEBCwUAA4IBgQCuFJmf5gXBhEpEqliarPz9LeVeGwQtHp51pzLalLcqNEgTxvIC H7Xw2sgC9AFs0jjVL+YBOpFT/Fzug4g7GHqT9tgmFi7KR0cq58Q265WjGIXk3iGb Rxc8xqtH2NZ026uj9QEp9sQ4fJVAxE8qfEYOUOHPkzHozEySMUs5gWVSUKS/bqjP GMbIsBu9/DrkCj7TkrUpdGPZI76BtSUUF6Yn1ne7YH6SPB4vk+UDhaZSOsjsVG09 l9aC7dmF5518sNeAjPcKbdARIAO5fCTdH0435jNJwUObGx2HWYsYp4XlA6Ycv775 +dgkzroPc6TO1rYHKj1lF9eZs6gkYGr+1M1k7VyW9jdwOmVE9SCHun6t+GdCEIZh LCPp4U8C36II93y6IYDUkIKMzjeLZMHZvpswUzXK7/JUgDuZ3YGKA7zIT0rxSEZ/ YOdlVPNv3DF6isGsXugGVz8rULJ9xlxkvgjhKs1ZQvVe1jlkS9o9lGeKMXeSqUv8 Qa1VfyjCjlfwQXI= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"> <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/> <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/> <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/> <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/> 
<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/> <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/> <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> </md:Extensions> <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <md:Extensions> <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://sp:8443/Shibboleth.sso/Login"/> <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://sp:8443/Shibboleth.sso/Login" index="1"/> </md:Extensions> <md:KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>sp.testbed.local</ds:KeyName> <ds:X509Data> <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName> <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAMGsmas5mr4mMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV BAMTEHNwLnRlc3RiZWQubG9jYWwwHhcNMTkwNTA3MTg0MzE5WhcNMjkwNTA0MTg0 MzE5WjAbMRkwFwYDVQQDExBzcC50ZXN0YmVkLmxvY2FsMIIBojANBgkqhkiG9w0B AQEFAAOCAY8AMIIBigKCAYEAxnfXGPiZWLZv6gOj1xCVH2Bis/CtLVrlztDLeISQ 1HVZUtKbIJwLSRIt8P+gYGucjdPNnNo42JZ1j2HOHzlgMjx0zgSuR0OQjw/WNym3 kgfAlRKBhwgcnDuY48c5syNFpu4ZH376sEziIevtL2FdkiryCsNGT5ETyCA+dG4c TMhJwVq7FtLbYtzXqOvS7yooszYXO6oIOrc+gSCDz0kkGDHexx2fBJeDDpo9gPNd YrQ/FzMrVltgZ99rXM7LKAOKEtG5E56Aau/7ey6Nween+jBqXdsfPsUS4hGOQOC0 mX3CO90cAh7o2ybLzHmzS4+jG5pgOCzPk0yBeSqqb7KvN8Am4Xa4d3wG2rizAxnP MoUiVHukpl6wjs9E32fHWOvcfK6pl1DffSYzZ9P40Rn3KAyhsBAnkt7VxZR0W+Bf 1sTww2nWUHnmxSNu1Cku8qhp6S6AHq9hELUq3EfdON5le/DpZ6RWt1ukE0jNw4tc 
uuBEx/kTmdF8JochRjtStdCVAgMBAAGjPjA8MBsGA1UdEQQUMBKCEHNwLnRlc3Ri ZWQubG9jYWwwHQYDVR0OBBYEFN3EmV3JORDjW6XxwlgAAY7ruA5UMA0GCSqGSIb3 DQEBCwUAA4IBgQCuFJmf5gXBhEpEqliarPz9LeVeGwQtHp51pzLalLcqNEgTxvIC H7Xw2sgC9AFs0jjVL+YBOpFT/Fzug4g7GHqT9tgmFi7KR0cq58Q265WjGIXk3iGb Rxc8xqtH2NZ026uj9QEp9sQ4fJVAxE8qfEYOUOHPkzHozEySMUs5gWVSUKS/bqjP GMbIsBu9/DrkCj7TkrUpdGPZI76BtSUUF6Yn1ne7YH6SPB4vk+UDhaZSOsjsVG09 l9aC7dmF5518sNeAjPcKbdARIAO5fCTdH0435jNJwUObGx2HWYsYp4XlA6Ycv775 +dgkzroPc6TO1rYHKj1lF9eZs6gkYGr+1M1k7VyW9jdwOmVE9SCHun6t+GdCEIZh LCPp4U8C36II93y6IYDUkIKMzjeLZMHZvpswUzXK7/JUgDuZ3YGKA7zIT0rxSEZ/ YOdlVPNv3DF6isGsXugGVz8rULJ9xlxkvgjhKs1ZQvVe1jlkS9o9lGeKMXeSqUv8 Qa1VfyjCjlfwQXI= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </md:KeyDescriptor> <md:KeyDescriptor use="encryption"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:KeyName>sp.testbed.local</ds:KeyName> <ds:X509Data> <ds:X509SubjectName>CN=sp.testbed.local</ds:X509SubjectName> <ds:X509Certificate>MIID9zCCAl+gAwIBAgIJAJBhFGKTN2BDMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV BAMTEHNwLnRlc3RiZWQubG9jYWwwHhcNMTkwNTA3MTg0MzM3WhcNMjkwNTA0MTg0 MzM3WjAbMRkwFwYDVQQDExBzcC50ZXN0YmVkLmxvY2FsMIIBojANBgkqhkiG9w0B AQEFAAOCAY8AMIIBigKCAYEA2OrmrNNMFjNulgG7tP/Zjuz1bq4rvw9s4uqF37MK owISobL4MW4yyBCAHsulsaWgeubtbf/N9Sk/LvCDxt4iYW7B9euB6CoNKAhLowrl gps9OtNQQNqaDGnXr5mJEqRoBAHEem/swh27/ChnMDc5/O7Obwp3uKtBI7c++4ON BK4F+0olhQjtioWXge22EswcpabBeCPYWIDbQ8+pZHvSQxgRU2BGwNlmXYPIIyem Smz3u37MShtTtjX80iwHMYb3FZfLG6HcC9LltcYipB3juoVEa5uaYAX1qZ4EQxHo /M7Gk39TLOeryuugfvumLU6dpsnNEGCA0y5y9qPD0cqGeceSG6+MUSp1U6UzOiqD 9SR1Jw2uu1HLssqgLkaSDNAP7LfGcsjQ0Io7Dxi8jCLy0vlo+HAyuhFM4b/p6FBh 6LVG8sZ3dFx+LbnSIX5TT2JJrSYtNqkAUWaWLj7VIit0r2zjwttLmWT5z5DIrdTN ePz2zXAxE0N4sm7UzxalXNn/AgMBAAGjPjA8MBsGA1UdEQQUMBKCEHNwLnRlc3Ri ZWQubG9jYWwwHQYDVR0OBBYEFOZZlnocOTOAJXdU762a+4goVdZKMA0GCSqGSIb3 DQEBCwUAA4IBgQAApvDeRUsiHvQ/sSVMxKzg10KbedQtRkSmMU7qYJxTBf0kmvlh 3ICBfjw58tmRtPcf6A/K5DwqJKmcOksZiaR5KADerB14TX//1uTqmk7hUf9K7XD9 
fFp37QXA7z9NR0Lp56ctK6mtQq0gYxZRAGK0NRaJbSIguOFD0Z4TpjxQx52Yt1Qx RMBysD/QiEz4KGcFjeIx5LV65lfJu7ngCKqzT9E/YYsei2FNrRG9auqqGuNmZdKn Zo8AD5Jw3Hw6z8s8xG59I4QseNC2eUMmJHI9MlCPj5nVyq0ilHH70mjdfycyfIoQ uo0d60HxE1Ur27SkRhPbK0bwf74fHz2hxj7QaiUBiRtrSZ40ylp9CbxrSxpFthVe sn7BM8IlJ5oSRYpiYPISfo9pUoUCSNwrRNQMMTI3B7jLbqosm1PDpS8uIKkKYFVf tTyJr0gN3BxgX8ZBRYaN92ChlB1Y6vz/xAkmy5N1/g7qBJHYTlrK4qoyZ5iaPm9f gONEZWSuXQiHIWA= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/> <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> </md:KeyDescriptor> <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp:8443/Shibboleth.sso/Artifact/SOAP" index="1"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://sp:8443/Shibboleth.sso/SLO/SOAP"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sp:8443/Shibboleth.sso/SLO/Redirect"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp:8443/Shibboleth.sso/SLO/POST"/> <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp:8443/Shibboleth.sso/SLO/Artifact"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://sp:8443/Shibboleth.sso/SAML2/POST" index="1"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://sp:8443/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp:8443/Shibboleth.sso/SAML2/Artifact" index="3"/> <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp:8443/Shibboleth.sso/SAML2/ECP" index="4"/> <md:AttributeConsumingService index="1"> <md:ServiceName xml:lang="en">Sample Service</md:ServiceName> <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription> <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> <md:RequestedAttribute FriendlyName="mail" Name="urn:mace:dir:attribute-def:mail" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> <md:RequestedAttribute FriendlyName="displayName" Name="urn:mace:dir:attribute-def:displayName" NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/> </md:AttributeConsumingService> </md:SPSSODescriptor> <md:Organization> <md:OrganizationName xml:lang="en">My Organization Name</md:OrganizationName> <md:OrganizationDisplayName xml:lang="en">My Organization Display Name</md:OrganizationDisplayName> <md:OrganizationURL xml:lang="en">https://www.utexas.edu</md:OrganizationURL> </md:Organization> <md:ContactPerson contactType="technical"> <md:GivenName>Technical Team</md:GivenName> <md:EmailAddress>technical@example.org</md:EmailAddress> </md:ContactPerson> <md:ContactPerson contactType="administrative"> <md:GivenName>Same as Technical Team</md:GivenName> <md:EmailAddress>technical@example.org</md:EmailAddress> </md:ContactPerson> <md:ContactPerson 
contactType="support"> <md:GivenName>Support Team</md:GivenName> <md:EmailAddress>support@example.org</md:EmailAddress> </md:ContactPerson> <md:ContactPerson contactType="other" xmlns:remd="http://refeds.org/metadata" remd:contactType="http://refeds.org/metadata/contactType/security"> <md:GivenName>Security Team</md:GivenName> <md:EmailAddress>technical@example.org</md:EmailAddress> </md:ContactPerson> </md:EntityDescriptor>
The examples below demonstrate how to protect URLs using the Shibboleth Service Provider software running on Apache HTTPD Server. See https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig for information about configuring the Shibboleth Service Provider software on Apache HTTPD.
The examples below are illustrative only; your code or approach may vary depending on your service provider, server, and configuration. For assistance, please refer to the documentation or vendor of your chosen service provider software.
This example demonstrates requiring authentication for a resource:
# Require an authenticated Shibboleth session for /secure and every URL path beneath it.
<Location /secure>
    # Hand authentication for this path to mod_shib.
    AuthType shibboleth
    # Start a login when the request arrives without a session.
    ShibRequestSetting requireSession 1
    # Any valid session is enough here; no attribute value is checked.
    Require shib-session
</Location>
These examples demonstrate the use of a multi-value attribute for authorization:
# Authorization on a multi-valued attribute: the rule passes when any one of the
# values released for unscoped-affiliation equals the value named in the rule.
# The attribute carries no scope, so the rule cannot tell which organisation asserted
# the value; if the SP trusts more than one IdP, review which of them may assert it.
<Location /onlystaff>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Only sessions whose affiliation values include "staff".
    Require shib-attr unscoped-affiliation staff
</Location>

<Location /onlystudents>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Only sessions whose affiliation values include "student".
    Require shib-attr unscoped-affiliation student
</Location>
This example demonstrates the use of a single-value attribute for authorization:
# Authorization on a single-valued attribute: access requires that the one
# primary-affiliation value released for the session is "staff".
<Location /onlystaffprimary>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # A session that lacks the attribute, or carries another value, is refused.
    Require shib-attr primary-affiliation staff
</Location>
This example demonstrates requesting a different authentication context:
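# Request a specific authentication context for /secure-duo and enforce it on the way in.
<Location /secure-duo>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # Send logins started from this path to this IdP.
    ShibRequestSetting entityID https://enterprise.login.utexas.edu/idp/shibboleth
    # Ask the IdP for this authentication context class. This only shapes the login
    # request; it does not by itself reject a session that was created without it.
    ShibRequestSetting authnContextClassRef https://idm.utsystem.edu/authncontext/twofactorbasic
    # "valid-user" alone is satisfied by any session, including one opened elsewhere on
    # the site without the requested context. Also require that the session reports the
    # context class. Bare Require lines are OR-ed together, hence the RequireAll wrapper.
    # Expect a refusal rather than an automatic re-login when an existing session lacks
    # the context - confirm the behaviour against your SP version.
    <RequireAll>
        Require valid-user
        Require authnContextClassRef https://idm.utsystem.edu/authncontext/twofactorbasic
    </RequireAll>
</Location>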
This example demonstrates removing the authentication requirement for the specified directory, overriding its inherited permissions.
# Lift the authentication requirement inherited from a parent path.
# Everything under /secure/butnotreally becomes reachable without a session, so keep
# the path as narrow as possible. Location sections are applied in the order they
# appear in the configuration, so this one must come after the section it overrides.
<Location /secure/butnotreally>
    # No authentication module is consulted for this path.
    AuthType None
    # Every request is authorized.
    Require all granted
</Location>
The following code will add contacts in order to help comply with our metadata requirements:
1. Add the xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" and xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" namespaces to your <SPConfig> opening tag in shibboleth2.xml, similar to the example below:
<!-- Opening tag of shibboleth2.xml only. The md and mdui prefixes are declared here so that
     md:* and mdui:* elements nested further down the file resolve. -->
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
          clockSkew="180">
2. Add the following to the MetadataGenerator <Handler>. Be sure to provide your department’s contact info:
<!-- MetadataGenerator handler: the md:* children below are copied into the metadata the SP
     generates at /Metadata, and signing="true" asks the SP to sign that output.
     The generated document is a starting point for review, not something to serve live to partners.
     NOTE(review): the SP documentation describes an acl attribute that limits which client
     addresses may call a handler; confirm it applies to this handler in your SP version. -->
<Handler type="MetadataGenerator" Location="/Metadata" signing="true">

  <!-- Placeholder organisation details: replace all three values. -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">My Organization Name</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">My Organization Display Name</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://www.utexas.edu</md:OrganizationURL>
  </md:Organization>

  <!-- Placeholder contacts: use mailboxes that your department monitors. -->
  <md:ContactPerson contactType="technical">
    <md:GivenName>Technical Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Same as Technical Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>Support Team</md:GivenName>
    <md:EmailAddress>support@example.org</md:EmailAddress>
  </md:ContactPerson>
  <!-- REFEDS security contact, the address partners use to report incidents. The sample
       reuses the technical mailbox; point it at whoever handles security reports. -->
  <md:ContactPerson xmlns:remd="http://refeds.org/metadata"
                    contactType="other"
                    remd:contactType="http://refeds.org/metadata/contactType/security">
    <md:GivenName>Security Team</md:GivenName>
    <md:EmailAddress>technical@example.org</md:EmailAddress>
  </md:ContactPerson>

  <!-- Attributes the service asks IdPs to release; list only what the application uses. -->
  <md:AttributeConsumingService index="1">
    <md:ServiceName xml:lang="en">Sample Service</md:ServiceName>
    <md:ServiceDescription xml:lang="en">An example service that requires a human-readable identifier and optional name and e-mail address.</md:ServiceDescription>
    <md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
                           Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
                           NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    <md:RequestedAttribute FriendlyName="mail"
                           Name="urn:mace:dir:attribute-def:mail"
                           NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
    <md:RequestedAttribute FriendlyName="displayName"
                           Name="urn:mace:dir:attribute-def:displayName"
                           NameFormat="urn:mace:shibboleth:1.0:attributeNamespace:uri"/>
  </md:AttributeConsumingService>

</Handler>