SAML Keys Format

MIKE LLOYD - QQ1 mike.lloyd at
Thu Feb 6 11:43:16 EST 2020

Sounds good, thanks Scott.


On Wed, Feb 5, 2020 at 5:10 PM Cantor, Scott <cantor.2 at> wrote:

> You will never see a (correct) instance of metadata or any other
> ds:X509Certificate element anywhere with the headers. The relevant standard
> is XML Signature, and the syntax of that element is a base64-encoded
> DER-encoded certificate. PEM is simply that format with the headers added.
> The XML Schema type of the element is called base64Binary. The headers are
> not valid base64 so they blatantly break the syntax and would choke any
> validating parser.
>
> > I noticed the metadata/idp-metadata.xml configuration file references
>
> There is no such configuration file. The IdP never uses its own metadata.
> That file is a dummy example file (really should never have been created,
> but it's historical) that's just a sample. It should never be used as
> anything but a starting point for creating the appropriate metadata to give
> to federations and the like.
>
> > I've seen ADFS SAML 2.0 references contain the certificate headers and
> > footers
>
> I would be surprised, but given that ADFS can't even handle valid
> metadata, it would be fitting if it accepted something that's clearly
> invalid.
>
> > and I didn't see the OASIS SAML 2.0 specify whether the headers and
> > footers were needed
>
> Because it's not a SAML element. It comes from XML Signature.
>
> -- Scott


Mike Lloyd
Innovation Specialist, 18F,
g: mxplusb
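Added example (not code from this thread or from the Shibboleth project): the point Scott makes above is that ds:X509Certificate is an xs:base64Binary element holding the base64 of the DER certificate bytes, so the PEM "-----BEGIN/END CERTIFICATE-----" lines are not valid content. The script below converts a PEM file into the text that belongs inside the element (and back), and scans a metadata document for ds:X509Certificate elements whose content would fail that base64Binary rule. The metadata snippet, the entityID, and the tiny DER blob it carries are constructed for the demonstration; the blob is a bare DER SEQUENCE, not a real X.509 certificate, and only exercises the framing checks. Note that a plain XML parser such as ElementTree accepts the PEM lines as ordinary text; the rejection Scott describes comes from schema validation, which this check emulates.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for a DER certificate: a DER SEQUENCE holding one
# INTEGER. It is NOT a real X.509 certificate; it only exercises the
# base64/DER framing checks below.
FAKE_DER = bytes.fromhex("3003020105")
FAKE_B64 = base64.b64encode(FAKE_DER).decode("ascii")

PEM_HEADER = re.compile(r"-----(BEGIN|END) [A-Z ]+-----")


def pem_to_ds_x509(pem: str) -> str:
    """Turn a PEM certificate into the text that belongs inside
    <ds:X509Certificate>: the base64 of the DER bytes, header and
    footer lines removed."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not PEM_HEADER.fullmatch(line.strip())
    )
    # Round-trip through the decoder so a corrupted PEM fails here, not in the IdP.
    der = base64.b64decode(body, validate=True)
    return base64.b64encode(der).decode("ascii")


def ds_x509_to_pem(b64_text: str, label: str = "CERTIFICATE") -> str:
    """Inverse: wrap base64Binary element content in PEM headers, 64 chars/line."""
    clean = re.sub(r"\s+", "", b64_text)
    base64.b64decode(clean, validate=True)
    lines = [clean[i:i + 64] for i in range(0, len(clean), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def check_ds_x509_text(text: str) -> tuple[bool, str]:
    """Apply the xs:base64Binary rule plus a DER sanity check to element text."""
    if PEM_HEADER.search(text):
        return False, "PEM header/footer present; not valid base64Binary"
    clean = re.sub(r"\s+", "", text)  # base64Binary permits whitespace
    try:
        der = base64.b64decode(clean, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded bytes do not start with a DER SEQUENCE (0x30)"
    # Compare the declared SEQUENCE length (short or long form) with the real size.
    if der[1] < 0x80:
        declared, hdr = der[1], 2
    else:
        n = der[1] & 0x7F
        declared, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + declared != len(der):
        return False, "DER SEQUENCE length does not match content"
    return True, "ok"


def find_bad_certificates(metadata_xml: str) -> list[tuple[int, str]]:
    """Report every ds:X509Certificate in a metadata document whose content
    would fail schema validation. Returns (index, reason) pairs."""
    root = ET.fromstring(metadata_xml)
    bad = []
    for i, el in enumerate(root.iter(f"{{{DS_NS}}}X509Certificate")):
        ok, reason = check_ds_x509_text(el.text or "")
        if not ok:
            bad.append((i, reason))
    return bad


# Constructed sample metadata: two KeyDescriptors, the second with PEM headers.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="{DS_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {FAKE_B64}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>-----BEGIN CERTIFICATE-----
{FAKE_B64}
-----END CERTIFICATE-----</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for idx, why in find_bad_certificates(SAMPLE_METADATA):
        print(f"ds:X509Certificate #{idx}: {why}")
```

Running it flags only the second element. To prepare real metadata, feed the output of pem_to_ds_x509() on your certificate file into the element; tools that insist on PEM (many ADFS-side instructions do) can be given ds_x509_to_pem() of the element text instead.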