...

Tip
New IdPs SHOULD NOT advertise legacy SAML1 endpoints in IdP metadata.

...

Support for SAML V1.1 Web Browser SSO is OPTIONAL:

  • IdPs that support the legacy Shibboleth profile of SAML V1.1 MUST include one and only one TLS-protected <md:SingleSignOnService> endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
  • IdPs MAY include an <md:ArtifactResolutionService> endpoint that supports the SAML V1.1 SOAP binding and the SAML V1.1 Browser/Artifact profile. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
  • IdPs SHOULD include an <md:AttributeService> endpoint that supports the SAML V1.1 SOAP binding. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
  • IdPs MUST support the urn:mace:shibboleth:1.0:nameIdentifier transient name identifier format.

...

Note that the browser-facing <md:SingleSignOnService> endpoint runs on the default TLS port (443) while the back-channel endpoints typically run on some non-standard port (such as 8443 in the examples above).
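The requirements listed above can be checked mechanically before metadata is published. The following is an added example, not code from the original page or from InCommon/Shibboleth: a small Python checker that parses an IdP's SAML metadata and reports, with the RFC 2119 level from the list above, any SAML V1.1 endpoint requirement it fails to meet. It assumes the standard binding URIs for the Shibboleth 1.x AuthnRequest profile (urn:mace:shibboleth:1.0:profiles:AuthnRequest) and the SAML V1.1 SOAP binding (urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding), which are not stated on the page, and the two embedded metadata documents are constructed sample input. Since a metadata checker cannot tell whether message-based signing is in use, a non-TLS back-channel endpoint is reported as "MUST (unless message-signed)" for a human to confirm.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Binding/format URIs assumed from the SAML V1.1 and Shibboleth 1.x specifications.
SHIB1_AUTHNREQUEST = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SHIB1_TRANSIENT = "urn:mace:shibboleth:1.0:nameIdentifier"


def _is_tls(location):
    """True when the endpoint Location uses https (the only TLS scheme here)."""
    return (location or "").lower().startswith("https://")


def check_saml1_idp(xml_text):
    """Return a list of findings for the SAML V1.1 requirements; empty means compliant."""
    root = ET.fromstring(xml_text)
    idp_tag = "{%s}IDPSSODescriptor" % NS["md"]
    idp = root if root.tag == idp_tag else root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["MUST: no md:IDPSSODescriptor found in metadata"]

    findings = []

    # Exactly one TLS-protected SingleSignOnService for the Shibboleth 1.x AuthnRequest protocol.
    sso = [e for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == SHIB1_AUTHNREQUEST]
    if len(sso) != 1:
        findings.append("MUST: expected exactly one SingleSignOnService with Binding %s, found %d"
                        % (SHIB1_AUTHNREQUEST, len(sso)))
    elif not _is_tls(sso[0].get("Location")):
        findings.append("MUST: SingleSignOnService Location %s is not https" % sso[0].get("Location"))

    # Back-channel SOAP endpoints: ArtifactResolutionService is MAY, AttributeService is SHOULD;
    # when present, each MUST be TLS-protected unless message-based signing is used.
    for tag, level in (("ArtifactResolutionService", "MAY"), ("AttributeService", "SHOULD")):
        endpoints = [e for e in idp.findall("md:%s" % tag, NS) if e.get("Binding") == SAML1_SOAP]
        if not endpoints and level == "SHOULD":
            findings.append("SHOULD: no %s with Binding %s" % (tag, SAML1_SOAP))
        for e in endpoints:
            if not _is_tls(e.get("Location")):
                findings.append("MUST (unless message-signed): %s Location %s is not https"
                                % (tag, e.get("Location")))

    # The Shibboleth 1.x transient name identifier format must be declared.
    formats = [(n.text or "").strip() for n in idp.findall("md:NameIDFormat", NS)]
    if SHIB1_TRANSIENT not in formats:
        findings.append("MUST: NameIDFormat %s not declared" % SHIB1_TRANSIENT)

    return findings


# Constructed sample: compliant IdP metadata (browser endpoint on 443, back channel on 8443).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:ArtifactResolutionService index="1"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
</md:EntityDescriptor>"""

# Constructed sample with three defects: two Shibboleth 1.x SSO endpoints, a plain-http
# AttributeService, and no transient NameIDFormat.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="http://idp.example.org:8080/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp-old.example.org/idp/profile/Shibboleth/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_saml1_idp(doc) or "compliant")
```

In GOOD_METADATA the md:AttributeService is placed inside md:IDPSSODescriptor in the constructed sample purely so the checker can read every endpoint from one role descriptor; real Shibboleth IdP metadata usually advertises the attribute query endpoint under md:AttributeAuthorityDescriptor as well, so adapt the lookup to your deployment's metadata layout before relying on the SHOULD finding.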