...
Tip |
---|
New IdPs SHOULD NOT advertise legacy SAML1 endpoints in IdP metadata. |
...
Support for SAML V1.1 Web Browser SSO is OPTIONAL:

- IdPs that support the legacy Shibboleth profile of SAML V1.1 MUST include one and only one TLS-protected `<md:SingleSignOnService>` endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
- IdPs MAY include an `<md:ArtifactResolutionService>` endpoint that supports the SAML V1.1 SOAP binding and the SAML V1.1 Browser/Artifact profile. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs SHOULD include an `<md:AttributeService>` endpoint that supports the SAML V1.1 SOAP binding. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs MUST support the `urn:mace:shibboleth:1.0:nameIdentifier` transient name identifier format.
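The rules above can be checked mechanically against an IdP's metadata. The following checker is an added example, not code from the federation guidance or the Shibboleth project; it assumes standard SAML 2.0 metadata namespaces, the standard Shibboleth 1.x AuthnRequest and SAML V1.1 SOAP binding URNs, and a constructed sample entity (`idp.example.org` is a placeholder). Since metadata cannot show whether back-channel messages are signed, a non-https back-channel endpoint is reported for human review rather than treated as a definite error.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Standard binding/format identifiers for the legacy profiles the text describes
SHIB_AUTHNREQUEST = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SHIB_TRANSIENT = "urn:mace:shibboleth:1.0:nameIdentifier"

# Constructed sample (idp.example.org is a placeholder): one browser-facing SSO endpoint on
# 443, a back-channel AttributeService on 8443, and the transient name identifier format.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""


def _tls(loc):
    return (loc or "").lower().startswith("https://")


def check_saml1_endpoints(xml_text):
    """Return findings against the legacy SAML1 rules; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["MUST: no md:IDPSSODescriptor present"]
    findings = []
    sso = [e for e in idp.findall(MD + "SingleSignOnService") if e.get("Binding") == SHIB_AUTHNREQUEST]
    if len(sso) != 1:
        findings.append("MUST: one and only one Shibboleth 1.x AuthnRequest SingleSignOnService (found %d)" % len(sso))
    findings += ["MUST: SingleSignOnService not TLS-protected: %s" % e.get("Location") for e in sso if not _tls(e.get("Location"))]
    aa = root.find(MD + "AttributeAuthorityDescriptor")
    attr = [] if aa is None else [e for e in aa.findall(MD + "AttributeService") if e.get("Binding") == SAML1_SOAP]
    if not attr:
        findings.append("SHOULD: no SAML V1.1 SOAP AttributeService endpoint")
    art = [e for e in idp.findall(MD + "ArtifactResolutionService") if e.get("Binding") == SAML1_SOAP]
    # Back-channel endpoints must be TLS-protected unless messages are signed; metadata alone
    # cannot show signing, so a non-https Location is reported for a human to confirm.
    findings += ["MUST (unless signed): back-channel endpoint not TLS-protected: %s" % e.get("Location")
                 for e in attr + art if not _tls(e.get("Location"))]
    formats = [f.text.strip() for f in idp.findall(MD + "NameIDFormat") if f.text]
    if SHIB_TRANSIENT not in formats:
        findings.append("MUST: NameIDFormat %s missing" % SHIB_TRANSIENT)
    return findings
```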
...
Note that the browser-facing `<md:SingleSignOnService>` endpoint runs on the default TLS port (443) while the back-channel endpoints typically run on some non-standard port (such as 8443 in the examples above).