...

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol, you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. (In practice, the actual number of such endpoints is implementation-dependent.) Once the unauthenticated user has selected their preferred identity provider, the discovery service redirects the user back to the SP at the designated endpoint. Registering that endpoint in metadata is what allows the discovery service to verify the return location named in an SP's discovery request, so a request that points at an unregistered location is refused rather than turning the discovery service into an open redirector.

...

  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
  • SPs MAY include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
  • SPs MAY include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.

Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:

  • SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.
SAML Endpoints in SP Metadata:

<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
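Added here as a worked example, not part of the original wiki page and not InCommon or Shibboleth tooling: a small standard-library Python checker that applies the endpoint rules above (TLS-protected HTTP-POST endpoint required; Artifact and PAOS endpoints optional but TLS-protected when present; DiscoveryResponse endpoints registered with the discovery-protocol binding) to an SP's metadata. The two metadata documents it reads are constructed for the example; the entityID, the /sso/DS and /sso/SAML2/ECP locations, and the uniqueness-of-index check (which comes from the SAML metadata schema rather than this page) are assumptions.

```python
"""Check an SP's SAML V2.0 metadata against the endpoint rules on this page.

Standard library only (xml.etree and urllib.parse); example code, not project code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
IDP_DISCO = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"


def _is_tls(location):
    """True only for an absolute https URL with a host part."""
    parts = urlsplit(location or "")
    return parts.scheme == "https" and bool(parts.netloc)


def check_sp_metadata(xml_text):
    """Return a list of (level, message) findings; an empty list means every rule passed."""
    root = ET.fromstring(xml_text)
    sp_tag = "{%s}SPSSODescriptor" % NS["md"]
    sp = root if root.tag == sp_tag else root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return [("MUST", "no md:SPSSODescriptor found")]
    findings = []

    acs_list = sp.findall("md:AssertionConsumerService", NS)
    by_binding = {}
    for acs in acs_list:
        by_binding.setdefault(acs.get("Binding"), []).append(acs)

    # MUST: at least one HTTP-POST endpoint, and every one of them behind TLS.
    post = by_binding.get(HTTP_POST, [])
    if not post:
        findings.append(("MUST", "no AssertionConsumerService with the HTTP-POST binding"))
    for acs in post:
        if not _is_tls(acs.get("Location")):
            findings.append(("MUST", "HTTP-POST endpoint is not https: %s" % acs.get("Location")))

    # Optional bindings: the page still describes the Artifact endpoint as
    # "SSL/TLS-protected" (hard failure) and says PAOS "SHOULD" be protected.
    for binding, label, level in ((HTTP_ARTIFACT, "HTTP-Artifact", "MUST"), (PAOS, "PAOS", "SHOULD")):
        for acs in by_binding.get(binding, []):
            if not _is_tls(acs.get("Location")):
                findings.append((level, "%s endpoint is not https: %s" % (label, acs.get("Location"))))

    # Assumption from the SAML metadata schema, not this page: index values are unique per role.
    indexes = [acs.get("index") for acs in acs_list]
    if len(indexes) != len(set(indexes)):
        findings.append(("MUST", "duplicate AssertionConsumerService index values"))

    # Discovery: each DiscoveryResponse must use the discovery-protocol binding and TLS.
    for dr in sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS):
        if dr.get("Binding") != IDP_DISCO:
            findings.append(("MUST", "DiscoveryResponse has wrong Binding: %s" % dr.get("Binding")))
        if not _is_tls(dr.get("Location")):
            findings.append(("MUST", "DiscoveryResponse is not https: %s" % dr.get("Location")))
    return findings


# Constructed sample metadata (entityID, /sso/DS and /sso/SAML2/ECP are assumptions).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1"
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.org/sso/DS"/>
    </md:Extensions>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/sso/SAML2/Artifact"/>
    <md:AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp.example.org/sso/SAML2/ECP"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same document with two deliberate mistakes: a plaintext POST endpoint and a
# DiscoveryResponse that names the wrong binding.
BAD_METADATA = (
    GOOD_METADATA
    .replace("https://sp.example.org/sso/SAML2/POST", "http://sp.example.org/sso/SAML2/POST")
    .replace('Binding="%s"' % IDP_DISCO, 'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"')
)

if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_sp_metadata(doc) or "OK")
```

Run it against the aggregate's copy of your entity rather than your local file: the rules apply to what the federation publishes, and it is the published DiscoveryResponse location that a discovery service will compare against.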

...