...

Policy: All domains in IdP endpoint locations SHOULD be controlled by the organization associated with the IdP. This policy is self-enforced by the IdP owner.

...

Domain Ownership

...

owner

...

.

The remainder of this document outlines the advantages of controlling the domains in IdP endpoint locations.

As a hypothetical example, IdP metadata submitted by an organization in control of the example.edu domain might contain the following elements:

...

Note: Domains in IdP endpoint locations
It is strongly RECOMMENDED that all domains in IdP endpoint locations be controlled by the organization associated with the IdP. An endpoint on a domain the organization controls is much more likely to remain stable. This matters because changing an endpoint location can affect both interoperability and end-user trust.

Since a browser-facing SSO endpoint location appears in the browser address bar, it is by definition part of the login interface. A trusted login interface incorporates design elements that the user easily recognizes, and the SSO endpoint location is one of those elements, so choose your endpoint locations with care. Most importantly, choose a domain that the user recognizes. Most often this will be the primary domain controlled by the organization (such as example.edu above) or a subdomain rooted in the primary domain.
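Because the policy is self-enforced, an IdP operator needs a way to check their own metadata before submitting it. The following is an added example (not code from this page or from the federation) that parses a SAML 2.0 IdP metadata document, collects every endpoint Location and ResponseLocation under the IDPSSODescriptor, and reports any whose host is not example.edu or a subdomain rooted in it. The metadata below is constructed for illustration and is not the elided example above; the vendor-hosted and look-alike hostnames in it are assumptions made up to show the two cases a naive suffix check gets wrong.

```python
"""Self-check: are all IdP endpoint locations rooted in the organization's domain?

Added example. The sample metadata is constructed for this illustration; the
hostnames in it are assumptions, not real deployments.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: a minimal IDPSSODescriptor with two endpoints on the
# organization's own domain and two that are not (a vendor-hosted host, and a
# host that merely begins with the string "example.edu").
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.edu/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.edu/idp/profile/SAML2/POST/SSO"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-edu.sso-vendor.example.com/slo"
        ResponseLocation="https://example-edu.sso-vendor.example.com/slo/response"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://example.edu.other.example/artifact" index="0"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def host_in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain rooted in it.

    The comparison is made on a label boundary: "example.edu.other.example"
    and "notexample.edu" must NOT match "example.edu", which a plain
    str.endswith("example.edu") check would accept.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def endpoint_locations(metadata_xml: str) -> list[tuple[str, str]]:
    """Return (elementName, URL) for every Location/ResponseLocation attribute
    on a direct child of an IDPSSODescriptor (SingleSignOnService,
    SingleLogoutService, ArtifactResolutionService, and so on)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in root.iter(f"{{{MD_NS}}}IDPSSODescriptor"):
        for endpoint in role:
            name = endpoint.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            for attr in ("Location", "ResponseLocation"):
                url = endpoint.get(attr)
                if url:
                    found.append((name, url))
    return found


def check_endpoint_domains(metadata_xml: str, org_domain: str) -> list[tuple[str, str]]:
    """Return the endpoints whose host is not rooted in org_domain.

    An empty list means the metadata satisfies the domain-control policy as
    far as this check can tell; it cannot verify who actually controls DNS.
    """
    findings = []
    for name, url in endpoint_locations(metadata_xml):
        host = urlsplit(url).hostname or ""
        if not host_in_domain(host, org_domain):
            findings.append((name, url))
    return findings


if __name__ == "__main__":
    for name, url in check_endpoint_domains(SAMPLE_METADATA, "example.edu"):
        print(f"NOT under example.edu: {name} -> {url}")
```

Run against a real metadata file, the script flags every endpoint the IdP owner would have to renegotiate with a third party (or rename) if the hosting arrangement changes. It checks only the hostname string; whether the organization really controls that DNS zone is still something the owner has to confirm out of band.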

...

Tip: It's in the best interest of the IdP owner to own the domains!
The best way to avoid having to change your endpoint locations is to control the domains in the endpoint locations in metadata.