In a perfect world, all deployments would support browser-facing SAML V2.0, in which case SOAP-based attribute query and artifact resolution become mostly unnecessary. This would dramatically simplify the deployment of SAML in the Federation.

General Requirements

At the transport level, all protocol endpoints SHOULD be protected with SSL/TLS. In particular, browser-facing endpoints at the IdP MUST be protected with SSL/TLS to preserve the confidentiality of secrets and other sensitive information in transit.

At the message level, all new metadata registered by InCommon, both IdP and SP metadata, MUST support SAML V2.0 Web Browser SSO (whereas support for SAML V1.1 Web Browser SSO is OPTIONAL). In the InCommon Federation, IdPs are strongly encouraged to support SAML V2.0 Web Browser SSO so that SPs have choices with respect to protocol. IdPs that wish to interoperate with the widest range of service providers will support SAML V1.1 Web Browser SSO as well.

Finally, it is recommended that all endpoint locations include a hostname that is rooted in the primary DNS domain of the organization responsible for the entity. If submitted metadata does not meet this basic requirement, a manual vetting process will be triggered.
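The three requirements above can be checked mechanically before metadata is submitted. The following is an added example, not InCommon's own tooling: it parses a constructed IdP metadata fragment (the `example.edu` entity and its endpoints are made up for illustration) and reports endpoints that are not protected with SSL/TLS, hostnames not rooted in the organization's primary DNS domain, and the absence of a SAML V2.0 SingleSignOnService endpoint. Treating any binding URN under `urn:oasis:names:tc:SAML:2.0:bindings:` as SAML V2.0 support is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample: one compliant endpoint and one that violates two requirements
# (plain http, and a hostname outside the organization's DNS domain).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="http://sso.hosted-vendor.example.net/shibboleth/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_metadata(xml_text, org_domain):
    """Return a list of findings; an empty list means the metadata meets the requirements."""
    root = ET.fromstring(xml_text)
    findings = []
    has_saml2_sso = False
    # Every metadata element carrying a Location attribute is a protocol endpoint.
    for el in root.iter():
        loc = el.get("Location")
        if loc is None:
            continue
        tag = el.tag.split("}")[-1]          # strip the namespace from {ns}LocalName
        url = urlparse(loc)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append(f"{tag}: {loc} is not protected with SSL/TLS")
        if not (host == org_domain or host.endswith("." + org_domain)):
            findings.append(f"{tag}: {host} is not rooted in {org_domain} (manual vetting)")
        if tag == "SingleSignOnService" and el.get("Binding", "").startswith(SAML2_BINDING_PREFIX):
            has_saml2_sso = True
    # IdP metadata without a SAML V2.0 SSO endpoint cannot support SAML V2.0 Web Browser SSO.
    if root.find(".//md:IDPSSODescriptor", NS) is not None and not has_saml2_sso:
        findings.append("IdP has no SAML V2.0 SingleSignOnService endpoint")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA, "example.edu"):
        print(finding)
```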

See the child pages of this wiki topic for specific requirements, recommendations, and guidelines regarding other profiles, bindings, and protocols.

Resources