...
Discovery Service Endpoints in SP Metadata
If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol, you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. (In practice, the number of such endpoints is implementation-dependent.) Once the unauthenticated user has selected their preferred identity provider, the discovery service redirects the user back to the SP at the designated endpoint. The discovery service checks the return location it is asked to use against the <idpdisc:DiscoveryResponse> endpoints published in metadata, so only endpoints listed here can receive the user's selection.
...
- SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
- SPs MAY include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
- SPs MAY include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.
Support for SAML V2.0 Enhanced Client or Proxy (ECP) is OPTIONAL:
- SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.
```xml
<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
```
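The endpoint rules above (the required HTTP-POST endpoint, the optional Artifact, PAOS and DiscoveryResponse endpoints, and the SSL/TLS requirement on each) are easy to lint mechanically before metadata is submitted. The following is an added example, not code from this page or from any Shibboleth or InCommon tool: a small checker over an SP's metadata using only the Python standard library. The sample metadata, the entityID and the `/sso/DS` and `/sso/SAML2/ECP` paths are constructed for illustration; the POST and Artifact Locations mirror the example above. Two checks go slightly beyond this page and are marked as such in the code: the DiscoveryResponse Binding value required by the IdP Discovery profile, and the uniqueness of `index` among sibling endpoints required by the SAML metadata specification.

```python
"""Added example: lint an SP's SAML V2.0 metadata against the endpoint rules above."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
NS = {"md": MD, "idpdisc": IDPDISC}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Severity of a non-https Location per binding, following the wording above: the POST
# endpoint MUST be SSL/TLS-protected (FAIL); PAOS SHOULD be (WARN); Artifact and
# DiscoveryResponse endpoints are optional, but when present are expected to be TLS (WARN).
TLS_LEVEL = {HTTP_POST: "FAIL", HTTP_ARTIFACT: "WARN", PAOS: "WARN", IDPDISC: "WARN"}
NAME = {HTTP_POST: "HTTP-POST", HTTP_ARTIFACT: "HTTP-Artifact", PAOS: "PAOS", IDPDISC: "DiscoveryResponse"}


def is_tls(location):
    """Only an https:// Location counts as SSL/TLS-protected."""
    return urlsplit(location or "").scheme == "https"


def check_sp_endpoints(metadata_xml):
    """Return (level, message) findings: FAIL = MUST violated, WARN = SHOULD unmet, INFO = MAY absent."""
    root = ET.fromstring(metadata_xml)
    findings = []
    # iter() handles both a single EntityDescriptor and an EntitiesDescriptor aggregate.
    for sp in root.iter("{%s}SPSSODescriptor" % MD):
        acs = sp.findall("md:AssertionConsumerService", NS)
        disc = sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)
        bindings = {e.get("Binding") for e in acs}

        if HTTP_POST not in bindings:
            findings.append(("FAIL", "no HTTP-POST AssertionConsumerService endpoint"))
        if HTTP_ARTIFACT not in bindings:
            findings.append(("INFO", "no HTTP-Artifact AssertionConsumerService endpoint (MAY)"))
        if PAOS not in bindings:
            findings.append(("INFO", "no PAOS AssertionConsumerService endpoint (ECP is OPTIONAL)"))
        # Metadata alone cannot tell whether the SP uses IdP discovery, so absence is informational;
        # it is a MUST violation only for an SP that is configured to use a discovery service.
        if not disc:
            findings.append(("INFO", "no idpdisc:DiscoveryResponse endpoint (MUST if the SP uses discovery)"))

        for e in acs + disc:
            binding, loc = e.get("Binding"), e.get("Location")
            if binding in TLS_LEVEL and not is_tls(loc):
                findings.append((TLS_LEVEL[binding], "%s endpoint not SSL/TLS-protected: %s" % (NAME[binding], loc)))

        # The DiscoveryResponse Binding must be the discovery-protocol URI (IdP Discovery profile, not this page).
        for e in disc:
            if e.get("Binding") != IDPDISC:
                findings.append(("FAIL", "DiscoveryResponse has Binding %r, expected %s" % (e.get("Binding"), IDPDISC)))

        # index must be unique among sibling ACS elements (SAML metadata specification, not this page).
        seen = set()
        for e in acs:
            if e.get("index") in seen:
                findings.append(("FAIL", "duplicate AssertionConsumerService index %s" % e.get("index")))
            seen.add(e.get("index"))
    return findings


def passes(findings):
    """True when no MUST-level rule is violated."""
    return not any(level == "FAIL" for level, _ in findings)


# Constructed sample metadata (hypothetical entityID and DS/ECP paths); the POST and
# Artifact Locations mirror the example endpoints on this page.
GOOD_SP = """<md:EntityDescriptor xmlns:md="%s" xmlns:idpdisc="%s" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1" Binding="%s" Location="https://sp.example.org/sso/DS"/>
    </md:Extensions>
    <md:AssertionConsumerService index="1" Binding="%s" Location="https://sp.example.org/sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="%s" Location="https://sp.example.org/sso/SAML2/Artifact"/>
    <md:AssertionConsumerService index="3" Binding="%s" Location="https://sp.example.org/sso/SAML2/ECP"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, IDPDISC, IDPDISC, HTTP_POST, HTTP_ARTIFACT, PAOS)

# The same SP with a plaintext POST endpoint, a duplicate index, and no discovery or ECP endpoint.
BAD_SP = """<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" Binding="%s" Location="http://sp.example.org/sso/SAML2/POST"/>
    <md:AssertionConsumerService index="1" Binding="%s" Location="https://sp.example.org/sso/SAML2/Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, HTTP_POST, HTTP_ARTIFACT)

if __name__ == "__main__":
    for label, xml in (("good", GOOD_SP), ("bad", BAD_SP)):
        findings = check_sp_endpoints(xml)
        print(label, "PASS" if passes(findings) else "FAIL")
        for level, msg in findings:
            print("  [%s] %s" % (level, msg))
```

Run it against a metadata file with `check_sp_endpoints(open("sp-metadata.xml").read())`; the GOOD_SP sample produces no findings, while BAD_SP fails on the plaintext HTTP-POST Location and the duplicate index and reports the missing PAOS and DiscoveryResponse endpoints as informational. Note that an https scheme only shows the endpoint is advertised as TLS-protected; whether the certificate and TLS configuration are acceptable is a separate check against the live server.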
...