...
- Metadata Consumption
- refresh metadata daily
- verify the XML signature
- check the expiration date
- X.509 Certificates in Metadata
- use of self-signed certificates with 2048-bit keys
- no unexpired certificates in metadata
- controlled migration of keys
- User Interface Elements in IdP/SP Metadata
- Requested Attributes in SP Metadata
- In general, it is RECOMMENDED that all service endpoints be protected with SSL/TLS.
- SAML V1.1 Support
- IdPs MUST include an SSL/TLS-protected endpoint that supports the Shibboleth 1.x AuthnRequest protocol
- IdPs MUST support the
urn:mace:shibboleth:1.0:nameIdentifier
name identifier format
- SPs MUST include an SSL/TLS-protected endpoint that supports the SAML V1.1 Browser/POST profile
- SAML V2.0 Support
- IdPs MUST include an SSL/TLS-protected endpoint that supports the SAML V2.0 HTTP-Redirect binding
- IdPs MUST support the
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
name identifier format
- SPs that support SAML V2.0 should indicate so in metadata (be specific)
- SPs MUST include an SSL/TLS-protected endpoint that supports the SAML V2.0 HTTP-POST binding
- SAML V2.0 SPs MUST include an encryption key
- SAML V2.0 Enhanced Client or Proxy (ECP) Support
- IdPs MUST include an endpoint that supports the SAML V2.0 SOAP binding
- does this endpoint need to be SSL/TLS-protected?
- SPs MUST include an endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding
- does this endpoint need to be SSL/TLS-protected?
- IdPs MUST include an endpoint that supports the SAML V2.0 SOAP binding
...