This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.
This page gives guidance and recommendations regarding SAML endpoints in IdP metadata. Endpoints in Metadata are crucial to the overall security of SAML protocol exchanges.
Keep it simple!
Consider Endpoint Locations to be Permanent!
Choose your endpoint locations with care. Once published, any change to your endpoint locations in metadata will adversely affect interoperability.
SAML Endpoints in IdP Metadata
The most important endpoint in IdP metadata is the <md:SingleSignOnService> endpoint. Every IdP MUST have at least one such endpoint in metadata. In general, an IdP includes an <md:SingleSignOnService> endpoint for each combination of binding and protocol it wishes to support.
One Endpoint per Binding
There MUST NOT be two <md:SingleSignOnService> elements with the same Binding attribute value. At best, a software implementation chooses the first such endpoint it finds, so in that sense multiple endpoints with the same Binding attribute value constitute a deployment error.
In the InCommon Federation, every IdP that supports SP-initiated SAML V2.0 Web Browser SSO MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the SAML V2.0 HTTP-Redirect binding. Likewise every IdP that supports the legacy Shibboleth profile of SAML V1.1 MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
The other common SAML V2.0 HTTP binding, HTTP-POST, SHOULD be supported for compatibility with a non-trivial number of commercial services.
An IdP that supports the SAML V2.0 Enhanced Client or Proxy (ECP) profile SHOULD include an additional <md:SingleSignOnService> endpoint that supports the SAML V2.0 SOAP binding. Typically the IdP authenticates non-browser ECP clients using Basic Authentication.
Single Logout Endpoints
A single topic covering Single Logout Endpoints in both IdP and SP metadata will be found elsewhere in this wiki.
An IdP that supports SAML V2.0 Artifact Resolution (or the SAML V1.1 Browser/Artifact profile) MUST include one or more <md:ArtifactResolutionService> endpoints in metadata. Support for artifact resolution is OPTIONAL, however. While it is true that some SPs prefer inbound HTTP-Artifact to HTTP-POST, this is the exception rather than the rule.
An IdP that supports attribute query MUST have one or more <md:AttributeService> endpoints in metadata. This is typically only a SAML V1.1 consideration, however. Generally an <md:AttributeService> endpoint that supports the SAML V2.0 SOAP binding SHOULD NOT be included in IdP metadata, to avoid unnecessary queries from SAML V2.0 SPs.
Attribute Query Endpoints
SAML V1.1 typically involves attribute query while SAML V2.0 typically does not. If your IdP is configured to always push attributes during SAML V2.0 Web Browser SSO, you can safely remove the SAML V2.0 <md:AttributeService> endpoint. Failure to do so will cause redundant attribute queries to occur, and in some cases spurious errors at the SP have been reported. In any case, you will probably want to keep the SAML V1.1 <md:AttributeService> endpoint.
Technical Details
Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:
- IdPs that participate in SP-initiated SAML V2.0 flows MUST include one and only one SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the SAML V2.0 HTTP-Redirect binding.
- IdPs MAY include an <md:ArtifactResolutionService> endpoint that supports the SAML V2.0 SOAP binding. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs SHOULD NOT include an <md:AttributeService> endpoint that supports the SAML V2.0 SOAP binding. If such an endpoint is supported, it MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs MUST support the urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier format and SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier format.
Support for SAML V2.0 Enhanced Client or Proxy is RECOMMENDED:
- IdPs SHOULD include an <md:SingleSignOnService> endpoint that supports the SAML V2.0 SOAP binding with either HTTP Basic Authentication or TLS Client Authentication. This endpoint MUST be protected by SSL/TLS.
Support for SAML V1.1 Web Browser SSO is OPTIONAL:
- IdPs that participate in SP-initiated SAML V1.1 flows MUST include one and only one SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
- IdPs MAY include an <md:ArtifactResolutionService> endpoint that supports the SAML V1.1 SOAP binding and the SAML V1.1 Browser/Artifact profile. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs SHOULD include an <md:AttributeService> endpoint that supports the SAML V1.1 SOAP binding. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- IdPs MUST support the urn:mace:shibboleth:1.0:nameIdentifier transient name identifier format.
The following endpoints illustrate the requirements above for a hypothetical IdP (idp.example.org):

<!-- SAML V2.0 -->
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
<md:ArtifactResolutionService index="1" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>

<!-- SAML V1.1 -->
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
    Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
<md:AttributeService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
    Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<md:ArtifactResolutionService index="2" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
    Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
Note that the browser-facing <md:SingleSignOnService> endpoints run on the default SSL/TLS port (443) while the back-channel endpoints run on some non-standard port (such as 8443 in the examples above).
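The "One Endpoint per Binding" rule and the SAML V2.0 requirements in the Technical Details can be checked mechanically before metadata is submitted. The script below is an added example, not InCommon or Shibboleth code; it lints a constructed <md:IDPSSODescriptor> (hypothetical host idp.example.org) that deliberately breaks several of the rules above, and it treats a non-https back-channel endpoint as a warning rather than an error because the page allows message-based signing instead of SSL/TLS there.

```python
"""Lint an IdP's <md:IDPSSODescriptor> against the endpoint rules on this page."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SOAP2 = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (hypothetical idp.example.org): a duplicate HTTP-Redirect
# endpoint, a plain-http artifact endpoint, a SAML V2.0 AttributeService, and
# no transient NameIDFormat declared.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService index="1" Binding="{SOAP2}"
        Location="http://idp.example.org:8080/idp/profile/SAML2/SOAP/ArtifactResolution"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp-old.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:AttributeService Binding="{SOAP2}"
        Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def lint_idp(xml_text):
    """Return a list of (level, message) findings; an empty list means all checks pass."""
    findings = []
    idp = ET.fromstring(xml_text).find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return [("ERROR", "no IDPSSODescriptor")]
    sso = idp.findall(f"{{{MD}}}SingleSignOnService")
    if not sso:
        findings.append(("ERROR", "no SingleSignOnService endpoint"))
    seen = set()  # One Endpoint per Binding: duplicates are a deployment error
    for ep in sso:
        if ep.get("Binding") in seen:
            findings.append(("ERROR", f"duplicate SingleSignOnService Binding {ep.get('Binding')}"))
        seen.add(ep.get("Binding"))
    if REDIRECT not in seen:
        findings.append(("ERROR", "no SAML V2.0 HTTP-Redirect SingleSignOnService"))
    for tag in ("SingleSignOnService", "ArtifactResolutionService", "AttributeService"):
        for ep in idp.findall(f"{{{MD}}}{tag}"):
            if not ep.get("Location", "").startswith("https://"):
                # Browser-facing SSO endpoints MUST use SSL/TLS; back-channel SOAP
                # endpoints may rely on message-based signing instead, so only warn.
                level = "ERROR" if tag == "SingleSignOnService" else "WARN"
                findings.append((level, f"{tag} not SSL/TLS-protected: {ep.get('Location')}"))
    if any(ep.get("Binding") == SOAP2 for ep in idp.findall(f"{{{MD}}}AttributeService")):
        findings.append(("WARN", "SAML V2.0 SOAP AttributeService present (SHOULD NOT be)"))
    if TRANSIENT not in [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")]:
        findings.append(("ERROR", "transient NameIDFormat not declared"))
    return findings

if __name__ == "__main__":
    for level, msg in lint_idp(SAMPLE):
        print(level, msg)
```

Run against real metadata by replacing SAMPLE with the contents of your IdP's metadata file; the same checks apply to each <md:IDPSSODescriptor> it contains.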