
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the InCommon participants mailing list.

Endpoints in SP Metadata

This page gives guidance and recommendations regarding SAML endpoints in SP metadata. Endpoints in metadata are crucial to the overall security of SAML protocol exchanges, since they determine where an IdP is allowed to deliver assertions.

SAML Endpoints in SP Metadata

The most important endpoint in SP metadata is the <md:AssertionConsumerService> endpoint. Every SP MUST have at least one such endpoint in metadata.

In the InCommon Federation, every SP that supports SAML V2.0 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Occasionally an IdP will respond with an artifact, and therefore an SP SHOULD also include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding. Other bindings (such as the HTTP-POST-SimpleSign binding) MAY be supported.

IMPORTANT! SPs that issue SAML V2.0 authentication requests MUST ensure that their metadata includes one or more SAML V2.0 endpoints for receiving responses. An encryption key MUST also be included in metadata. Failure to do so will result in runtime failures for users.

An SP that supports the SAML V2.0 Enhanced Client or Proxy (ECP) profile SHOULD include an additional <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. (Today's non-browser clients don't typically rely on this endpoint information, however.) There is at most one such endpoint in SP metadata.

Single Logout Endpoints

A single topic covering Single Logout Endpoints in both IdP and SP metadata will be found elsewhere in this wiki.

Under normal circumstances, an SP does not include an <md:ArtifactResolutionService> endpoint that supports incoming requests for artifact resolution. In the InCommon Federation, the use of artifacts for this purpose is NOT RECOMMENDED.

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol via the Discovery Service (or some other discovery service), you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. (In practice, the actual number of such endpoints is implementation-dependent.) The Discovery Service will redirect the unauthenticated user back to the SP at the designated endpoint once the user has selected their preferred identity provider.

Technical Details

Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:

  • SPs MUST include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.
  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
  • SPs SHOULD include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
  • SAML V2.0 SPs MUST support XML Encryption by including an encryption key in metadata.

Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:

  • SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.

SAML Endpoints in SP Metadata

<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
<md:AssertionConsumerService index="3"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
    Location="https://sp.example.org/sso/SAML2/ECP"/>

Discovery Service Endpoints in SP Metadata

<!-- SAML V2.0 -->
<idpdisc:DiscoveryResponse index="1"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Location="https://sp.example.org/sso/Login"/>

Note that all of the above endpoints are browser-facing endpoints that run on the default SSL/TLS port (443).
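As an added example (not InCommon's code, nor that of any SAML implementation), the endpoint requirements above can be checked mechanically against an SP's <md:EntityDescriptor>. The metadata it inspects is constructed for this example, and the finding strings are assumptions, not output of any real tool.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample SP metadata (not a real entity): HTTP-POST endpoint on plain http, no Artifact endpoint.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1" Location="https://sp.example.org/sso/Login"
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"/>
    </md:Extensions>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>k1</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://sp.example.org/sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return findings against the endpoint guidance above; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["MUST: no <md:SPSSODescriptor> found"]
    findings = []
    acs = sp.findall("md:AssertionConsumerService", NS)
    disco = sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)
    bindings = [e.get("Binding") for e in acs]
    if POST not in bindings:
        findings.append("MUST: an HTTP-POST AssertionConsumerService endpoint")
    if ARTIFACT not in bindings:
        findings.append("SHOULD: an HTTP-Artifact AssertionConsumerService endpoint")
    if not disco:
        findings.append("MUST: an <idpdisc:DiscoveryResponse> extension endpoint")
    if sp.find("md:ArtifactResolutionService", NS) is not None:
        findings.append("NOT RECOMMENDED: <md:ArtifactResolutionService> in SP metadata")
    # A KeyDescriptor with use="encryption", or with no use attribute at all, supplies an encryption key
    if not [k for k in sp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "encryption")]:
        findings.append("MUST: an encryption key (<md:KeyDescriptor>) in metadata")
    # Every endpoint above is browser-facing and must be SSL/TLS-protected
    for e in acs + disco:
        if urlparse(e.get("Location", "")).scheme != "https":
            findings.append("MUST: SSL/TLS-protected Location, got %r" % e.get("Location"))
    return findings
```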
