The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 27 Next »

This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the InCommon participants mailing list.

Endpoints in SP Metadata

This page gives guidance and recommendations regarding SAML endpoints in SP metadata. Endpoints in Metadata are crucial to the overall security and interoperability of SAML protocol exchanges.

An endpoint in metadata signals support for a specific profile of SAML. In particular, all SPs in InCommon metadata MUST support SAML2 Web Browser SSO by including certain browser-facing SSO endpoints in metadata. Support for any other profile is strictly OPTIONAL.

Endpoint Requirements

The most important endpoint in SP metadata is the <md:AssertionConsumerService> endpoint. Every SP MUST have at least one such endpoint in metadata.

In the InCommon Federation, every SP that supports SAML V2.0 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Occasionally an IdP will respond with an artifact, and therefore an SP SHOULD also include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.

Single Logout Endpoints

A single topic covering Single Logout Endpoints in both IdP and SP metadata will be found elsewhere in this wiki.

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol, you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. (In practice, the actual number of such endpoints is implementation-dependent.) A discovery service will redirect the unauthenticated user back to the SP at the designated endpoint once the user has selected their preferred identity provider.

Technical Details

Support for SAML V2.0 Web Browser SSO is REQUIRED:

  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
  • SPs SHOULD include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
  • SPs MAY include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.

Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:

  • SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.
SAML Endpoints in SP Metadata
<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" 
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
Discovery Service Endpoints in SP Metadata
<!-- SAML V2.0 -->
<idpdisc:DiscoveryResponse index="1" 
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Location="https://sp.example.org/sso/Login"/>

Note that all of the above endpoints are browser-facing endpoints that run on the default SSL/TLS port (443).

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels