
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.

Protocol Endpoints in SP Metadata

The most important endpoint at the SP is the <md:AssertionConsumerService> endpoint. Every SP has at least one such endpoint. SPs that support both SAML V1.1 and SAML V2.0 have at least two such endpoints.

In the InCommon Federation, every SP that supports SAML V2.0 MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Likewise every SP that supports SAML V1.1 MUST include an <md:AssertionConsumerService> endpoint that supports the Browser/POST profile.

It is essential that SPs that issue SAML V2.0 requests ensure their metadata includes SAML V2.0 endpoint(s) for receiving responses; otherwise the IdP has no SAML V2.0 endpoint to return the response to. Failure to ensure this will result in runtime failures for users.

Recommended Practice

  • SPs support the SAML V2.0 HTTP-POST binding and the SAML V1.1 Browser/POST profile.
  • SPs support the use of XML Encryption when SAML V2.0 is used, and support the use of attribute queries when SAML V1.1 is used.
  • TLS/SSL is used on all user-facing endpoints.

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol via the InCommon Discovery Service, you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements.

Technical Details

Protocol Endpoints in SP Metadata
<md:AssertionConsumerService index="1" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
<md:AssertionConsumerService index="2" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" 
    Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>
Discovery Service Endpoints in SP Metadata
<idpdisc:DiscoveryResponse index="1" 
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Location="https://sp.example.org/Shibboleth.sso/Login"/>

Technical Requirements

Support for SAML V1.1 Web Browser SSO is optional:

  • SPs that support SAML V1.1 MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/POST profile

Support for SAML V2.0 Web Browser SSO is recommended:

  • SPs that support SAML V2.0 MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding
  • SAML V2.0 SPs MUST support XML Encryption and supply an encryption key in their metadata

Support for SAML V2.0 Enhanced Client or Proxy is recommended:

  • SPs that support SAML V2.0 ECP MUST include an endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding
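The following check, added here as an example and not code from the InCommon wiki or the Shibboleth project, parses an SP's metadata and reports which of the endpoint and key requirements above it misses (HTTP-POST endpoint for SAML V2.0, Browser/POST endpoint for SAML V1.1, an encryption key, a DiscoveryResponse when the SP uses discovery, and TLS on every endpoint). The sample metadata, the entityID and the `uses_discovery` parameter are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML1_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
SAML2_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML1_PROTO = "urn:oasis:names:tc:SAML:1.1:protocol"

# Constructed sample: claims SAML V2.0 and V1.1 support but has several defects.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:idpdisc="{IDPDISC}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAML2_PROTO} {SAML1_PROTO}">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1" Binding="{IDPDISC}"
          Location="https://sp.example.org/Shibboleth.sso/Login"/>
    </md:Extensions>
    <md:KeyDescriptor use="signing"/>
    <md:AssertionConsumerService index="1" Binding="{SAML2_POST}"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text, uses_discovery=False):
    """Return a list of findings; an empty list means the requirements are met."""
    sp = ET.fromstring(xml_text).find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no md:SPSSODescriptor element"]
    findings = []
    protocols = sp.get("protocolSupportEnumeration", "").split()
    acs = sp.findall(f"{{{MD}}}AssertionConsumerService")
    bindings = {e.get("Binding") for e in acs}
    if SAML2_PROTO in protocols and SAML2_POST not in bindings:
        findings.append("SAML V2.0 SP lacks an HTTP-POST AssertionConsumerService")
    if SAML1_PROTO in protocols and SAML1_POST not in bindings:
        findings.append("SAML V1.1 SP lacks a Browser/POST AssertionConsumerService")
    # A KeyDescriptor with no "use" attribute serves both signing and encryption.
    uses = {k.get("use") for k in sp.findall(f"{{{MD}}}KeyDescriptor")}
    if SAML2_PROTO in protocols and not uses & {"encryption", None}:
        findings.append("SAML V2.0 SP supplies no encryption key")
    disc = sp.findall(f"{{{MD}}}Extensions/{{{IDPDISC}}}DiscoveryResponse")
    if uses_discovery and not disc:
        findings.append("SP uses discovery but has no idpdisc:DiscoveryResponse")
    for e in acs + disc:
        loc = e.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"endpoint {loc} is not protected by TLS")
    return findings
```

Run against the sample, the check reports the missing Browser/POST endpoint, the missing encryption key and the plain-HTTP SAML2 endpoint.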