
This document contains DRAFT material intended for discussion and comment by the InCommon participant community.  Comments and questions should be sent to the InCommon participants mailing list.

This page gives guidance and recommendations regarding endpoints in SP metadata. Endpoints in metadata are crucial to the overall security of SAML protocol exchanges.

Protocol Endpoints in SP Metadata

The most important endpoint in SP metadata is the <md:AssertionConsumerService> endpoint. Every SP has at least one such endpoint. SPs that support both SAML V1.1 and SAML V2.0 have at least two such endpoints.

In the InCommon Federation, every SP that supports SAML V2.0 MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Likewise every SP that supports SAML V1.1 MUST include an <md:AssertionConsumerService> endpoint that supports the Browser/POST profile.

IMPORTANT! SPs that issue SAML V2.0 authentication requests MUST ensure that their metadata includes SAML V2.0 endpoint(s) for receiving responses. (The same is true of SAML V1.1.) Failure to do so will result in runtime failures for users.

Under normal circumstances, an SP does not support the SAML V2.0 HTTP-Artifact binding (i.e., incoming requests for artifact resolution). In the InCommon Federation, the use of HTTP-Artifact for this purpose is NOT RECOMMENDED.

An SP may choose to support the SAML V2.0 Enhanced Client or Proxy profile for access to non-browser applications. In such cases, an SP MUST include in metadata an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding.

Recommended Practices

  • SPs protect all endpoints with SSL/TLS.
  • SPs support SAML V2.0 Web Browser SSO, the SAML V2.0 Identity Provider Discovery Protocol, and the use of XML Encryption.
  • SPs support the SAML V2.0 HTTP-POST binding and (optionally) the SAML V1.1 Browser/POST profile.
  • SPs (optionally) support the SAML V2.0 Enhanced Client or Proxy profile.
  • SPs support the use of attribute queries when SAML V1.1 is used.

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol via the InCommon Discovery Service (or some other discovery service), you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. The Discovery Service will redirect the unauthenticated user to this endpoint once the user has selected their preferred identity provider.

Technical Details

Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:

  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
  • SPs MUST include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.
  • SPs SHOULD NOT support the SAML V2.0 HTTP-Artifact binding.
  • SAML V2.0 SPs MUST support XML Encryption and supply an encryption key.

Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:

  • SPs MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.

Support for SAML V1.1 Web Browser SSO is OPTIONAL:

  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/POST profile.

Protocol Endpoints in SP Metadata

<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
<md:AssertionConsumerService index="2" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" 
    Location="https://sp.example.org/Shibboleth.sso/SAML2/ECP"/>

<!-- SAML V1.1 -->
<md:AssertionConsumerService index="3" 
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" 
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" 
    Location="https://sp.example.org/Shibboleth.sso/SAML/POST"/>

Discovery Service Endpoints in SP Metadata

<!-- SAML V2.0 -->
<idpdisc:DiscoveryResponse index="1" 
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" 
    Location="https://sp.example.org/Shibboleth.sso/Login"/>
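
The following checker is an added example and is not part of the InCommon wiki or the Shibboleth software: it reads an SP's metadata with the Python standard library and reports which of the Technical Details rules above are not met (HTTP-POST endpoint present, no HTTP-Artifact binding, a DiscoveryResponse endpoint present, every endpoint Location using https, and an encryption key supplied). It assumes the metadata carries a single md:SPSSODescriptor; the sample metadata at the bottom is constructed for illustration and deliberately violates three of the rules.

```python
# Added example, not from the InCommon wiki: checks SP metadata against the
# endpoint rules above. Standard library only; the sample metadata is constructed.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
IDPDISC = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def check_sp_metadata(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    sso = ET.fromstring(xml_text).find(f".//{{{MD}}}SPSSODescriptor")
    if sso is None:
        return ["no md:SPSSODescriptor found"]
    findings = []
    acs = sso.findall(f"{{{MD}}}AssertionConsumerService")
    bindings = {e.get("Binding") for e in acs}
    # Every SAML V2.0 SP MUST advertise an HTTP-POST AssertionConsumerService.
    if HTTP_POST not in bindings:
        findings.append("missing SAML V2.0 HTTP-POST AssertionConsumerService")
    # HTTP-Artifact for incoming artifact resolution is NOT RECOMMENDED.
    if HTTP_ARTIFACT in bindings:
        findings.append("advertises HTTP-Artifact binding (not recommended)")
    # Discovery needs at least one idpdisc:DiscoveryResponse extension element.
    disc = sso.findall(f".//{{{IDPDISC}}}DiscoveryResponse")
    if not disc:
        findings.append("missing idpdisc:DiscoveryResponse endpoint")
    # Every endpoint Location must be SSL/TLS protected (https scheme).
    for ep in acs + disc:
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"endpoint not SSL/TLS protected: {loc}")
    # A SAML V2.0 SP MUST supply an encryption key: md:KeyDescriptor with
    # use="encryption" or with no use attribute (usable for both purposes).
    if not any(k.get("use") in (None, "encryption")
               for k in sso.findall(f"{{{MD}}}KeyDescriptor")):
        findings.append("no encryption key (md:KeyDescriptor) supplied")
    return findings

# Constructed sample: HTTP-POST present; discovery endpoint over plain http,
# HTTP-Artifact advertised and no encryption key, so three findings expected.
SAMPLE = f"""<md:EntityDescriptor entityID="https://sp.example.org/shibboleth" xmlns:md="{MD}" xmlns:idpdisc="{IDPDISC}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><idpdisc:DiscoveryResponse index="1" Binding="{IDPDISC}"
      Location="http://sp.example.org/Shibboleth.sso/Login"/></md:Extensions>
    <md:AssertionConsumerService index="1" Binding="{HTTP_POST}"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2" Binding="{HTTP_ARTIFACT}"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""
```

Running check_sp_metadata(SAMPLE) returns the three findings named in the comment; an empty list means the metadata satisfies all the checks implemented here.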