
This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.

This page gives guidance and recommendations regarding endpoints in SP metadata. Endpoints in metadata are crucial to the overall security of SAML protocol exchanges: an IdP will only deliver assertions to the locations listed there.

Protocol Endpoints in SP Metadata

The most important endpoint in SP metadata is the <md:AssertionConsumerService> endpoint. Every SP MUST have at least one such endpoint in metadata. SPs that support both SAML V1.1 and SAML V2.0 have at least two such endpoints.

In the InCommon Federation, every SP that supports SAML V2.0 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Occasionally an IdP will respond with an artifact, and therefore an SP SHOULD also include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding. Other bindings (such as the HTTP-POST-SimpleSign binding) MAY be supported.

IMPORTANT! SPs that issue SAML V2.0 authentication requests MUST ensure that their metadata includes one or more SAML V2.0 endpoints for receiving responses. An encryption key MUST also be included in metadata. Failure to do so will result in runtime failures for users.

Likewise, every SP that supports SAML V1.1 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the Browser/POST profile. The Browser/Artifact profile MAY be supported as well.

An SP that supports the SAML V2.0 Enhanced Client or Proxy (ECP) profile SHOULD include an additional <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. (Non-browser clients don't typically rely on this endpoint information, however.) The SP authenticates the non-browser client using either Basic Authentication or TLS Client Authentication.

Under normal circumstances, an SP does not include an <md:ArtifactResolutionService> endpoint that supports incoming requests for artifact resolution. In the InCommon Federation, the use of artifacts for this purpose is NOT RECOMMENDED.

Recommended Practices

  • SPs protect all endpoints with SSL/TLS.
  • SPs support SAML V2.0 Web Browser SSO, the SAML V2.0 Identity Provider Discovery Protocol, and the use of XML Encryption.
  • SPs support the SAML V2.0 HTTP-POST binding and (optionally) the SAML V1.1 Browser/POST profile.
  • SPs (optionally) support the SAML V2.0 Enhanced Client or Proxy profile.
  • SPs support the use of attribute queries when SAML V1.1 is used.

Discovery Service Endpoints in SP Metadata

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol via the InCommon Discovery Service (or some other discovery service), you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. The Discovery Service will redirect the unauthenticated user back to the SP at the designated endpoint once the user has selected their preferred identity provider.

Technical Details

Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:

  • SPs MUST include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.
  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
  • SPs SHOULD include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
  • SAML V2.0 SPs MUST support XML Encryption by including an encryption key in metadata.

Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:

  • SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.

Support for SAML V1.1 Web Browser SSO is OPTIONAL:

  • SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/POST profile.
  • SPs MAY include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/Artifact profile.

Example: Protocol Endpoints in SP Metadata

<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
<md:AssertionConsumerService index="3"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
    Location="https://sp.example.org/sso/SAML2/ECP"/>

<!-- SAML V1.1 -->
<md:AssertionConsumerService index="4"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="https://sp.example.org/sso/SAML1/POST"/>

Example: Discovery Service Endpoints in SP Metadata

<!-- SAML V2.0 -->
<idpdisc:DiscoveryResponse index="1"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Location="https://sp.example.org/sso/Login"/>
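As an added example (not InCommon's code nor any deployment's own), the following Python script checks an SP metadata document against the endpoint rules on this page: at least one <md:AssertionConsumerService>, a SAML V2.0 HTTP-POST binding (MUST), an HTTP-Artifact binding (SHOULD), SSL/TLS on every endpoint including <idpdisc:DiscoveryResponse>, and an encryption key in metadata. The sample metadata it parses is constructed here; the function name check_sp_metadata and the placeholder key name are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def check_sp_metadata(xml_text):
    """Return findings against this page's endpoint rules; [] means all passed."""
    findings = []
    sso = ET.fromstring(xml_text).find(".//md:SPSSODescriptor", NS)
    if sso is None:
        return ["MUST: metadata contains an md:SPSSODescriptor"]
    acs = sso.findall("md:AssertionConsumerService", NS)
    if not acs:
        findings.append("MUST: at least one md:AssertionConsumerService")
    bindings = {e.get("Binding") for e in acs}
    if SAML2_POST not in bindings:
        findings.append("MUST: SAML V2.0 HTTP-POST AssertionConsumerService")
    if SAML2_ARTIFACT not in bindings:
        findings.append("SHOULD: SAML V2.0 HTTP-Artifact AssertionConsumerService")
    # Every endpoint, discovery responses included, must be SSL/TLS-protected.
    for e in acs + sso.findall(".//idpdisc:DiscoveryResponse", NS):
        loc = e.get("Location", "")
        if not loc.startswith("https://"):
            findings.append(f"MUST: SSL/TLS-protected endpoint, got {loc!r}")
    # Encryption key: md:KeyDescriptor with use="encryption" or with no use attribute.
    keys = sso.findall("md:KeyDescriptor", NS)
    if not any(k.get("use") in (None, "encryption") for k in keys):
        findings.append("MUST: encryption key (md:KeyDescriptor) in metadata")
    return findings

# Constructed sample SP metadata (not a real entity); the key content is a placeholder.
GOOD_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
  entityID="https://sp.example.org/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:Extensions><idpdisc:DiscoveryResponse index="1"
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Location="https://sp.example.org/sso/Login"/></md:Extensions>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>PLACEHOLDER</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
  <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Same SP with a plaintext POST endpoint and a signing-only key: expect two MUST findings.
BAD_SP = (GOOD_SP.replace("https://sp.example.org/sso/SAML2/POST", "http://sp.example.org/sso/SAML2/POST")
          .replace('use="encryption"', 'use="signing"'))
```

Metadata fetched from a remote source should be parsed with a hardened parser such as defusedxml rather than xml.etree directly, and the signature on the metadata file verified before any of these checks are trusted.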