This page gives guidance and recommendations regarding SAML endpoints in SP metadata. Endpoints in Metadata are crucial to the overall security of SAML protocol exchanges.
SAML Endpoints in SP Metadata
The most important endpoint in SP metadata is the <md:AssertionConsumerService> endpoint. Every SP MUST have at least one such endpoint in metadata. SPs that support both SAML V1.1 and SAML V2.0 have at least two such endpoints.
In the InCommon Federation, every SP that supports SAML V2.0 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding. Occasionally an IdP will respond with an artifact, and therefore an SP SHOULD also include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding. Other bindings (such as the HTTP-POST-SimpleSign binding) MAY be supported.
IMPORTANT! SPs that issue SAML V2.0 authentication requests MUST ensure that their metadata includes one or more SAML V2.0 endpoints for receiving responses. An encryption key MUST also be included in metadata. Failure to do so will result in runtime failures for users.
Likewise, every SP that supports SAML V1.1 Web Browser SSO MUST include an <md:AssertionConsumerService> endpoint that supports the Browser/POST profile. The Browser/Artifact profile MAY be supported as well.
An SP that supports the SAML V2.0 Enhanced Client or Proxy (ECP) profile SHOULD include an additional <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. (Non-browser clients don't typically rely on this endpoint information, however.) The SP authenticates the non-browser client using either Basic Authentication or TLS Client Authentication.
Under normal circumstances, an SP does not include an <md:ArtifactResolutionService> endpoint that supports incoming requests for artifact resolution. In the InCommon Federation, the use of artifacts for this purpose is NOT RECOMMENDED.
Discovery Service Endpoints in SP Metadata
If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol via the InCommon Discovery Service (or some other discovery service), you MUST configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> extension elements. The Discovery Service will redirect the unauthenticated user back to the SP at the designated endpoint once the user has selected their preferred identity provider.
Technical Details
Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:
- SPs MUST include an SSL/TLS-protected <idpdisc:DiscoveryResponse> endpoint that supports the SAML V2.0 Identity Provider Discovery Protocol.
- SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-POST binding.
- SPs SHOULD include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V2.0 HTTP-Artifact binding.
- SAML V2.0 SPs MUST support XML Encryption by including an encryption key in metadata.
Support for SAML V2.0 Enhanced Client or Proxy is OPTIONAL:
- SPs SHOULD include an <md:AssertionConsumerService> endpoint that supports the SAML V2.0 Reverse SOAP (PAOS) binding. This endpoint SHOULD be protected by SSL/TLS.
Support for SAML V1.1 Web Browser SSO is OPTIONAL:
- SPs MUST include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/POST profile.
- SPs MAY include an SSL/TLS-protected <md:AssertionConsumerService> endpoint that supports the SAML V1.1 Browser/Artifact profile.
<!-- SAML V2.0 -->
<md:AssertionConsumerService index="1"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://sp.example.org/sso/SAML2/POST"/>
<md:AssertionConsumerService index="2"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://sp.example.org/sso/SAML2/Artifact"/>
<md:AssertionConsumerService index="3"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
    Location="https://sp.example.org/sso/SAML2/ECP"/>
<!-- SAML V1.1 -->
<md:AssertionConsumerService index="4"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
    Location="https://sp.example.org/sso/SAML1/POST"/>
<!-- SAML V2.0 -->
<idpdisc:DiscoveryResponse index="1"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    Location="https://sp.example.org/sso/Login"/>
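The SAML V2.0 checklist above turned into a small metadata lint, as an added example that is not part of the original page: it parses an SP's metadata with Python's standard library and reports which MUST/SHOULD items (HTTP-POST and HTTP-Artifact endpoints, a DiscoveryResponse endpoint, an encryption key, SSL/TLS on every endpoint, no ArtifactResolutionService) are unmet. The sample metadata is constructed for the example, and check_sp_metadata and its finding strings are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
DISCO = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed sample (not from the page): the page's endpoints, but the artifact endpoint is plain http and no encryption key is published.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1" Location="https://sp.example.org/sso/Login"
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"/>
    </md:Extensions>
    <md:AssertionConsumerService index="1" Location="https://sp.example.org/sso/SAML2/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="2" Location="http://sp.example.org/sso/SAML2/Artifact"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return findings prefixed MUST / SHOULD / NOT RECOMMENDED for one SP's SAML V2.0 metadata; empty means compliant."""
    sso = ET.fromstring(xml_text).find(".//md:SPSSODescriptor", NS)
    if sso is None:
        return ["MUST: no md:SPSSODescriptor in metadata"]
    findings = []
    acs = sso.findall("md:AssertionConsumerService", NS)
    disco = sso.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)
    if not any(a.get("Binding") == POST for a in acs):
        findings.append("MUST: no SAML V2.0 HTTP-POST AssertionConsumerService")
    if not any(a.get("Binding") == ARTIFACT for a in acs):
        findings.append("SHOULD: no SAML V2.0 HTTP-Artifact AssertionConsumerService")
    if not any(d.get("Binding") == DISCO for d in disco):
        findings.append("MUST: no idpdisc:DiscoveryResponse endpoint for the Discovery Service")
    # A KeyDescriptor with use="encryption", or with no use attribute at all, publishes an encryption key.
    if not any(k.get("use") in (None, "encryption") for k in sso.findall("md:KeyDescriptor", NS)):
        findings.append("MUST: no encryption key (md:KeyDescriptor) in metadata")
    if sso.find("md:ArtifactResolutionService", NS) is not None:
        findings.append("NOT RECOMMENDED: md:ArtifactResolutionService published")
    # Every endpoint MUST be SSL/TLS-protected (SHOULD, for the PAOS endpoint).
    for ep in acs + disco:
        if urlparse(ep.get("Location", "")).scheme != "https":
            level = "SHOULD" if ep.get("Binding", "").endswith(":PAOS") else "MUST"
            findings.append(f"{level}: endpoint not SSL/TLS-protected: {ep.get('Location')}")
    return findings
```

Running check_sp_metadata(SAMPLE) reports the missing encryption key and the http:// artifact endpoint; the same two changes applied to the sample make it pass cleanly.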