This page gives guidance and recommendations regarding legacy SAML1 endpoints in IdP metadata.
New IdPs SHOULD avoid advertising SAML1 endpoints in metadata.
Support for SAML V1.1 Web Browser SSO is OPTIONAL. An IdP that chooses to support it advertises the following in its metadata:

- <md:SingleSignOnService>: endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
- <md:ArtifactResolutionService>: endpoint that supports the SAML V1.1 SOAP binding and therefore the SAML V1.1 Browser/Artifact profile. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- <md:AttributeService>: endpoint that supports the SAML V1.1 SOAP binding. This endpoint MUST be protected by SSL/TLS unless message-based signing is used.
- urn:mace:shibboleth:1.0:nameIdentifier: the transient name identifier format.

Example SAML V1.1 endpoints in IdP metadata:

    <!-- SAML V1.1 -->
    <md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <md:AttributeService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
    <md:ArtifactResolutionService index="1" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
Note that the browser-facing <md:SingleSignOnService> endpoint runs on the default TLS port (443), while the back-channel endpoints (<md:AttributeService> and <md:ArtifactResolutionService>) typically run on a non-standard port, such as 8443 in the example above.
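As an added example (not code from this page or from the Shibboleth project), the following Python check walks an IdP metadata document and reports every legacy SAML1 item it advertises: the Shibboleth 1.x AuthnRequest binding, the SAML V1.1 SOAP binding, and the urn:mace:shibboleth:1.0:nameIdentifier format, additionally flagging back-channel endpoints whose Location is not https. The metadata sample embedded in the block is constructed; the function name audit_saml1_endpoints is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Binding URIs and name identifier format that mark SAML1-era endpoints.
SAML1_BINDINGS = {
    "urn:mace:shibboleth:1.0:profiles:AuthnRequest",
    "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding",
}
SAML1_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"
# Back-channel endpoints MUST be TLS-protected unless message signing is used.
BACK_CHANNEL = {"ArtifactResolutionService", "AttributeService"}

# Constructed sample metadata: the endpoints from this page, plus a
# deliberately non-https ArtifactResolutionService so the TLS check fires.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <md:NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="http://idp.example.org:8080/idp/profile/SAML1/SOAP/ArtifactResolution"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""


def audit_saml1_endpoints(metadata_xml):
    """Return (element, value, finding) tuples for legacy SAML1 material.

    A non-https back-channel Location is reported as a separate finding;
    a deployment relying on message-based signing instead of TLS would
    need to accept that finding explicitly.
    """
    findings = []
    root = ET.fromstring(metadata_xml)
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the metadata namespace
        if tag == "NameIDFormat" and (el.text or "").strip() == SAML1_NAMEID:
            findings.append((tag, SAML1_NAMEID, "legacy SAML1 name identifier format"))
            continue
        if el.get("Binding") not in SAML1_BINDINGS:
            continue  # SAML2 endpoints and non-endpoint elements are ignored
        loc = el.get("Location", "")
        findings.append((tag, loc, "legacy SAML1 endpoint advertised"))
        if tag in BACK_CHANNEL and urlparse(loc).scheme != "https":
            findings.append((tag, loc, "back-channel endpoint not protected by TLS"))
    return findings
```

Run against the sample, the SAML2 HTTP-Redirect endpoint is left alone and five findings are returned, one of them the TLS violation on the http ArtifactResolutionService.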