The InCommon Federation wiki has moved.
We have exciting news! An updated InCommon Federation wiki is now available. Please visit the new InCommon Federation Library for updated content.
This wiki is preserved for historical records only. It will no longer be updated.
We invite you to come check out the new Library. Don't forget to update your bookmarks accordingly.
This is the SAML home page for the InCommon Federation.
What is SAML?
Security Assertion Markup Language (SAML) is an XML-based markup language accompanied by various protocols, bindings, and profiles. Far and away the most important profile (which builds on the other SAML components) is SAML Web Browser SSO, a secure single sign-on solution for cross-domain deployment scenarios. See the #External References section at the end of this document for pointers to reference material and documentation.
Supported Profiles
InCommon recommends that SPs and IdPs support the following protocols and profiles:
Strongly Recommended:
- SAML V2.0 Web Browser SSO
Recommended:
- SAML V2.0 Identity Provider Discovery Protocol
- SAML V2.0 Enhanced Client or Proxy (ECP)
Optional:
- SAML V2.0 Single Logout
- SAML V1.1 Web Browser SSO
See the Endpoints in Metadata wiki page for details regarding SAML profiles, bindings, and protocols in metadata, and the Recommended Practices wiki page for further guidance and recommendations.
Migration to SAML V2.0
InCommon strongly recommends that all entities (IdPs and SPs) support SAML V2.0 Web Browser SSO. The benefits of SAML V2.0 are significant, to both individual participants and the Federation as a whole; see What's New in SAML 2? for more information.
Currently there are a few dozen IdPs in the InCommon Federation that do not support SAML V2.0. Consequently, SPs can not safely ignore legacy SAML V1.1 protocols, which tends to favor the latter over SAML V2.0. As a community, we are caught in a chicken-and-egg situation that can be traced back to those legacy IdPs. If most of those IdPs were to add SAML V2.0 to their portfolio, the dynamics would immediately change, for the benefit of all Federation participants.
To help IdPs support SAML V2.0, we've documented a migration strategy that does not depend an a second IdP. Following our suggestions, IdPs can be safely upgraded to support SAML V2.0 with a minimum of effort. We encourage you to read the documentation carefully so that you can begin to plan your move to SAML V2.0.
For their part, SPs are encouraged to support SAML V2.0 as well. An SP's migration path to SAML V2.0 is actually more complicated than that of the IdP, but if done correctly, an SP can make a smooth transition to SAML V2.0 with little or no disruption to services.
Local Resources
- What's New in SAML 2?
- IdP Support for SAML V2.0
- SP Support for SAML V2.0
- SAML V2.0 Frequently Asked Questions
- Software Guidelines for SAML V2.0
- InCommon Use of SAML V1.1 and V2.0: A Statistical Summary (last updated 2012-05-29)
For historical data on the use of SAML V1.1 and SAML V2.0 in the InCommon Federation, see the CSV files attached to this wiki page.
External References
- Wikipedia resources:
- OASIS SAML Technical Committee