Once you, as a SaaS Platform Deployer, have selected software (see Building InCommon-Ready Software), you will need to deploy it in a manner that enables a Service Operator to launch a federation-ready service. Luckily, there are multiple resources to help you do that. Most notably, the InCommon Deployment Profile Working Group, in partnership with OASIS and the Kantara Initiative, has provided multiple resources in its Final Report of the InCommon Deployment Profile Working Group.
Specifically, you should:
- Configure your platform to be conformant with the SAML V2.0 Deployment Profile for Federation Interoperability, V2.0 (December 9, 2019), which "...specifies behavior and options that deployments of the SAML V2.0 Web Browser SSO profile [SAML2Prof], and related profiles, are required or permitted to rely on."
- Follow the advice in Choosing the Right Federated User Identifier to select the identifiers you utilize for your users.
- Configure your platform to utilize the Metadata Query Protocol (MDQ) to access federation metadata, as described in SAML V2.0 Implementation Profile for Federation Interoperability. See Metadata Distribution Service Documentation for more information.
- Configure your platform so that it can include users from multiple identity providers, under the control of the Service Operator. This includes providing a discovery mechanism for associating current users with their identity providers.
- If your platform is designed to present multiple service instances, each with its own Service Operator and user community, provide Service Operators with the ability to include users from multiple identity providers, even if those identity providers' users are already included by other Service Operators.
- Provide tools and documentation to facilitate your Service Operators' responsibilities to deliver services that are fully integrated into the federation, and that meet the expectations of the federation's community.
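As an added illustration of the MDQ item above (example code written for this page, not from the working group's reports or any federation's software), the following Python sketch shows how a platform builds the per-entity MDQ request URL and what it must check on the returned EntityDescriptor before trusting it; the MDQ base URL, entityID and sample metadata are constructed placeholders, and XML signature verification is left to a library such as xmlsec.

```python
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the per-entity document an MDQ responder returns
# (signature omitted; a real response is signed and must be verified).
SAMPLE_IDP = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.edu/idp/shibboleth" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def mdq_url(base_url: str, entity_id: str, use_sha1: bool = True) -> str:
    """Build the MDQ request URL for one entity: <base>/entities/<identifier>.
    The identifier is the percent-encoded entityID, or the '{sha1}<hex>' form
    (lowercase hex SHA-1 of the entityID) that sidesteps escaping problems."""
    ident = entity_id
    if use_sha1:
        ident = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote(ident, safe="")

def parse_idp_metadata(xml_bytes: bytes, now_iso: Optional[str] = None) -> dict:
    """Pull the SSO endpoint an SP needs from a single EntityDescriptor and refuse
    the document once its validUntil has passed (MDQ clients must re-query before
    that point, never keep using a cached copy past it)."""
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("MDQ must return exactly one md:EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("refusing metadata without validUntil")
    if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError(f"metadata expired at {valid_until}")
    sso = root.find(f"{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService")
    if sso is None:
        raise ValueError("entity is not an IdP (no SingleSignOnService)")
    return {"entity_id": root.get("entityID"), "valid_until": valid_until,
            "sso_binding": sso.get("Binding"), "sso_location": sso.get("Location")}
```

In a deployment the URL from `mdq_url` is fetched over HTTPS, the signature on the response is verified against the federation's metadata signing key, and only then is `parse_idp_metadata` applied.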
Other useful references include: