This page shows how to set up an SP deployment for SAML V2.0 Web Browser SSO. The procedures apply to new SPs as well as existing SPs migrating from SAML V1.1 to SAML V2.0. We assume that your SP software has the ability to issue SAML V2.0 requests and consume SAML V2.0 assertions.

Generally speaking, before making any changes to the software configuration, an SP's metadata is updated for SAML V2.0 and allowed to propagate throughout the Federation. Since Web Browser SSO almost always begins at the SP, exposing endpoints in SP metadata that are not supported in software is usually harmless. On the other hand, issuing SAML V2.0 requests without appropriate SAML V2.0 endpoints in metadata is a recipe for disaster!

Configuring the SP

This section shows how to update metadata and configure the SP software for SAML V2.0 Web Browser SSO.

Preconditions:

  • The organization responsible for the SP is an InCommon Federation participant
  • The SP software supports SAML V2.0 Web Browser SSO
  • A deployment choice with respect to IdP discovery (e.g., the SAML V2.0 Identity Provider Discovery Protocol) has been made

...

If the SP deployment will use the SAML V2.0 Identity Provider Discovery Protocol, the software is configured to issue such protocol requests in the presence of an unauthenticated user. Otherwise this configuration step may be omitted in favor of some other approach to IdP discovery.

Finally, the software is configured to issue SAML V2.0 authentication requests and consume SAML V2.0 assertion responses at step 3. One or more endpoint configurations are required, depending on the <md:AssertionConsumerService> endpoint(s) added to metadata at step 1.
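Because issuing SAML V2.0 requests before the matching endpoints are in metadata is what breaks deployments, a deployer will want to confirm the published SP metadata actually carries them before enabling this step. The following pre-flight check is an added example, not code from the original page; the sample metadata, entityID and URLs are constructed placeholders.

```python
"""Pre-flight check: does the SP metadata expose the SAML V2.0 endpoints the
software is about to start using? (Added example; not from the original page.)"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2_BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
HTTP_POST = SAML2_BINDING_PREFIX + "HTTP-POST"
DISCO_BINDING = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"

# Constructed sample SP metadata; entityID and Location values are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.org/saml2/login" index="1"/>
    </md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml2/acs" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.example.org/saml1/acs" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def saml2_readiness(metadata_xml):
    """Report the metadata facts a deployer wants confirmed before enabling SAML V2.0 requests."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"sp_descriptor": False}
    protocols = sp.get("protocolSupportEnumeration", "").split()
    acs_bindings = [e.get("Binding") for e in sp.findall("md:AssertionConsumerService", NS)]
    disco = sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)
    return {
        "sp_descriptor": True,
        # Does the SP advertise SAML V2.0 at all?
        "declares_saml2": SAML2_PROTOCOL in protocols,
        # Which SAML V2.0 ACS bindings are published (the software config must match these)
        "saml2_acs": [b for b in acs_bindings if b and b.startswith(SAML2_BINDING_PREFIX)],
        "has_saml2_post_acs": HTTP_POST in acs_bindings,
        # Discovery Protocol return endpoints, needed only if the SP uses IdP Discovery
        "discovery_response": [d.get("Location") for d in disco if d.get("Binding") == DISCO_BINDING],
        # Every published endpoint should be HTTPS; an IdP will post assertions to these URLs
        "endpoints_https": all(e.get("Location", "").startswith("https://")
                               for e in sp.iter() if e.get("Location")),
    }
```

Run this against the metadata the Federation actually serves for your entityID, not your local copy, since the point is to wait for the published version to propagate.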

...

Once the SP has been upgraded to SAML V2.0, a natural tendency is to test the complete, end-to-end flow. If this works, you may be done, but if it doesn't, or you require more thorough testing, a targeted test sequence may be employed to isolate the problem:

  1. Test the SP's ability to consume a SAML V2.0 assertion response
  2. Test the SP's ability to issue a SAML V2.0 authentication request
  3. Test the SP's ability to issue a SAML V2.0 Identity Provider Discovery Protocol request

...