...
- The certificates registered by a participant contain RSA public keys of at least 2048 bits, are self-signed, are not expired, and do not carry revocation-related extensions.
- Certificate migration is performed in a controlled fashion that does not require participants who follow metadata consumption best practices to take any special action to accommodate the change.
- Service providers include and support an encryption key in SP metadata.
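The four certificate rules above can be checked mechanically against the DER bytes decoded from a KeyDescriptor's X509Certificate element. The Go program below is an added example, not part of this page and not any federation's own tooling; it uses only the standard library. The certificates it checks are minted at run time for the example (a compliant one, a 1024-bit expired one carrying a CRL Distribution Point, and one issued by a CA and therefore not self-signed) rather than taken from real metadata, and the names CheckMetadataCert, mint and Samples are the example's own. "Revocation-related extensions" is implemented as an OID match on CRL Distribution Points, Freshest CRL and Authority Information Access; that set is my reading of the rule, not a definition the page gives.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Revocation-related extensions by OID: CRL Distribution Points, Freshest CRL and
// Authority Information Access (which carries OCSP responder and CA Issuers URLs).
var revocationOIDs = []asn1.ObjectIdentifier{{2, 5, 29, 31}, {2, 5, 29, 46}, {1, 3, 6, 1, 5, 5, 7, 1, 1}}

// CheckMetadataCert applies the four certificate rules to one DER-encoded
// certificate and returns one finding per violated rule; empty means acceptable.
func CheckMetadataCert(der []byte, now time.Time) []string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return []string{"certificate does not parse: " + err.Error()}
	}
	var f []string
	// Rule: RSA public key of at least 2048 bits.
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		f = append(f, "public key is not RSA")
	} else if pub.N.BitLen() < 2048 {
		f = append(f, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	// Rule: self-signed, i.e. issuer equals subject and the signature verifies under the
	// cert's own key (CheckSignatureFrom would demand CA constraints SAML certs lack).
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) ||
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) != nil {
		f = append(f, "certificate is not self-signed")
	}
	// Rule: not expired; a not-yet-valid certificate is rejected for the same reason.
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		f = append(f, fmt.Sprintf("validity period %s to %s does not cover now",
			cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02")))
	}
	// Rule: no revocation-related extensions, matched by OID on the raw extension list.
	for _, ext := range cert.Extensions {
		for _, oid := range revocationOIDs {
			if ext.Id.Equal(oid) {
				f = append(f, "carries revocation-related extension "+oid.String())
			}
		}
	}
	return f
}

// mint generates an RSA key of the given size and issues tmpl for it. With a nil
// parent the certificate is self-signed; otherwise parent and parentKey sign it.
func mint(tmpl *x509.Certificate, bits int, parent *x509.Certificate, parentKey *rsa.PrivateKey) ([]byte, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	var signer interface{} = key
	if parent == nil {
		parent = tmpl // self-signed: the certificate is its own issuer
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	return der, key
}

// Samples returns three constructed certificates, not real federation data: one that
// satisfies every rule, one that is 1024-bit, expired and carries a CRL Distribution
// Point, and one issued by a CA and therefore not self-signed.
func Samples(now time.Time) (good, weak, caIssued []byte) {
	year := 365 * 24 * time.Hour
	leaf := func(nb, na time.Time, crl []string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "idp.example.org"},
			NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: crl}
	}
	good, _ = mint(leaf(now.Add(-time.Hour), now.Add(year), nil), 2048, nil, nil)
	weak, _ = mint(leaf(now.Add(-48*time.Hour), now.Add(-24*time.Hour), []string{"http://crl.example.org/idp.crl"}), 1024, nil, nil)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(year), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	_, caKey := mint(ca, 2048, nil, nil) // only the CA key is needed; its own certificate is discarded
	caIssued, _ = mint(leaf(now.Add(-time.Hour), now.Add(year), nil), 2048, ca, caKey)
	return
}

func main() {
	now := time.Now()
	good, weak, caIssued := Samples(now)
	fmt.Println("good:", CheckMetadataCert(good, now))
	fmt.Println("weak:", CheckMetadataCert(weak, now))
	fmt.Println("ca-issued:", CheckMetadataCert(caIssued, now))
}
```

Running it prints an empty finding list for the compliant certificate, three findings for the weak one and a single "not self-signed" finding for the CA-issued one. The check deliberately consults no trust store: in metadata-driven SAML trust the relying party trusts the key because it appears in signed federation metadata, not because a CA vouches for it, which is why a self-signed certificate is exactly what these rules call for.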
SAML Protocol Endpoints
See Endpoints in Metadata, particularly:
- All endpoints are protected with SSL/TLS.
- All entities support SAML V2.0 Web Browser SSO.
Endpoints in IdP Metadata
...
- IdPs protect all endpoints with SSL/TLS.
- IdPs support SAML V2.0 Web Browser SSO and (optionally) SAML V1.1 Web Browser SSO.
- IdPs support authentication requests via the SAML V2.0 HTTP-Redirect binding and (optionally) the legacy Shibboleth 1.x AuthnRequest protocol.
- IdPs support SAML V2.0 Enhanced Client or Proxy (ECP) authentication requests from non-browser clients via the SAML V2.0 SOAP binding using either Basic Authentication or TLS Client Authentication.
- IdPs (optionally) support SAML V1.1 attribute queries but do not advertise support for SAML V2.0 attribute queries unless necessary.
Endpoints in SP Metadata
...
- SPs protect all endpoints with SSL/TLS.
- SPs support SAML V2.0 Web Browser SSO, the SAML V2.0 Identity Provider Discovery Protocol, and the use of XML Encryption.
- SPs support the SAML V2.0 HTTP-POST binding and (optionally) the SAML V1.1 Browser/POST profile.
- SPs (optionally) support the SAML V2.0 Enhanced Client or Proxy profile.
- SPs that support SAML V1.1 Web Browser SSO also support SAML V1.1 attribute queries.
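The endpoint rules for IdP and SP metadata above lend themselves to an automated pass over a metadata aggregate. The Go program below is an added example, not part of this page and not any federation's own tooling. It parses an EntitiesDescriptor with encoding/xml and reports each violation it can see in the metadata: a non-https Location on any endpoint (going slightly beyond the lists by covering every Location attribute in a role, SingleLogoutService and ArtifactResolutionService included), a missing HTTP-Redirect or SOAP (ECP) SingleSignOnService, an advertised SAML V2.0 AttributeService, a missing HTTP-POST AssertionConsumerService, a missing DiscoveryResponse extension endpoint, and the absence of an encryption key. The aggregate it runs on is constructed for the example (entity IDs, URLs and the placeholder certificate body are invented); the element names and binding URIs are the SAML V2.0 standard ones, and treating a DiscoveryResponse endpoint as the metadata evidence of Identity Provider Discovery Protocol support is my assumption. SP-side support for SAML V1.1 attribute queries is not visible in SP metadata and is therefore not checked.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Minimal view of SAML metadata. Tags match local names only, so namespace prefixes do
// not matter; every role child without a field of its own lands in Endpoints via ",any".
type Endpoint struct {
	XMLName  xml.Name
	Binding  string `xml:"Binding,attr"`
	Location string `xml:"Location,attr"`
}
type Role struct {
	Keys      []struct{ Use string `xml:"use,attr"` } `xml:"KeyDescriptor"`
	Disco     []Endpoint `xml:"Extensions>DiscoveryResponse"`
	Endpoints []Endpoint `xml:",any"`
}
type Entity struct {
	ID  string `xml:"entityID,attr"`
	IdP *Role  `xml:"IDPSSODescriptor"`
	SP  *Role  `xml:"SPSSODescriptor"`
}

func has(eps []Endpoint, element, binding string) bool {
	for _, e := range eps {
		if e.XMLName.Local == element && e.Binding == "urn:oasis:names:tc:SAML:2.0:bindings:"+binding {
			return true
		}
	}
	return false
}

func appendIf(f []string, cond bool, msg string) []string {
	if cond {
		return append(f, msg)
	}
	return f
}

// Check parses an EntitiesDescriptor aggregate and returns one finding per violated rule.
func Check(metadata []byte) ([]string, error) {
	var agg struct{ Entities []Entity `xml:"EntityDescriptor"` }
	if err := xml.Unmarshal(metadata, &agg); err != nil {
		return nil, err
	}
	var f []string
	for _, ent := range agg.Entities {
		for _, r := range []*Role{ent.IdP, ent.SP} {
			if r == nil {
				continue
			}
			// Shared rule: every endpoint is https; children without a Location (NameIDFormat etc.) are skipped.
			for _, e := range append(append([]Endpoint{}, r.Endpoints...), r.Disco...) {
				f = appendIf(f, e.Location != "" && !strings.HasPrefix(strings.ToLower(e.Location), "https://"),
					ent.ID+": "+e.XMLName.Local+" at "+e.Location+" is not protected with SSL/TLS")
			}
		}
		if r := ent.IdP; r != nil {
			f = appendIf(f, !has(r.Endpoints, "SingleSignOnService", "HTTP-Redirect"), ent.ID+": IdP has no HTTP-Redirect SingleSignOnService")
			f = appendIf(f, !has(r.Endpoints, "SingleSignOnService", "SOAP"), ent.ID+": IdP has no SOAP SingleSignOnService for ECP")
			f = appendIf(f, has(r.Endpoints, "AttributeService", "SOAP"), ent.ID+": IdP advertises a SAML V2.0 AttributeService; remove it unless it is needed")
		}
		if r := ent.SP; r != nil {
			enc := false
			for _, k := range r.Keys {
				enc = enc || k.Use == "" || k.Use == "encryption" // no use attribute means signing and encryption
			}
			f = appendIf(f, !has(r.Endpoints, "AssertionConsumerService", "HTTP-POST"), ent.ID+": SP has no HTTP-POST AssertionConsumerService")
			f = appendIf(f, len(r.Disco) == 0, ent.ID+": SP has no DiscoveryResponse endpoint for the IdP Discovery Protocol")
			f = appendIf(f, !enc, ent.ID+": SP metadata has no encryption key")
		}
	}
	return f, nil
}

// SampleMetadata is a constructed aggregate, not real federation data; the certificate body is a
// placeholder because only endpoints and key usage are inspected. The IdP serves ECP over plain http
// and advertises a SAML V2.0 AttributeService; the SP has only an Artifact ACS, no DiscoveryResponse
// and a signing-only key.
var SampleMetadata = []byte(`<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/profile/SAML2/Redirect/SSO"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.example.org/profile/SAML2/SOAP/ECP"/>
  <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.example.org/profile/SAML2/SOAP/AttributeQuery"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.org/Shibboleth.sso/SAML2/Artifact" index="1"/>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>`)

func main() {
	findings, err := Check(SampleMetadata)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

Against the constructed aggregate this yields five findings: the plain-http ECP endpoint, the advertised AttributeService, and the SP's missing HTTP-POST ACS, missing DiscoveryResponse and missing encryption key. The AttributeService finding is advisory in the sense of the rule above ("unless necessary"); the others are hard requirements. Because the ",any" field captures every role child with a Location, the https rule is enforced on endpoint types the sample does not contain as well.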
...