
Configuring Metadata for Discovery

If your SP supports SAML V2.0, and the SP is configured to use the SAML V2.0 Identity Provider Discovery Protocol, you must configure your SP's metadata to include one or more <idpdisc:DiscoveryResponse> elements. If you don't, a request to a properly configured discovery service endpoint (such as the InCommon Discovery Service) will fail.

If you inspect InCommon metadata, you will find extension endpoints such as the following in SP metadata:

<idpdisc:DiscoveryResponse> metadata extension element:

    <idpdisc:DiscoveryResponse
        xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
        Location="https://carmenwiki.osu.edu/Shibboleth.sso/Login" index="1"/>

The namespace and Binding attributes attached to the <idpdisc:DiscoveryResponse> element are defined in the SAML V2.0 Identity Provider Discovery Protocol and Profile specification. The endpoint Location is the return address for the SP, that is, the URL the Discovery Service redirects the browser back to once the user's preferred IdP has been determined.


Likewise, if your SP is configured to issue SAML V2.0 authentication requests, you must add one or more SAML V2.0 <md:AssertionConsumerService> endpoints to your metadata. (The same is true of SAML V1.1, by the way.) Failure to do so will result in errors when such requests are issued to IdPs, since your metadata will lack sufficient support for the desired protocol.
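The two metadata requirements above can be checked before metadata is submitted. The following is an added example, not code from the wiki page or from any federation tool: it parses a constructed SP metadata document (placeholder entityID and Locations) with the standard library and reports a missing <idpdisc:DiscoveryResponse>, a wrong Binding on it, a non-https Location (an extra check this page does not mention), and a declared SAML V2.0 protocol with no SAML V2.0 <md:AssertionConsumerService>.

```python
# Added example (not from the original wiki page): check that an SP's SAML
# metadata carries the endpoints that discovery and SAML V2.0 requests need.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}
IDPDISC_BINDING = "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample SP metadata; entityID and Location values are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <idpdisc:DiscoveryResponse index="1"
          Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://sp.example.org/Shibboleth.sso/Login"/>
    </md:Extensions>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return a list of problems found; an empty list means the checks passed."""
    problems = []
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no md:SPSSODescriptor found"]
    # Discovery: at least one DiscoveryResponse, with the idpdisc Binding and an https return URL.
    disc = sp.findall("md:Extensions/idpdisc:DiscoveryResponse", NS)
    if not disc:
        problems.append("no idpdisc:DiscoveryResponse in md:Extensions")
    for d in disc:
        if d.get("Binding") != IDPDISC_BINDING:
            problems.append(f"DiscoveryResponse has wrong Binding: {d.get('Binding')}")
        if not (d.get("Location") or "").startswith("https://"):
            problems.append("DiscoveryResponse Location is not https")
    # SAML V2.0 requests need at least one SAML V2.0 AssertionConsumerService endpoint.
    protocols = (sp.get("protocolSupportEnumeration") or "").split()
    saml2_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                 if "SAML:2.0:bindings" in (a.get("Binding") or "")]
    if SAML2_PROTOCOL in protocols and not saml2_acs:
        problems.append("SAML V2.0 declared but no SAML V2.0 AssertionConsumerService")
    return problems
```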

...

Of course, if your SP supports both SAML V1.1 and SAML V2.0, you have a choice, but SAML V2.0 is clearly preferred since it is more secure and offers a much richer set of deployment options. Note that some SP implementations are sophisticated enough to make a runtime decision based on the supported protocols called out in IdP metadata.

...