An entity ID is a globally unique name given to a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP). The first step in any permanent SAML deployment is to choose a name for the entity. Please do so carefully and deliberately.

...

An entity ID MUST be a URI. It is strongly RECOMMENDED that an entity ID be an absolute URL.

...

In particular, using URNs as entity IDs is NOT RECOMMENDED.

Note

...

InCommon will verify that all submitted entity IDs meet the following requirements:

  • An entity ID: 1) MUST be a URI, 2) SHOULD be an absolute URL, and 3) SHOULD NOT be a URN.
  • The entity ID MUST be globally unique to avoid name collisions both within the Federation and across federations.
  • If the entity ID is a URL (which is strongly RECOMMENDED), then:
    • the host part of the URL MUST be a name rooted in the organization's Primary DNS Domain
    • the URL MUST NOT contain a port number, a query string, or a fragment identifier

If a site administrator submits metadata with some other form of entity ID, a manual vetting process is triggered, which may delay the approval process.
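The checks in the list above, written out as an added example (not InCommon's own validation code). It assumes the submitting organization's Primary DNS Domain is supplied alongside the entity ID, and labels each finding with the requirement level it violates so a site administrator can see which issues would trigger manual vetting.

```python
from urllib.parse import urlparse


def check_entity_id(entity_id: str, primary_domain: str) -> list[str]:
    """Return findings for an entity ID; an empty list means it passes cleanly.

    Each finding is prefixed with its requirement level (MUST or SHOULD),
    following the InCommon requirements listed above.
    """
    findings: list[str] = []
    parsed = urlparse(entity_id)
    domain = primary_domain.lower().strip(".")

    # 1) MUST be a URI: an absolute URI always carries a scheme.
    if not parsed.scheme:
        findings.append("MUST: entity ID is not a URI (no scheme)")
        return findings  # nothing further can be checked meaningfully

    # 3) SHOULD NOT be a URN.
    if parsed.scheme.lower() == "urn":
        findings.append("SHOULD: entity ID is a URN; use an absolute URL instead")
        return findings

    # 2) SHOULD be an absolute URL, i.e. http(s) with a host part.
    if parsed.scheme.lower() not in ("http", "https") or not parsed.hostname:
        findings.append("SHOULD: entity ID is not an absolute http(s) URL")
        return findings

    # For a URL, the host MUST be rooted in the Primary DNS Domain.
    host = parsed.hostname.lower().strip(".")
    if host != domain and not host.endswith("." + domain):
        findings.append(f"MUST: host {host!r} is not rooted in {domain!r}")

    # A URL entity ID MUST NOT carry a port number, query string, or fragment.
    try:
        has_port = parsed.port is not None
    except ValueError:  # non-numeric port: still a port component
        has_port = True
    if has_port:
        findings.append("MUST: URL contains a port number")
    if parsed.query:
        findings.append("MUST: URL contains a query string")
    if parsed.fragment:
        findings.append("MUST: URL contains a fragment identifier")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real registration.
    for eid in ("https://idp.example.edu/idp/shibboleth",
                "urn:mace:incommon:example.edu",
                "https://sso.example.com:8443/idp?x=1#top"):
        print(eid, "->", check_entity_id(eid, "example.edu") or "OK")
```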

A common misconception is that the entity ID must match the endpoint locations for the deployment. This is not required and is often not the case. Endpoint locations must be resolvable DNS names, whereas the entity ID only needs to accurately reflect the organization that owns the entity. An entity ID may or may not actually resolve to a web resource. (If it does, it is usually a page that describes the deployment.)

...