This document contains DRAFT material intended for discussion and comment by the InCommon participant community. Comments and questions should be sent to the InCommon participants mailing list.
This page gives guidance and recommendations regarding endpoints in IdP metadata. Endpoints in metadata are crucial to the overall security of SAML protocol exchanges: an SP trusts the Location of each endpoint it finds in metadata and sends its requests (and the user's browser) there, so an endpoint that is missing, wrong, or not TLS-protected undermines the whole exchange.
Protocol Endpoints in IdP Metadata
The most important endpoint in IdP metadata is the <md:SingleSignOnService> endpoint. Every IdP MUST have at least one such endpoint in metadata. In general, an IdP includes an <md:SingleSignOnService> endpoint for each combination of binding and protocol it wishes to support.
In the InCommon Federation, every IdP that supports SP-initiated SAML V2.0 Web Browser SSO MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the SAML V2.0 HTTP-Redirect binding. (Other SAML V2.0 HTTP bindings, such as the HTTP-POST binding or the HTTP-POST-SimpleSign binding, MAY be supported.) Likewise, every IdP that supports the legacy Shibboleth profile of SAML V1.1 MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
An IdP that supports SAML V2.0 Artifact Resolution (or the SAML V1.1 Browser/Artifact profile) MUST include one or more <md:ArtifactResolutionService> endpoints in metadata (at least one per protocol). Support for artifact resolution is OPTIONAL, but some SPs don't function well with a POST-based model, so IdPs SHOULD support artifact resolution to avoid problems with those SPs.
Finally, IdPs that support attribute query MUST have one or more <md:AttributeService> endpoints in metadata. This is typically only a SAML V1.1 consideration, however. Generally, an <md:AttributeService> endpoint that supports the SAML V2.0 SOAP binding SHOULD NOT be included in IdP metadata, to avoid unnecessary queries from SAML V2.0 SPs.
Recommended Practices
- IdPs protect all endpoints with SSL/TLS.
- IdPs support SAML V2.0 (and optionally SAML V1.1).
- IdPs support authentication requests via the SAML V2.0 HTTP-Redirect binding and (optionally) the legacy Shibboleth 1.x AuthnRequest protocol.
- IdPs support SAML V2.0 Enhanced Client or Proxy (ECP) authentication requests from non-browser clients via the SAML V2.0 SOAP binding using either HTTP Basic Authentication or TLS Client Authentication.
- IdPs (optionally) support SAML V1.1 attribute queries but do not advertise support for SAML V2.0 attribute queries unless necessary.
Technical Details
Support for SAML V2.0 Web Browser SSO is STRONGLY RECOMMENDED:
- IdPs that participate in SP-initiated flows MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the SAML V2.0 HTTP-Redirect binding.
- IdPs MAY include an <md:ArtifactResolutionService> endpoint that supports the SAML V2.0 SOAP binding. This endpoint SHOULD be protected by SSL/TLS.
- IdPs SHOULD NOT include an <md:AttributeService> endpoint that supports the SAML V2.0 SOAP binding.
- IdPs MUST support the urn:oasis:names:tc:SAML:2.0:nameid-format:transient name identifier format and SHOULD support the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent name identifier format.
Support for SAML V2.0 Enhanced Client or Proxy is RECOMMENDED:
- IdPs SHOULD include an <md:SingleSignOnService> endpoint that supports the SAML V2.0 SOAP binding with either HTTP Basic Authentication or TLS Client Authentication. This endpoint SHOULD be protected by SSL/TLS. (Note that with HTTP Basic Authentication the user's password travels in the ECP request itself, so in practice the endpoint cannot safely be offered without TLS.)
Support for SAML V1.1 Web Browser SSO is OPTIONAL:
- IdPs that participate in SP-initiated flows MUST include an SSL/TLS-protected <md:SingleSignOnService> endpoint that supports the Shibboleth 1.x AuthnRequest protocol.
- IdPs MAY include an <md:ArtifactResolutionService> endpoint that supports the SAML V1.1 SOAP binding and the SAML V1.1 Browser/Artifact profile. This endpoint SHOULD be protected by SSL/TLS.
- IdPs SHOULD include an <md:AttributeService> endpoint that supports the SAML V1.1 SOAP binding. This endpoint SHOULD be protected by SSL/TLS.
- IdPs MUST support the urn:mace:shibboleth:1.0:nameIdentifier transient name identifier format.
The following fragment shows the endpoints described above as they would appear in IdP metadata (the SAML V1.1 <md:AttributeService> belongs in the IdP's <md:AttributeAuthorityDescriptor>; the rest belong in its <md:IDPSSODescriptor>):

<!-- SAML V2.0 -->
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
<md:ArtifactResolutionService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>

<!-- SAML V1.1 -->
<md:SingleSignOnService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
    Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
<md:AttributeService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
    Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
<md:ArtifactResolutionService xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
    Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution"/>
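The Recommended Practices and Technical Details above are mechanical enough to check before metadata is submitted. The script below is an added example, not part of this InCommon page or of any IdP software: it encodes the MUST/SHOULD/SHOULD NOT rules as checks over an <md:EntityDescriptor> and returns the violations. It searches the whole entity because <md:AttributeService> lives in <md:AttributeAuthorityDescriptor> rather than <md:IDPSSODescriptor>, and it treats the <md:NameIDFormat> elements in the IDPSSODescriptor as the signal for which name identifier formats the IdP supports (an assumption; the page speaks only of supporting the formats). Both metadata documents are constructed samples built from the endpoints in the fragment above; the entityID and the misconfigured second document are invented for the example.

```python
"""Lint the protocol endpoints an IdP advertises in its SAML metadata (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAML2_SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML1_SOAP = "urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
SHIB_AUTHNREQUEST = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SAML2_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SAML2_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SHIB_NAMEID = "urn:mace:shibboleth:1.0:nameIdentifier"


def _md(local):
    """Clark-notation name of an element in the SAML metadata namespace."""
    return f"{{{MD}}}{local}"


def _endpoints(root, local):
    """(Binding, Location) pairs for every <md:local> element anywhere under root."""
    # Whole-entity search: <md:AttributeService> sits in the AttributeAuthorityDescriptor.
    return [(e.get("Binding", ""), e.get("Location", "")) for e in root.iter(_md(local))]


def lint_idp_metadata(xml_text):
    """Return the list of rules the metadata violates; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    findings = []
    sso = _endpoints(root, "SingleSignOnService")
    ars = _endpoints(root, "ArtifactResolutionService")
    attr = _endpoints(root, "AttributeService")

    # Recommended practice: every advertised endpoint is SSL/TLS-protected.
    for binding, location in sso + ars + attr:
        if urlparse(location).scheme != "https":
            findings.append(f"MUST: endpoint not TLS-protected: {location} ({binding})")

    sso_bindings = {binding for binding, _ in sso}
    if not sso:
        findings.append("MUST: no <md:SingleSignOnService> endpoint at all")
    if HTTP_REDIRECT not in sso_bindings:
        findings.append("MUST: no SAML V2.0 HTTP-Redirect <md:SingleSignOnService> endpoint")
    if SAML2_SOAP not in sso_bindings:
        findings.append("SHOULD: no SAML V2.0 SOAP <md:SingleSignOnService> endpoint for ECP")

    # A SAML V2.0 attribute query endpoint invites unnecessary back-channel queries from V2.0 SPs.
    for binding, location in attr:
        if binding == SAML2_SOAP:
            findings.append(f"SHOULD NOT: SAML V2.0 SOAP <md:AttributeService> advertised: {location}")

    # Assumption: the <md:NameIDFormat> elements tell us which formats the IdP supports.
    idp = root.find(f".//{_md('IDPSSODescriptor')}")
    formats = set()
    if idp is not None:
        formats = {e.text.strip() for e in idp.findall(_md("NameIDFormat")) if e.text}
    if SAML2_TRANSIENT not in formats:
        findings.append("MUST: SAML V2.0 transient NameIDFormat not advertised")
    if SAML2_PERSISTENT not in formats:
        findings.append("SHOULD: SAML V2.0 persistent NameIDFormat not advertised")

    # Legacy SAML V1.1 support is optional, but once advertised it brings its own rules.
    if SHIB_AUTHNREQUEST in sso_bindings:
        if not any(binding == SAML1_SOAP for binding, _ in attr):
            findings.append("SHOULD: Shibboleth 1.x SSO advertised without a SAML V1.1 SOAP <md:AttributeService>")
        if SHIB_NAMEID not in formats:
            findings.append("MUST: Shibboleth 1.x SSO advertised without the transient nameIdentifier format")
    return findings


# Constructed sample (not real metadata): the page's endpoints plus the required NameIDFormats.
GOOD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">
    <md:ArtifactResolutionService Binding="{SAML2_SOAP}" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:ArtifactResolutionService Binding="{SAML1_SOAP}" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/ArtifactResolution" index="2"/>
    <md:NameIDFormat>{SAML2_TRANSIENT}</md:NameIDFormat>
    <md:NameIDFormat>{SAML2_PERSISTENT}</md:NameIDFormat>
    <md:NameIDFormat>{SHIB_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="{SAML2_SOAP}" Location="https://idp.example.org/idp/profile/SAML2/SOAP/ECP"/>
    <md:SingleSignOnService Binding="{SHIB_AUTHNREQUEST}" Location="https://idp.example.org/idp/profile/Shibboleth/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:AttributeService Binding="{SAML1_SOAP}" Location="https://idp.example.org:8443/idp/profile/SAML1/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""

# Constructed misconfigured sample: plain-http Redirect endpoint, SAML V2.0 attribute query, no NameIDFormat.
BAD_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="http://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="{SAML2_SOAP}" Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>"""
```

Calling lint_idp_metadata(GOOD_METADATA) returns an empty list, while lint_idp_metadata(BAD_METADATA) returns five findings: the non-TLS Redirect endpoint, the missing ECP endpoint, the SAML V2.0 attribute query endpoint that SHOULD NOT be there, and the two missing SAML V2.0 name identifier formats. Run it against a real aggregate by passing each <md:EntityDescriptor> in turn; the script deliberately stops at the rules on this page and does not validate the metadata against the SAML schema.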