An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity. As with any unique identifier you share in order to interoperate with others, making sure your identifier is clear, unique, and permanent is critical to the continued operation of your service(s). Choose your entity ID carefully and deliberately.
To ensure your Entity ID is globally unique, the InCommon Federation asks that your Entity ID be in the form of a uniform resource locator (URL). The DNS domain in the URL must be one for which you can demonstrate control, typically a domain belonging to your organization. InCommon performs domain control validation on the domain used in your entity ID to verify that control.
Services that interoperate with you use your entity ID to look up your metadata. Changing an entity ID once your service (IdP or SP) is in operation leads to complicated change management efforts spanning multiple organizations. Choose an identifier that will not have to change when you switch out technology, network topology, product versions, cloud service providers, or anything else that is likely to change over time.
An entity ID is a name. It need not be a resolvable web location. SAML entity IDs must be Uniform Resource Identifiers (URIs). Because a URL is the more familiar form of URI, we adopt the URL as the preferred format for an entity ID. Although it takes the form of a URL, an entity ID is a persistent identifier, not a web location, and it need not resolve to an actual web resource. If you do make your entity ID a resolvable web link, the link should point to a web page that describes your service and states that the location is an identifier for your service.
The domain in the entity ID need not match the domains in the endpoint locations in your metadata. A common misconception is that the entity ID must match the deployment's endpoint locations; this is not required. The entity ID should accurately reflect the organization that owns the entity. Endpoint locations, on the other hand, are URLs with resolvable DNS names that relying parties actually contact, so they may legitimately point at a hosting provider or vendor domain.
In the early days of the Federation, InCommon assigned a URN (Uniform Resource Name) to all new IdPs, based on the IdP's primary DNS domain name:
You may still see such URN entity IDs in the InCommon metadata. They are legal, and you should accept them as valid entity IDs. However, InCommon no longer issues URNs to IdPs, and we no longer allow URNs as entity IDs for newly registered entities.
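The following is an added example, not InCommon tooling or text from the original page. It puts the rules above into a small pre-registration check: it pulls the `entityID` and endpoint locations out of a constructed SAML metadata snippet, confirms that an entity ID is an absolute URI in URL form under a domain you control, flags components likely to change over time (product versions, environment names), and treats `urn:` identifiers as legacy values that are valid in existing metadata but rejected for new registrations. The list of controlled domains, the volatility heuristic, the sample metadata, and the `urn:example:...` identifier are all assumptions made up for the example; the page does not show the actual legacy URN form.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample metadata (not real InCommon metadata). The entityID's
# domain (idp.example.edu) deliberately differs from the endpoint host
# (sso-prod-03.cloudvendor.example); the text says this mismatch is fine.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso-prod-03.cloudvendor.example/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Heuristic (assumption): path or host components that usually change when
# the deployment changes, and therefore should not appear in an entity ID.
VOLATILE = re.compile(r"\b(v\d+|prod|dev|test|staging)\b|\d+\.\d+", re.I)


def extract_entity_id_and_endpoints(metadata_xml):
    """Return (entityID, [endpoint Location URLs]) from an EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    # Every SAML endpoint element carries a Location attribute.
    endpoints = [el.get("Location") for el in root.iter() if el.get("Location")]
    return entity_id, endpoints


def check_entity_id(entity_id, controlled_domains, new_registration=True):
    """Return a list of problems with a proposed entity ID; [] means it passes.

    controlled_domains: domains the organization has demonstrated control of
    (assumption: supplied by the operator, e.g. ["example.edu"]).
    new_registration: False when checking an identifier already in metadata,
    where legacy URNs must still be accepted.
    """
    problems = []
    parsed = urlparse(entity_id)

    if not parsed.scheme:
        problems.append("not an absolute URI (no scheme)")
        return problems

    if parsed.scheme == "urn":
        # Legacy URNs are valid identifiers but are no longer issued or accepted.
        if new_registration:
            problems.append("URN entity IDs are no longer accepted for new registrations")
        return problems

    if parsed.scheme not in ("http", "https"):
        problems.append(f"scheme {parsed.scheme!r} is not the URL form")
        return problems

    host = (parsed.hostname or "").lower()
    if not host:
        problems.append("URL has no host")
        return problems

    domains = [d.lower() for d in controlled_domains]
    if not any(host == d or host.endswith("." + d) for d in domains):
        problems.append(f"host {host!r} is not under a domain you control")

    hit = VOLATILE.search(entity_id)
    if hit:
        problems.append(f"identifier contains a likely-volatile component {hit.group(0)!r}")

    return problems


def entity_id_matches_endpoints(entity_id, endpoints):
    """True if every endpoint host equals the entity ID host; False is acceptable."""
    eid_host = (urlparse(entity_id).hostname or "").lower()
    return all((urlparse(e).hostname or "").lower() == eid_host for e in endpoints)


if __name__ == "__main__":
    eid, eps = extract_entity_id_and_endpoints(SAMPLE_METADATA)
    print("entityID:", eid, "->", check_entity_id(eid, ["example.edu"]) or "OK")
    for ep in eps:
        # Using an endpoint URL as the entity ID is the anti-pattern the text warns about.
        print("endpoint as entityID:", ep, "->", check_entity_id(ep, ["example.edu"]))
    print("endpoint hosts match entityID host:", entity_id_matches_endpoints(eid, eps))
```

Running the script shows the entity ID passing while the vendor-hosted endpoint URL fails twice (uncontrolled domain and the `prod` component), which is exactly why the endpoint location should not be reused as the identifier.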