The information on this page has been superseded and should be regarded as historical. For most purposes, you should use the current edition of this document instead.

7 SAML V2.0 Browser SSO Deployment Profile

This profile provides requirements and recommendations to deployers of the SAML V2.0 Web Browser SSO Profile [SAML2Prof]. It is layered on, and supplements, the following profiles:

  1. InCommon SAML V2.0 Browser SSO Deployment Profile from [ICSAML2]

  2. Interoperable SAML 2.0 Web Browser SSO Deployment Profile [SAML2Int]

Deployments SHOULD make use of the recommendations contained in [ICSAML2] and [SAML2Int] except where they conflict with this profile. In such cases, this profile MUST be regarded as taking precedence.

Normative requirements of this profile are enforced by the UK federation registrar; metadata not meeting these requirements will not be registered.

7.1 Metadata and Trust Management

It is the responsibility of each deployment to incorporate the metadata supplied by the UK federation into its trust management infrastructure. It is RECOMMENDED that use of the metadata conforms to the SAML V2.0 Metadata Interoperability Profile Version 1.0 [MetaIOP] and that metadata be updated at least daily. Metadata update with a higher frequency than once every six hours is NOT RECOMMENDED unless constrained by use of the “ETag” header for cache management. Metadata update with a higher frequency than once every hour is NOT RECOMMENDED.

The use of TLS for Assertion Consumer Service endpoints is REQUIRED.

Provision of metadata supporting the Identity Provider Discovery Service Protocol Profile [IdPDisco] is RECOMMENDED.

7.2 Attributes

It is RECOMMENDED that any <saml2:Attribute> elements exchanged via any SAML 2.0 messages, assertions, or metadata conform to the MACE-Dir Attribute Profile for SAML 2.0 [MACEAttr]. This includes any use of <md:RequestedAttribute> elements in entity metadata.

7.3 Authentication Requests

7.3.1 Binding and Security Requirements

The use of TLS on endpoints at which an Identity Provider receives a <saml2p:AuthnRequest> message, and for all all subsequent exchanges with the user agent, is REQUIRED.

7.4 Responses

7.4.1 Binding and Security Requirements

The use of TLS on endpoints at which a Service Provider receives a <saml2p:Response> message is REQUIRED.

7.5 Future Directions

7.5.1 [SAML2Int] Move to Kantara

The [SAML2Int] specification was developed independently rather than within a formal standards body. It is anticipated that this specification will be migrated to the Kantara initiative and brought under that organisation’s change control.

Once the migration process has been completed, this specification will be modified to refer to the stable Kantara-based version of [SAML2Int].