6 SAML V2.0 Browser SSO Implementation Profile
This profile specifies behaviour and options that implementations of the SAML V2.0 Web Browser SSO Profile [SAML2Prof] are required to support. It is layered on, and supplements, the InCommon SAML V2.0 Browser SSO Implementation Profile from [ICSAML2].
Compliance with this profile is RECOMMENDED for all SAML products intended for use within the UK federation.
Although the UK federation does not mandate compliance with this profile as a requirement for deployment, software which does not comply with this profile may not interoperate with a significant proportion of other entities and deployment of such software is therefore NOT RECOMMENDED.
Implementations MUST comply with all normative requirements of the InCommon SAML V2.0 Browser SSO Implementation Profile [ICSAML2], except that for the time being the following requirements are relaxed:
support of the use of the “
ETag” header for metadata cache management is strongly RECOMMENDED
support of the Identity Provider Discovery Service Protocol Profile in conformance with section 2.4.1 of [IdPDisco] is strongly RECOMMENDED
Implementations SHOULD include support for all non-normative recommendations of [ICSAML2].
Implementations MUST support the verification of digital signatures over
metadata documents where the digital signature makes use of the SHA-256
cryptographic hash function as defined in
[FIPS180-4]. SHA-256 MUST be supported both as
<ds:DigestMethod> and as a component of the
Implementations SHOULD support the verification of digital signatures over both
metadata and SAML messages where the digital signature makes use of SHA-256,
SHA-384 or SHA- 512, see [FIPS180-4]. Each such
function SHOULD be supported as the
<ds:DigestMethod> and as a component of
<ds:SignatureMethod>. Support for SHA-224 is OPTIONAL.
Implementations SHOULD support a deployment option allowing the selection of the
cryptographic hash functions to use when generating digital signatures over SAML
messages. To avoid accidental misconfiguration, it is RECOMMENDED that a single
configuration option be provided to select the cryptographic hash function to
use in both the