7 SAML V2.0 Browser SSO Deployment Profile
This profile provides requirements and recommendations to deployers of the SAML V2.0 Web Browser SSO Profile [SAML2Prof]. It is layered on, and supplements, the following profiles:
InCommon SAML V2.0 Browser SSO Deployment Profile from [ICSAML2]
Interoperable SAML 2.0 Web Browser SSO Deployment Profile [SAML2Int]
Deployments SHOULD make use of the recommendations contained in [ICSAML2] and [SAML2Int] except where they conflict with this profile. In such cases, this profile MUST be regarded as taking precedence.
Normative requirements of this profile are enforced by the UK federation registrar; metadata not meeting these requirements will not be registered.
7.1 Metadata and Trust Management
It is the responsibility of each deployment to incorporate the metadata supplied
by the UK federation into its trust management infrastructure. It is RECOMMENDED
that use of the metadata conforms to the SAML V2.0 Metadata Interoperability
Profile Version 1.0 [SAML2MIOP] and that metadata be
updated at least daily. Metadata update with a higher frequency than once every
six hours is NOT RECOMMENDED unless constrained by use of the “
for cache management. Metadata update with a higher frequency than once every
hour is NOT RECOMMENDED.
The use of TLS for Assertion Consumer Service endpoints is REQUIRED.
Provision of metadata supporting the Identity Provider Discovery Service Protocol Profile [IdPDisco] is RECOMMENDED.
It is RECOMMENDED that any
<saml2:Attribute> elements exchanged via any SAML
2.0 messages, assertions, or metadata conform to the MACE-Dir Attribute Profile
for SAML 2.0 [MACEAttr]. This includes any use of
<md:RequestedAttribute> elements in entity metadata.
7.3 Authentication Requests
7.3.1 Binding and Security Requirements
The use of TLS on endpoints at which an Identity Provider receives a
<saml2p:AuthnRequest> message, and for all all subsequent exchanges with the
user agent, is REQUIRED.
7.4.1 Binding and Security Requirements
The use of TLS on endpoints at which a Service Provider receives a
<saml2p:Response> message is REQUIRED.
[SAML2Int] Move to Kantara
The [SAML2Int] specification was developed independently rather than within a formal standards body. It is anticipated that this specification will be migrated to the Kantara initiative and brought under that organisation’s change control.
Once the migration process has been completed, this specification will be modified to refer to the stable Kantara-based version of [SAML2Int].