6 SAML V2.0 Browser SSO Implementation Profile

This profile specifies behaviour and options that implementations of the SAML V2.0 Web Browser SSO Profile [SAML2Prof] are required to support. It is layered on, and supplements, the InCommon SAML V2.0 Browser SSO Implementation Profile from [ICSAML2].

Compliance with this profile is RECOMMENDED for all SAML products intended for use within the UK federation.

Although the UK federation does not mandate compliance with this profile as a requirement for deployment, software which does not comply with this profile may not interoperate with a significant proportion of other entities and deployment of such software is therefore NOT RECOMMENDED.

Implementations MUST comply with all normative requirements of [SAML2Prof], as modified by the Approved Errata [SAML2Err].

Implementations MUST comply with all normative requirements of the InCommon SAML V2.0 Browser SSO Implementation Profile [ICSAML2], except that for the time being the following requirements are relaxed:

Implementations SHOULD include support for all non-normative recommendations of [ICSAML2].

Implementations MUST support the verification of digital signatures over metadata documents where the digital signature makes use of the SHA-256 cryptographic hash function as defined in [FIPS180-4]. SHA-256 MUST be supported both as the <ds:DigestMethod> and as a component of the <ds:SignatureMethod>.

Implementations SHOULD support the verification of digital signatures over both metadata and SAML messages where the digital signature makes use of SHA-256, SHA-384 or SHA-512, see [FIPS180-4]. Each such function SHOULD be supported as the <ds:DigestMethod> and as a component of the <ds:SignatureMethod>. Support for SHA-224 is OPTIONAL.

Implementations SHOULD support a deployment option allowing the selection of the cryptographic hash functions to use when generating digital signatures over SAML messages. To avoid accidental misconfiguration, it is RECOMMENDED that a single configuration option be provided to select the cryptographic hash function to use in both the <ds:DigestMethod> and <ds:SignatureMethod> contexts.
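The two algorithm slots named above, <ds:DigestMethod> and <ds:SignatureMethod>, are independent in XML Signature, so a verifier has to check both, and a signer that exposes two settings can end up with a strong digest and a weak signature algorithm or vice versa. The following Python is an added illustration written for this profile; it is not code from the UK federation, InCommon or any SAML product. It shows (a) a pre-verification policy gate that reads a ds:SignedInfo and reports whether every algorithm URI it carries maps to a hash function this profile names, and (b) the single-knob configuration the last paragraph recommends, where one hash name selects both URIs. The algorithm URIs are the standard XML Signature / RFC 6931 identifiers; the accepted-hash set, the function names and the SignedInfo samples are constructed for the example, and SHA-1 is rejected only because the profile does not list it. The gate does no cryptography itself: the actual signature verification still happens afterwards in the XML-DSig library.

```python
"""Algorithm policy for XML signatures over SAML metadata and messages (example)."""
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Digest algorithm URIs (XML Signature / XML Encryption / RFC 6931), by hash function.
DIGEST_URIS = {
    "sha1":   "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha224": "http://www.w3.org/2001/04/xmldsig-more#sha224",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
    "sha384": "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "sha512": "http://www.w3.org/2001/04/xmlenc#sha512",
}

# Signature algorithm URIs for RSA and ECDSA keys, by hash function.
SIGNATURE_URIS = {
    "rsa": {
        "sha1":   "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
        "sha224": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha224",
        "sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
        "sha384": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
        "sha512": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    },
    "ecdsa": {
        "sha1":   "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1",
        "sha224": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224",
        "sha256": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
        "sha384": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
        "sha512": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
    },
}

# Policy chosen for this example: the hash functions the profile names
# (SHA-256 MUST, SHA-384/512 SHOULD, SHA-224 OPTIONAL). SHA-1 is absent on purpose.
ACCEPTED_HASHES = frozenset({"sha224", "sha256", "sha384", "sha512"})


def hash_of(uri):
    """Return the hash-function name implied by a digest or signature URI, or None."""
    for name, digest_uri in DIGEST_URIS.items():
        if uri == digest_uri:
            return name
    for per_key in SIGNATURE_URIS.values():
        for name, sig_uri in per_key.items():
            if uri == sig_uri:
                return name
    return None


def signing_algorithms(hash_name, key_type="rsa"):
    """Single configuration option for signers: one hash name yields both the
    DigestMethod and the SignatureMethod URI, so the two cannot drift apart."""
    if hash_name not in ACCEPTED_HASHES:
        raise ValueError("hash function not permitted for signing: %s" % hash_name)
    return DIGEST_URIS[hash_name], SIGNATURE_URIS[key_type][hash_name]


def check_signed_info(xml_text):
    """Policy gate run before cryptographic verification.
    Returns (accepted, reasons); reasons is empty when every slot is acceptable."""
    root = ET.fromstring(xml_text)
    tag = "{%s}SignedInfo" % DS_NS
    signed_info = root if root.tag == tag else root.find(".//" + tag)
    if signed_info is None:
        return False, ["no ds:SignedInfo element"]
    reasons = []
    sig_method = signed_info.find("{%s}SignatureMethod" % DS_NS)
    sig_uri = sig_method.get("Algorithm", "") if sig_method is not None else ""
    if hash_of(sig_uri) not in ACCEPTED_HASHES:
        reasons.append("SignatureMethod not accepted: %s" % (sig_uri or "missing"))
    # Every ds:Reference carries its own DigestMethod; each one is checked.
    for ref in signed_info.findall("{%s}Reference" % DS_NS):
        digest = ref.find("{%s}DigestMethod" % DS_NS)
        digest_uri = digest.get("Algorithm", "") if digest is not None else ""
        if hash_of(digest_uri) not in ACCEPTED_HASHES:
            reasons.append("DigestMethod not accepted: %s" % (digest_uri or "missing"))
    return not reasons, reasons


# Constructed sample: both slots use SHA-256 (digest value is a placeholder).
GOOD_SIGNED_INFO = """<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference URI="#_example">
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>AAAA</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>"""

# Constructed sample: strong signature algorithm but a SHA-1 digest, the mismatch
# a single configuration knob is meant to prevent and a verifier must still catch.
MIXED_SIGNED_INFO = GOOD_SIGNED_INFO.replace(
    "http://www.w3.org/2001/04/xmlenc#sha256", "http://www.w3.org/2000/09/xmldsig#sha1")

if __name__ == "__main__":
    print(check_signed_info(GOOD_SIGNED_INFO))
    print(check_signed_info(MIXED_SIGNED_INFO))
    print(signing_algorithms("sha256"))
```

Wiring `check_signed_info` in front of the XML-DSig library's verify call gives the deployment a place to log and reject metadata or messages signed with algorithms outside the configured set, while `signing_algorithms` is the shape of the single option the profile recommends for the signing side.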