SAML Metadata Profile (Draft Proposal)
- An OpenID 2.0-compliant role descriptor's protocolSupportEnumeration MUST include the value
- An OpenID Provider MUST include an <IDPSSODescriptor> element and a <SingleSignOnService> element with a
- An OpenID Relying Party MUST include an <SPSSODescriptor> element and an <AssertionConsumerService> element with a
The OpenID protocol does not support authentication of the IdP to the SP, and therefore no <KeyDescriptor> is required in the
Neither is a <KeyDescriptor> required in the <SPSSODescriptor> element, but it MAY be included to provide a credential by which the IdP can choose to verify the identity in control of a response URL (by matching it to the TLS credential, for example).
OpenID does not explicitly provide URIs for identifying entities; therefore the following practice is recommended:
- The entityID for an OpenID Provider SHOULD be the OpenID endpoint URL. This is the value passed as the openid.op_endpoint parameter in Positive Assertion messages.
- The entityID for an OpenID Relying Party SHOULD be the realm URL. This is the value passed as the openid.realm parameter in Authentication Request messages.
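The following validator is an added example, not part of the draft profile, that checks a SAML metadata document against the role-descriptor rules and the entityID recommendations above. It assumes the standard SAML 2.0 metadata namespace, uses a clearly labelled placeholder for the protocolSupportEnumeration value the draft leaves unstated, treats the <SingleSignOnService> Location as the OP endpoint URL, and applies a simplified version of the OpenID 2.0 realm-matching rules to compare an RP's entityID (its realm) with its <AssertionConsumerService> Location. The metadata documents embedded below are constructed for the example.

```python
"""Checks for the OpenID 2.0 SAML metadata profile described on this page.
Added example: the SAML metadata namespace is the real one; the OpenID
protocol URI is a PLACEHOLDER because the draft text does not state it."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"          # SAML 2.0 metadata namespace
OPENID_PROTOCOL_URI = "urn:example:openid-2.0-protocol-uri-PLACEHOLDER"  # ASSUMED placeholder


def q(local):
    """Qualified tag name in the metadata namespace."""
    return f"{{{MD}}}{local}"


def role_supports(role, uri):
    """protocolSupportEnumeration is a space-separated list of protocol URIs."""
    return uri in role.get("protocolSupportEnumeration", "").split()


def realm_matches(realm, url):
    """Simplified OpenID 2.0 realm check (assumption, not the profile's own text):
    same scheme and port, URL path under the realm path, host equal to the realm
    host or, for a '*.' wildcard realm, any host ending in the realm's suffix."""
    r, u = urlsplit(realm), urlsplit(url)
    if r.scheme != u.scheme or r.port != u.port:
        return False
    if r.hostname.startswith("*."):
        host_ok = u.hostname.endswith(r.hostname[1:])   # keep the leading '.'
    else:
        host_ok = u.hostname == r.hostname
    return host_ok and u.path.startswith(r.path or "/")


def check_op_metadata(xml_text):
    """Return findings (empty list = conforms) for an OpenID Provider's metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find(q("IDPSSODescriptor"))
    if idp is None:
        return ["OP MUST carry an <IDPSSODescriptor> element"]
    findings = []
    if not role_supports(idp, OPENID_PROTOCOL_URI):
        findings.append("protocolSupportEnumeration lacks the OpenID 2.0 protocol URI")
    sso = idp.find(q("SingleSignOnService"))
    if sso is None:
        findings.append("<IDPSSODescriptor> MUST contain a <SingleSignOnService> element")
    elif root.get("entityID") != sso.get("Location"):
        # Assumption: the SingleSignOnService Location is the OP endpoint URL.
        findings.append("entityID SHOULD equal the OP endpoint URL")
    return findings


def check_rp_metadata(xml_text):
    """Return findings (empty list = conforms) for an OpenID Relying Party's metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find(q("SPSSODescriptor"))
    if sp is None:
        return ["RP MUST carry an <SPSSODescriptor> element"]
    findings = []
    if not role_supports(sp, OPENID_PROTOCOL_URI):
        findings.append("protocolSupportEnumeration lacks the OpenID 2.0 protocol URI")
    acs = sp.find(q("AssertionConsumerService"))
    if acs is None:
        findings.append("<SPSSODescriptor> MUST contain an <AssertionConsumerService> element")
    elif not realm_matches(root.get("entityID", ""), acs.get("Location", "")):
        findings.append("entityID SHOULD be the realm; the response URL does not fall under it")
    return findings


# Constructed sample metadata (hosts and URLs are made up for this example).
OP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://op.example.org/openid">
  <IDPSSODescriptor protocolSupportEnumeration="{OPENID_PROTOCOL_URI}">
    <SingleSignOnService Binding="urn:example:binding-PLACEHOLDER"
                         Location="https://op.example.org/openid"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

RP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://rp.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="{OPENID_PROTOCOL_URI}">
    <AssertionConsumerService Binding="urn:example:binding-PLACEHOLDER"
                              Location="https://rp.example.org/openid/return"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

BROKEN_OP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://op.example.org/openid">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc, fn in (("OP", OP_METADATA, check_op_metadata),
                           ("RP", RP_METADATA, check_rp_metadata),
                           ("broken OP", BROKEN_OP_METADATA, check_op_metadata)):
        print(label, fn(doc) or "conforms")
```

The realm comparison is the security-relevant check for the RP: an entityID that is the realm only identifies the party in control of the response URL if that URL actually falls under the realm, so a metadata registrar would want to reject the pair before trusting it.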