The protocolSupportEnumeration attribute MUST include the value http://specs.openid.net/auth/2.0.

An OpenID Provider (IdP) is described by an <IDPSSODescriptor> element and a <SingleSignOnService> element with a Binding value of http://specs.openid.net/auth/2.0.

A Relying Party (SP) is described by an <SPSSODescriptor> element and an <AssertionConsumerService> element with a Binding value of http://specs.openid.net/auth/2.0.
The OpenID protocol does not support authentication of the IdP to the SP, and therefore no <KeyDescriptor> is required in the <IDPSSODescriptor> element.

Neither is a <KeyDescriptor> required in the <SPSSODescriptor> element, but it MAY be included to provide a credential by which the IdP can choose to verify the identity in control of a response URL (by matching it to the TLS credential, for example).
OpenID does not explicitly provide URIs for identifying entities; therefore the following practice is recommended:

- An OpenID Provider is identified by the value of the openid.op_endpoint parameter in Positive Assertion messages.
- A Relying Party is identified by the value of the openid.realm parameter in Authentication Request messages.
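The following is an added example, not part of the original profile text: a small checker that applies the rules above to a SAML metadata document describing an OpenID Provider and a Relying Party. The sample metadata, its entity identifiers and endpoint URLs are constructed for illustration; only the SAML metadata namespace and the OpenID 2.0 protocol URI come from the specifications.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"      # SAML V2.0 metadata namespace
OPENID2 = "http://specs.openid.net/auth/2.0"       # protocol / Binding value required by this profile

# Constructed sample: one OP (IDPSSODescriptor) and one RP (SPSSODescriptor).
# Entity identifiers follow the recommended practice (OP endpoint URL, RP realm).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://op.example.org/openid/endpoint">
    <md:IDPSSODescriptor protocolSupportEnumeration="{OPENID2}">
      <md:SingleSignOnService Binding="{OPENID2}" Location="https://op.example.org/openid/endpoint"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://rp.example.com/">
    <md:SPSSODescriptor protocolSupportEnumeration="{OPENID2}">
      <md:AssertionConsumerService Binding="{OPENID2}" Location="https://rp.example.com/return" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def check_role(role, endpoint_tag):
    """Return the problems found in one role descriptor under the OpenID profile rules."""
    problems = []
    # protocolSupportEnumeration is a space-separated list and MUST contain the OpenID 2.0 URI.
    if OPENID2 not in role.get("protocolSupportEnumeration", "").split():
        problems.append(f"{role.tag}: protocolSupportEnumeration lacks {OPENID2}")
    # The role needs at least one endpoint of the expected kind bound to OpenID 2.0.
    endpoints = [e for e in role.findall(f"{{{MD}}}{endpoint_tag}") if e.get("Binding") == OPENID2]
    if not endpoints:
        problems.append(f"{role.tag}: no {endpoint_tag} with Binding {OPENID2}")
    # <KeyDescriptor> is optional in both roles, so its absence is deliberately not reported.
    return problems


def check_metadata(xml_text):
    """Check every OpenID role descriptor in a metadata document; an empty list means it conforms."""
    root = ET.fromstring(xml_text)
    problems = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for idp in ed.findall(f"{{{MD}}}IDPSSODescriptor"):
            problems += check_role(idp, "SingleSignOnService")
        for sp in ed.findall(f"{{{MD}}}SPSSODescriptor"):
            problems += check_role(sp, "AssertionConsumerService")
    return problems


if __name__ == "__main__":
    print(check_metadata(SAMPLE) or "metadata conforms to the OpenID profile")
```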