SAML Metadata Profile (Draft Proposal)

• An OpenID 2.0-compliant role descriptor's protocolSupportEnumeration MUST include the value
  http://specs.openid.net/auth/2.0

• An OpenID Provider MUST include a <IDPSSODescriptor> element and a <SingleSignOnService> element with a Binding value of http://specs.openid.net/auth/2.0

• An OpenID Relying Party MUST include a <SPSSODescriptor> element and an <AssertionConsumerService> element with a Binding value of http://specs.openid.net/auth/2.0.

The OpenID protocol does not support authentication of the IdP to the SP, and therefore no <KeyDescriptor> is required in the <IDPSSODescriptor> element.

Neither is a <KeyDescriptor> required in the <SPSSODescriptor> element, but it MAY be included to provide a credential by which the IdP can choose to verify the identity in control of a response URL (by matching it to the TLS credential, for example).

Entity Naming

OpenID does not explicitly provide URIs for identifying entities, therefore the following practice is recommended

• The entityID for an OpenID Provider SHOULD be the OpenID endpoint URL. This is the value passed as the openid.op_endpoint parameter in Positive Assertion messages.

• The entityID for an OpenID Relying Party SHOULD be the realm URL. This is the value passed as the openid.realm parameter in Authentication Request messages.