OpenIDMetadataProfile
SAML Metadata Profile (Draft Proposal)
- An OpenID 2.0-compliant role descriptor's protocolSupportEnumeration MUST include the value http://specs.openid.net/auth/2.0.
- An OpenID Provider MUST include a <IDPSSODescriptor> element and a <SingleSignOnService> element with a Binding value of http://specs.openid.net/auth/2.0.
- An OpenID Relying Party MUST include a <SPSSODescriptor> element and an <AssertionConsumerService> element with a Binding value of http://specs.openid.net/auth/2.0.
The OpenID protocol does not support authentication of the IdP to the SP, and therefore no <KeyDescriptor> is required in the <IDPSSODescriptor> element.
Neither is a <KeyDescriptor> required in the <SPSSODescriptor> element, but it MAY be included to provide a credential by which the IdP can choose to verify the identity in control of a response URL (by matching it to the TLS credential, for example).
Entity Naming
OpenID does not explicitly provide URIs for identifying entities; the following practice is therefore recommended:
- The entityID for an OpenID Provider SHOULD be the OpenID endpoint URL. This is the value passed as the openid.op_endpoint parameter in Positive Assertion messages.
- The entityID for an OpenID Relying Party SHOULD be the realm URL. This is the value passed as the openid.realm parameter in Authentication Request messages.
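The following checker applies the profile rules above (the MUST rules for the role descriptors and the entityID naming recommendation) to SAML metadata. It is an added example, not code from the page or from any SAML implementation; the three metadata documents inside it are constructed samples, and every URL in them (op.example.org, rp.example.org, idp.example.org) is a placeholder.

```python
"""Checker for the draft OpenID 2.0 SAML metadata profile.

Added example (not part of the original page). The metadata documents below
are constructed samples with placeholder example.org URLs.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
OPENID_URI = "http://specs.openid.net/auth/2.0"


def _q(local):
    """Qualify a local name with the SAML metadata namespace."""
    return "{%s}%s" % (MD_NS, local)


# Constructed sample: an OpenID Provider whose entityID is its OP endpoint URL.
OP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://op.example.org/openid">
  <IDPSSODescriptor protocolSupportEnumeration="http://specs.openid.net/auth/2.0">
    <SingleSignOnService Binding="http://specs.openid.net/auth/2.0"
        Location="https://op.example.org/openid"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample: a Relying Party whose entityID is its realm URL.
RP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://rp.example.org/">
  <SPSSODescriptor protocolSupportEnumeration="http://specs.openid.net/auth/2.0">
    <AssertionConsumerService Binding="http://specs.openid.net/auth/2.0"
        Location="https://rp.example.org/openid/return" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed negative sample: a SAML-only IdP that advertises no OpenID support.
BAD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def check_role(role, endpoint_local, entity_id, endpoint_is_entity_id):
    """Apply the profile's rules to one role descriptor.

    Returns a list of problem strings; an empty list means the role conforms.
    No <KeyDescriptor> check is made, because the profile requires none.
    """
    problems = []
    supported = role.get("protocolSupportEnumeration", "").split()
    if OPENID_URI not in supported:
        problems.append("protocolSupportEnumeration lacks " + OPENID_URI)
    endpoints = [e for e in role.findall(_q(endpoint_local))
                 if e.get("Binding") == OPENID_URI]
    if not endpoints:
        problems.append("no <%s> with Binding %s" % (endpoint_local, OPENID_URI))
    elif endpoint_is_entity_id and not any(
            e.get("Location") == entity_id for e in endpoints):
        # Entity Naming: an OP's entityID SHOULD be its OpenID endpoint URL,
        # i.e. the openid.op_endpoint value, which is the SSO Location here.
        problems.append("entityID does not match the OpenID endpoint Location")
    return problems


def validate(metadata_xml):
    """Validate one <EntityDescriptor>; returns (roles_found, problems)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != _q("EntityDescriptor"):
        return ([], ["root element is not md:EntityDescriptor"])
    entity_id = root.get("entityID", "")
    roles, problems = [], []
    idp = root.find(_q("IDPSSODescriptor"))
    if idp is not None:
        roles.append("OP")
        problems += check_role(idp, "SingleSignOnService", entity_id, True)
    sp = root.find(_q("SPSSODescriptor"))
    if sp is not None:
        roles.append("RP")
        # An RP's entityID SHOULD be its realm, which need not equal any endpoint.
        problems += check_role(sp, "AssertionConsumerService", entity_id, False)
    if not roles:
        problems.append("no IDPSSODescriptor or SPSSODescriptor present")
    if not entity_id.startswith(("http://", "https://")):
        # Both naming rules make the entityID an http(s) URL.
        problems.append("entityID is not an http(s) URL")
    return (roles, problems)


if __name__ == "__main__":
    for name, doc in (("OP", OP_METADATA), ("RP", RP_METADATA), ("BAD", BAD_METADATA)):
        print(name, validate(doc))
```

The RP check deliberately stops at requiring an http(s) entityID rather than comparing it to the <AssertionConsumerService> Location, because an OpenID realm may carry a leading "*." wildcard and does not have to equal the return URL; the OP check is stricter because the page ties the OP entityID to the exact openid.op_endpoint value.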