OpenIDMetadataProfile

SAML Metadata Profile (Draft Proposal)

  • An OpenID 2.0-compliant role descriptor's protocolSupportEnumeration MUST include the value
    http://specs.openid.net/auth/2.0
  • An OpenID Provider MUST include a <IDPSSODescriptor> element and a <SingleSignOnService> element with a Binding value of http://specs.openid.net/auth/2.0.
  • An OpenID Relying Party MUST include a <SPSSODescriptor> element and an <AssertionConsumerService> element with a Binding value of http://specs.openid.net/auth/2.0.

OpenID 2.0 does not authenticate the OP to the RP with a long-term key: positive assertions are verified with a shared HMAC secret established through an association (or by direct verification with the OP), so there is no signing key to advertise and no <KeyDescriptor> is required in the <IDPSSODescriptor> element.

Nor is a <KeyDescriptor> required in the <SPSSODescriptor> element, but one MAY be included to supply a credential with which the IdP can choose to verify that the party in control of a response (return_to) URL is the Relying Party described by the metadata (for example, by matching the credential against the TLS server certificate presented at that URL).

Entity Naming

OpenID does not explicitly provide URIs for identifying entities, so the following practice is recommended:

  • The entityID for an OpenID Provider SHOULD be the OpenID endpoint URL. This is the value passed as the openid.op_endpoint parameter in Positive Assertion messages.
  • The entityID for an OpenID Relying Party SHOULD be the realm URL. This is the value passed as the openid.realm parameter in Authentication Request messages.
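As an added example (not part of this draft profile or of any OpenID or Shibboleth implementation), the following Python builds metadata for an OpenID Provider and a Relying Party following the role and entity-naming rules in both sections above, and checks a metadata document against them. The hostnames are made up. The realm-matching helper goes beyond the profile text: it implements the return_to/realm matching rules of OpenID 2.0 section 9.2 so the check can confirm that an RP's entityID (its realm) actually covers its AssertionConsumerService locations.

```python
"""Added example; not part of the draft profile or of any OpenID/Shibboleth
implementation. Hostnames below are made up."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
OPENID2 = "http://specs.openid.net/auth/2.0"   # protocol and binding URI from the profile
NS = {"md": MD_NS}
ET.register_namespace("md", MD_NS)


def _md(tag):
    return "{%s}%s" % (MD_NS, tag)


def op_metadata(op_endpoint):
    """OP: entityID is the OP endpoint URL (openid.op_endpoint); the role is an
    IDPSSODescriptor with a SingleSignOnService using the OpenID 2.0 binding."""
    ed = ET.Element(_md("EntityDescriptor"), entityID=op_endpoint)
    idp = ET.SubElement(ed, _md("IDPSSODescriptor"),
                        protocolSupportEnumeration=OPENID2)
    ET.SubElement(idp, _md("SingleSignOnService"),
                  Binding=OPENID2, Location=op_endpoint)
    return ET.tostring(ed, encoding="unicode")


def rp_metadata(realm, return_to):
    """RP: entityID is the realm (openid.realm); the role is an SPSSODescriptor
    with an AssertionConsumerService at the return_to URL."""
    ed = ET.Element(_md("EntityDescriptor"), entityID=realm)
    sp = ET.SubElement(ed, _md("SPSSODescriptor"),
                       protocolSupportEnumeration=OPENID2)
    # 'index' is mandatory on AssertionConsumerService in the SAML metadata schema
    ET.SubElement(sp, _md("AssertionConsumerService"),
                  Binding=OPENID2, Location=return_to, index="0")
    return ET.tostring(ed, encoding="unicode")


def url_matches_realm(url, realm):
    """return_to/realm matching as in OpenID 2.0 section 9.2 (not stated in the
    profile above): same scheme and port, URL path equal to or below the realm
    path, host equal to the realm host or covered by a leading '*.' wildcard.
    A realm carrying a fragment is invalid."""
    u, r = urlsplit(url), urlsplit(realm)
    if r.fragment or not u.hostname or not r.hostname:
        return False
    if u.scheme != r.scheme or u.port != r.port:
        return False
    rpath = r.path.rstrip("/")
    if not (u.path == rpath or u.path.startswith(rpath + "/")):
        return False
    if r.hostname.startswith("*."):
        suffix = r.hostname[2:]
        return u.hostname == suffix or u.hostname.endswith("." + suffix)
    return u.hostname == r.hostname


ROLES = (  # (role element, its OpenID endpoint element, kind)
    ("IDPSSODescriptor", "SingleSignOnService", "OP"),
    ("SPSSODescriptor", "AssertionConsumerService", "RP"),
)


def check_metadata(xml_text):
    """Check one EntityDescriptor against the profile. Returns a list of
    findings prefixed MUST (violation) or SHOULD (naming recommendation);
    an empty list means it conforms. Metadata fetched from a remote party is
    untrusted input; parse it with defusedxml rather than plain ElementTree."""
    ed = ET.fromstring(xml_text)
    if ed.tag != _md("EntityDescriptor"):
        return ["MUST: document root is not md:EntityDescriptor"]
    findings = []
    entity_id = ed.get("entityID", "")
    seen_role = False
    for role_tag, ep_tag, kind in ROLES:
        role = ed.find("md:" + role_tag, NS)
        if role is None:
            continue
        seen_role = True
        # protocolSupportEnumeration is a whitespace-separated list of URIs
        if OPENID2 not in role.get("protocolSupportEnumeration", "").split():
            findings.append("MUST: %s protocolSupportEnumeration lacks %s" % (role_tag, OPENID2))
        locations = [e.get("Location", "") for e in role.findall("md:" + ep_tag, NS)
                     if e.get("Binding") == OPENID2]
        if not locations:
            findings.append("MUST: %s has no %s with Binding %s" % (role_tag, ep_tag, OPENID2))
        elif kind == "OP" and entity_id not in locations:
            findings.append("SHOULD: OP entityID is not its OpenID endpoint URL")
        elif kind == "RP" and not all(url_matches_realm(loc, entity_id) for loc in locations):
            findings.append("SHOULD: RP entityID (realm) does not cover every return_to URL")
    if not seen_role:
        findings.append("MUST: neither IDPSSODescriptor nor SPSSODescriptor present")
    return findings


if __name__ == "__main__":
    print(op_metadata("https://op.example.org/openid"))
    bad_rp = rp_metadata("https://rp.example.net/", "https://other.example.com/return")
    print(check_metadata(bad_rp))
```

The checker treats the three MUST rules as violations and the two entityID rules as SHOULD findings, mirroring the profile's own keywords; an OP whose entityID is not the Location of its OpenID SingleSignOnService, or an RP whose realm does not match its return_to location, is reported but not rejected.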