
2.2.2 SAML

Given the already broad adoption of SAML 2.0 by the eGovernment and academic communities across the world (e.g. DK, NZ, FI, etc.), this choice is effectively already made for us. By choosing SAML 2.0 we enable many existing eGovernment and academic projects to easily become TAS3 compliant in future.
  1. TAS3 adopts SAML 2.0 Assertions, see [SAML2core], as the primary and recommended token format. Alternatives such as SAML 1.1 or Simple Web Token (SWT) [Hardt09] were considered either obsolete or not yet mature. In future we may consider supporting SWT and X509 attribute certificates as token formats. This will become especially relevant when the architecture is extended to support RESTful services approaches.

  2. TAS3 adopts SAML 2.0 as the primary and RECOMMENDED SSO system, see [SAML2core]. (Req. D1.2-3.10-JITPerm)

  3. TAS3 RECOMMENDS that SAML 2.0 implementations are Liberty Alliance Certified.

  4. SAML 1.0, 1.1 [SAML11core], 1.2, as well as Liberty ID-FF 1.2 [IDFF12], MAY be supported.

  5. Redirect - POST SSO profile MUST be supported by all front channel participants, see [SAML2prof] and [SAML2bind].

  6. Redirect - Artifact - SOAP SSO profile MUST be supported in the IdP and SHOULD be supported in the Front End (SP), see [SAML2prof] and [SAML2bind].

  7. Redirect Single Logout Profile MUST be supported, see [SAML2prof] and [SAML2bind].

  8. The IdP Extended profile, namely IdP Proxying, MUST be supported, see [SAML2conf].

  9. Other SAML profiles MAY be supported.

  10. SAML metadata MUST be supported, see [SAML2meta].

  11. Well Known Location (WKL) method of metadata publishing MUST be supported, see [SAML2meta] section 4.1 "Publication and Resolution via Well-Known Location", p.29, for the normative description of this method. Support for the WKL method of metadata acquisition is RECOMMENDED.

    N.B. Publishing metadata using WKL in its most basic form is as simple as placing a (hand edited) metadata file in the web root at the location referenced by the EntityID of the site. Many software packages handle this automatically and may even generate the metadata dynamically, on the fly.
  12. In the redirect binding, [RFC1951] DEFLATE compression MUST be used; the [RFC1952] format MUST NOT be used.
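As an added illustration of item 12 (example code, not part of the TAS3 specification or any TAS3 implementation), the following Python encodes a SAML message for the HTTP-Redirect binding with raw RFC 1951 DEFLATE and, on the receiving side, refuses parameters that carry a gzip (RFC 1952) or zlib wrapper instead; the AuthnRequest, function names and the `noncompliant_param` helper are constructed for the example.

```python
import base64
import gzip
import urllib.parse
import zlib

# Constructed sample AuthnRequest for this example (not from the TAS3 document).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2010-01-01T00:00:00Z" '
    'Destination="https://idp.example.org/sso/redirect"/>'
)

def encode_redirect_param(xml: str) -> str:
    """Sender: raw DEFLATE (RFC 1951; wbits=-15 means no zlib/gzip wrapper),
    then base64, then URL-encode, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")

def classify_redirect_param(param: str) -> str:
    """Receiver check: 'raw-deflate', 'gzip', 'zlib' or 'invalid'."""
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    # gzip magic 1f 8b: a raw DEFLATE stream can never start with 0x1f
    # (that byte would encode the reserved block type 11), so no false hits.
    if raw[:2] == b"\x1f\x8b":
        return "gzip"
    try:
        zlib.decompress(raw, -15)  # negative wbits: raw inflate only
        return "raw-deflate"
    except zlib.error:
        pass
    # RFC 1950 header: CM == 8 and the 16-bit CMF/FLG value divisible by 31.
    if len(raw) >= 2 and raw[0] & 0x0F == 8 and ((raw[0] << 8) | raw[1]) % 31 == 0:
        return "zlib"
    return "invalid"

def decode_redirect_param(param: str) -> str:
    """Decode only binding-conformant input; refuse everything else."""
    kind = classify_redirect_param(param)
    if kind != "raw-deflate":
        raise ValueError(f"redirect binding requires RFC 1951 raw DEFLATE, got {kind}")
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")

def noncompliant_param(xml: str, wrapper: str) -> str:
    """What a non-conformant sender emits (gzip RFC 1952 or zlib RFC 1950
    wrapped); used here only to show that the receiver check rejects it."""
    data = xml.encode("utf-8")
    body = gzip.compress(data) if wrapper == "gzip" else zlib.compress(data)
    return urllib.parse.quote(base64.b64encode(body).decode("ascii"), safe="")
```

A receiver that silently accepts wrapped streams interoperates with broken senders but also hides the non-conformance; classifying the input lets you log it rather than guess.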

