I am trying to implement an SSO that is provided by another website.
The instructions ask me to enter "issuer" info, which turns out to be equivalent to the EntityID URL in the EntityDescriptor.
I am assuming I need to set that URL to some URL on my server, but what I can't seem to figure out is what that URL actually does.
I assume a file needs to be placed at that URL with some information, but I cannot seem to work out what that info is.
So what info is required at the EntityID URL in order for this to work?
An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity.
The "audience" will be the service provider and is typically a URL but can technically be formatted as any string of data. If this value is not provided by the SP, try using the ACS. Default Relay State: the URL that users will be directed to after a successful authentication through SAML.
The entity ID must be a URI, but an absolute URL is recommended. If the entity ID is a URL: The host part of the URL must be a name rooted in the organization's primary DNS domain. The URL must not contain a port number, a query string, or a fragment identifier.
SAML metadata is an XML document which contains information necessary for interaction with SAML-enabled identity or service providers. The document contains e.g. URLs of endpoints, information about supported bindings, identifiers and public keys.
The requirement is that the EntityId is a URI (not URL; in this case the difference between URIs and URLs is important). See "8.3.6 Entity Identifier" in the SAML2 Core spec.
From the SAML 2.0 Core specification:

8.3.6 Entity Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity

Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the <Issuer> element to identify the issuer of a SAML request, response, or assertion, or within the <NameID> element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges.

The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself.

The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.
It is recommended that the URI is a URL that contains the domain name of the entity.
If you are to expose metadata, the EntityId is used as a well-known URL for the metadata of the entity. It is not a requirement to provide metadata at all. If done, the metadata can be provided in any way possible, but the best practice is to publish it at the EntityId URL.
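To make the two points above concrete (the entityID is just a URI that must follow the rules quoted earlier, and the thing you would serve at that URL is the EntityDescriptor metadata), here is an added example in Python; it is not code from any of the answers or from a SAML library. It checks a candidate entityID against the rules stated on this page (absolute URI, at most 1024 characters, and if it is a URL: host rooted in your domain, no port, query or fragment) and then builds a minimal SP EntityDescriptor with only the standard library. The hostnames, the ACS path, the signing flags and the certificate string are all constructed placeholders; a real deployment would embed your actual signing certificate and would normally sign the metadata document itself.

```python
"""Added example: validate a SAML entityID and build minimal SP metadata."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def check_entity_id(entity_id: str, org_domain: str) -> list:
    """Return the rules the entityID breaks (empty list means it passes).

    Rules are those quoted on this page: a URI of at most 1024 characters;
    if it is an http(s) URL, its host must be rooted in org_domain and it
    must carry no port, query string or fragment. A URN passes as long as
    it has a scheme; a URL is merely recommended, not required.
    """
    problems = []
    if len(entity_id) > 1024:
        problems.append("longer than 1024 characters")
    parsed = urlparse(entity_id)
    if not parsed.scheme:
        problems.append("not an absolute URI (no scheme)")
        return problems
    if parsed.scheme not in ("http", "https"):
        return problems          # e.g. urn:example:sp is a valid (if not recommended) entityID
    host = parsed.hostname or ""
    if not (host == org_domain or host.endswith("." + org_domain)):
        problems.append(f"host {host!r} is not rooted in {org_domain!r}")
    if parsed.port is not None:
        problems.append("contains a port number")
    if parsed.query:
        problems.append("contains a query string")
    if parsed.fragment:
        problems.append("contains a fragment identifier")
    return problems


def build_sp_metadata(entity_id: str, acs_url: str, signing_cert_b64: str) -> str:
    """Build a minimal SP EntityDescriptor: entityID, signing cert, ACS endpoint.

    This is the document you would publish at the entityID URL. The attribute
    choices (signed requests, signed assertions, HTTP-POST ACS, persistent
    NameID) are assumptions for the example, not requirements of the spec.
    """
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true",
        "WantAssertionsSigned": "true",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    # Public key the IdP uses to verify our signed AuthnRequests.
    key_desc = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    key_info = ET.SubElement(key_desc, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD_NS}}}NameIDFormat").text = (
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    )
    # Where the IdP posts the SAML Response after authentication.
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url,
        "index": "0",
        "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


def entity_id_from_metadata(xml_text: str) -> str:
    """Read the entityID back out of an EntityDescriptor (what an IdP does on import)."""
    return ET.fromstring(xml_text).get("entityID")


if __name__ == "__main__":
    # Constructed sample values, not real hosts or certificates.
    entity_id = "https://sp.example.com/saml/metadata"
    for candidate in (entity_id,
                      "https://sp.example.com:8443/saml/metadata",
                      "https://sp.other.org/saml/metadata?v=1",
                      "urn:example:sp"):
        print(candidate, "->", check_entity_id(candidate, "example.com") or "ok")
    xml = build_sp_metadata(entity_id, "https://sp.example.com/saml/acs", "MIIC...placeholder...")
    print(xml)
    print("entityID in metadata:", entity_id_from_metadata(xml))
```

The entityID is only an identifier; the IdP compares the Issuer in your AuthnRequest against it string-for-string, so publishing the metadata at that URL is a convenience for the IdP operator, not something the protocol fetches at login time.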