What to present at SAML EntityID URL?

Charlie Smith · Jun 13, 2014 · Viewed 53.6k times

I am trying to implement an SSO that is provided by another website.

The instructions ask me to enter "issuer" info, which, it turns out, is equivalent to the EntityID URL in the EntityDescriptor.

I am assuming I need to set that URL to some URL on my server, but what I can't seem to figure out is what that URL actually does.

I assume a file needs to be placed at that URL with some information, but I cannot seem to work out what that info is.

So what info is required at the EntityID URL in order for this to work?

Answer

Anders Abel · Jun 13, 2014

The requirement is that the EntityId is a URI (not a URL; in this case the difference between URIs and URLs is important). See "8.3.6 Entity Identifier" in the SAML2 Core spec.

From the SAML 2.0 Specification:

8.3.6 Entity Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity

Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the <Issuer> element to identify the issuer of a SAML request, response, or assertion, or within the <NameID> element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges.

The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself.

The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.

It is recommended that the URI is a URL that contains the domain name of the entity.

If you are to expose metadata, the EntityId is used as a well-known URL for the metadata of the entity. It is not a requirement to provide metadata at all. If done, the metadata can be provided in any way possible, but the best practice is to publish it at the EntityId URL.
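As an added illustration of the answer above (example code, not the author's or the asker's), the following Python script shows the three things the answer describes: checking a candidate EntityID against the 8.3.6 rules and recommendation, building the minimal SP EntityDescriptor metadata you would publish at that URL, and comparing the Issuer of an incoming response against the configured entity identifier. The domain names, URLs and the sample response are constructed for the example and are not from the original page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces from the SAML 2.0 specifications.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_entity_id(entity_id: str, own_domain: str) -> list:
    """Return a list of problems with an EntityID; empty means it meets
    section 8.3.6 (a URI of at most 1024 characters) and its recommendation
    (a URL under the entity's own domain)."""
    problems = []
    if len(entity_id) > 1024:
        problems.append("longer than 1024 characters")
    if any(c.isspace() for c in entity_id):
        problems.append("contains whitespace")
    parsed = urlparse(entity_id)
    if not parsed.scheme:
        problems.append("not an absolute URI (no scheme)")
    host = parsed.hostname or ""
    under_own_domain = host == own_domain or host.endswith("." + own_domain)
    if parsed.scheme not in ("http", "https") or not under_own_domain:
        problems.append("recommended form is a URL under your own domain")
    return problems


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """Build a minimal SP EntityDescriptor. This is the document a service
    provider would publish at the EntityID URL (the best practice the answer
    describes); the entityID attribute is the "issuer" value."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAMLP_NS})
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
        "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Location": acs_url,
        "index": "0",
    })
    return ET.tostring(root, encoding="unicode")


def entity_id_from_metadata(xml_text: str) -> str:
    """Read the entityID back out of a published EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not an EntityDescriptor")
    return root.attrib["entityID"]


def issuer_matches(response_xml: str, expected_entity_id: str) -> bool:
    """The EntityID is an identifier, not an address: a receiving party
    compares the <Issuer> of a response to the configured value as an exact
    string and never fetches or normalizes it."""
    root = ET.fromstring(response_xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return issuer is not None and issuer.text == expected_entity_id


# Constructed sample: a hypothetical SP on sp.example.com and a response
# from a hypothetical IdP whose EntityID is https://idp.example.org/metadata.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_ENTITY_ID = "https://idp.example.org/metadata"
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    f'ID="_constructed-id" Version="2.0">'
    f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
    f"</samlp:Response>"
)

if __name__ == "__main__":
    print("problems:", check_entity_id(SP_ENTITY_ID, "example.com"))
    metadata = build_sp_metadata(SP_ENTITY_ID, SP_ACS_URL)
    print(metadata)
    print("entityID in metadata:", entity_id_from_metadata(metadata))
    print("issuer ok:", issuer_matches(SAMPLE_RESPONSE, IDP_ENTITY_ID))
    print("issuer with trailing slash ok:",
          issuer_matches(SAMPLE_RESPONSE, IDP_ENTITY_ID + "/"))
```

The trailing-slash case in the usage is the practical consequence of the answer's URI-versus-URL point: two strings that would fetch the same page are still two different entity identifiers, so the value you configure at the other party must match what you put in the entityID attribute character for character.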