I am trying to implement an SSO that is provided by another website.
The instructions ask me to enter "issuer" info, which, it turns out, is equivalent to the EntityID URL in the EntityDescriptor.
I am assuming I need to set that URL to some URL on my server, but what I can't seem to figure out is what that URL actually does.
I assume a file needs to be placed at that URL with some information, but I cannot seem to work out what that info is.
So what info is required at the EntityID URL in order for this to work?
The requirement is that the EntityId is a URI (not URL; in this case the difference between URIs and URLs is important). See "8.3.6 Entity Identifier" in the SAML2 Core spec.
From the SAML 2.0 Specification:
8.3.6 Entity Identifier
URI: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile). Such an identifier can be used in the element to identify the issuer of a SAML request, response, or assertion, or within the element to make assertions about system entities that can issue SAML requests, responses, and assertions. It can also be used in other elements and attributes whose purpose is to identify a system entity in various protocol exchanges.
The syntax of such an identifier is a URI of not more than 1024 characters in length. It is RECOMMENDED that a system entity use a URL containing its own domain name to identify itself.
The NameQualifier, SPNameQualifier, and SPProvidedID attributes MUST be omitted.
It is recommended that the URI is a URL that contains the domain name of the entity.
If you are to expose metadata, the EntityId is used as a well-known URL for the metadata of the entity. It is not a requirement to provide metadata at all. If done, the metadata can be provided in any way possible, but the best practice is to publish it at the EntityId URL.
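As an added illustration of the answer above (example code, not from the question, the answer, or any SAML library), the following checks a constructed SP EntityDescriptor against the 8.3.6 rules (a URI of at most 1024 characters, own domain only recommended) and confirms that the `<Issuer>` sent in an AuthnRequest is that same entityID string; `sp.example.com` and all XML below are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample SP metadata (not a real deployment). The entityID is a
# URI; whether anything is served at it is optional, as the answer says.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.com/saml/metadata">
  <SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <AssertionConsumerService index="0" Location="https://sp.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""
# Constructed AuthnRequest; its <Issuer> must carry the SP's entityID.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

def check_entity_id(entity_id, own_domain=None):
    """Return problems with an entityID per SAML Core 8.3.6 (empty = OK).
    Hard rules: a URI of at most 1024 characters. Using a URL under the
    entity's own domain is only RECOMMENDED, so that is reported as a hint."""
    problems = []
    if len(entity_id) > 1024:
        problems.append("longer than 1024 characters")
    parsed = urlparse(entity_id)
    if not parsed.scheme:  # an absolute URI (https:, urn:, ...) has a scheme
        problems.append("not an absolute URI (no scheme)")
    if any(ch.isspace() for ch in entity_id):
        problems.append("contains whitespace")
    if own_domain and parsed.hostname != own_domain:
        problems.append(f"hint: recommended to use a URL under {own_domain}")
    return problems

def entity_id_from_metadata(xml_text):
    """Read the entityID attribute from an EntityDescriptor document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    return root.attrib["entityID"]

def issuer_matches(authn_request_xml, entity_id):
    """True if the request's <saml:Issuer> text equals the given entityID."""
    root = ET.fromstring(authn_request_xml)
    issuer = root.find(f"{{{SAML}}}Issuer")
    return issuer is not None and issuer.text == entity_id
```

A `urn:` style identifier such as `urn:example:sp` passes the hard rules too, which is the point of the answer: the value is an identifier, and serving metadata at it is a convention rather than a requirement.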