I was wondering if a SAML solution (Identity Provider or Service Provider) needs to support SAML metadata exchange (i.e. SAML-Metadata specification) in order to be defined as fully compliant to SAML 2.0.

Looking at the SAML conformance document, it is not quite clear whether this is a MUST, a SHOULD or a MAY as per RFC 2119.

Any idea where I should look?

tom: If you don't support metadata how will the service and identity providers recognise and interact with each other? The SAML specs are really /terrible/ when it comes to this kind of thing btw.

northox: That's precisely the problem I'm trying to solve. We have a 3rd party saying he's SAML 2.0 compliant but doesn't support metadata exchange. We basically need to do everything manually: define the assertions, manually import the certificate (and each time certs are renewed), etc. Here I'm trying to get a clear statement that their solution is not SAML 2.0 compliant, which breaks our contract.

tom: Ah. That's crazy. SAML metadata is the standard way of exchanging, er, metadata about SAML services.

1 Answer

Unfortunately, there's no such thing as "SAML 2 compliant", so it's a hard one to prove, although the conformance spec does say metadata is part of the standard.

There is the Interoperable SAML 2.0 Profile though. See it at http://saml2int.org/

It's a minimum set of profiles/bindings that I've used (as part of a significantly sized SAML service and software providing company) in the past for this purpose. It defines metadata requirements here: http://saml2int.org/profile/current#section5