SAML Requirements for Identity Providers
The Identity Provider (IdP) you specify for Security Assertion Markup Languag (SAML) single sign-on authentication must:
- Support SAML 2.0 or higher
- Provide a URL for the Service Provider (SP) to programmatically retrieve and refresh the IdP metadata XML
- Handle encrypted NameId in requests sent by the SP
- Sign and encrypt assertions
- Support RSA SHA-256. For more information, see RFC 4051.
- Support the use of the same SP certificate to sign messages and data from the SP to IdP, and to encrypt data from the IdP to SP
- Require the SP metadata to be signed, and must validate the signature
- Sign messages, even if the content, such as an assertion, is signed
- Encrypt the NameId in requests, even if the requests are sent over a secure channel (HTTPS)
- Automatically retrieve and refresh SP metadata from a published URL, and honor the validityPeriod and cacheDuration values
- Get a new X.509 certificate from the SP metadata to support SP certificate rollover
- Support inclusion of groups the authenticated user belongs to through an AttributeStatement. In the Firebox configuration, the default for the attribute name is MemberOf.
- Support the HTTP-Redirect binding for Single Logout Service. If the IdP only supports HTTP-Post binding, this feature must not be enabled when the Access Portal is added to the IdP. Okta is an example of an IdP that only supports HTTP-Post binding.