SAML Requirements for Identity Providers

The Identity Provider (IdP) you specify for Security Assertion Markup Language (SAML) single sign-on authentication must:

  • Support SAML 2.0 or higher
  • Provide a URL from which the Service Provider (SP) can programmatically retrieve and refresh the IdP metadata XML
  • Accept and decrypt an encrypted NameID in requests sent by the SP
  • Sign and encrypt assertions
  • Support RSA with SHA-256 (the rsa-sha256 signature algorithm URI). For more information, go to RFC 4051 (now obsoleted by RFC 6931, which keeps the same identifier).
  • Support the use of the same SP certificate both to sign messages and data sent from the SP to the IdP, and to encrypt data sent from the IdP to the SP
  • Require the SP metadata to be signed, and validate that signature
  • Sign messages, even when the content they carry, such as an assertion, is already signed
  • Encrypt the NameID in requests even when the requests travel over a secure channel (HTTPS); transport encryption does not replace message-level encryption
  • Automatically retrieve and refresh the SP metadata from a published URL, and honor the validUntil (validity period) and cacheDuration values in that metadata
  • Pick up a new X.509 certificate from the SP metadata so that SP certificate rollover works without manual reconfiguration
  • Include the groups the authenticated user belongs to in an AttributeStatement. In the Firebox configuration, the default attribute name is MemberOf.
  • Support the HTTP-Redirect binding for the Single Logout Service. If the IdP supports only the HTTP-POST binding for Single Logout, do not enable Single Logout when you add the Access Portal to the IdP. Okta is an example of an IdP that supports only the HTTP-POST binding for Single Logout.
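Several of the requirements above can be checked from the IdP metadata document before the integration is enabled. The script below is an added example for this page, not WatchGuard or Firebox code: it parses a metadata document with the Python standard library and reports whether the IdP advertises SAML 2.0 support, a usable validUntil/cacheDuration refresh window, signing and encryption keys, the rsa-sha256 algorithm, and an HTTP-Redirect Single Logout endpoint. The entity ID, URLs and certificate placeholder in the sample metadata are constructed for the example; the algsupport SigningMethod extension is optional in SAML metadata, so its absence is reported as "verify manually" rather than as a failure.

```python
"""Offline check of an IdP metadata document against the SAML requirements
listed above.  Added example for this page (not WatchGuard code).  The
sample metadata at the bottom is constructed; feed a real document, e.g.
urllib.request.urlopen(url).read(), to check_idp_metadata() instead."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ALG = "urn:oasis:names:tc:SAML:metadata:algsupport"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # RFC 4051 / RFC 6931

# xs:duration subset that metadata cacheDuration values use in practice (PnDTnHnMnS)
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Return a timedelta for a cacheDuration value, or None if unparseable."""
    m = _DUR.match(text or "")
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=mins, seconds=secs)


def check_idp_metadata(xml_text, now=None):
    """Return {check: (ok, detail)}.  ok is True/False, or None when the
    metadata does not say either way and the point must be verified by hand."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return {"idp_descriptor": (False, "no IDPSSODescriptor in metadata")}
    r = {}
    # SAML 2.0 or higher: the role descriptor must list the SAML 2.0 protocol.
    protos = idp.get("protocolSupportEnumeration", "").split()
    r["saml2"] = (SAML2P in protos, protos)
    # Refresh window: an SP must honour BOTH validUntil and cacheDuration,
    # refreshing at whichever comes first.  Attributes may sit on either element.
    candidates = []
    valid_until = root.get("validUntil") or idp.get("validUntil")
    if valid_until:
        candidates.append(datetime.fromisoformat(valid_until.replace("Z", "+00:00")))
    cache = parse_duration(root.get("cacheDuration") or idp.get("cacheDuration"))
    if cache:
        candidates.append(now + cache)
    refresh_by = min(candidates) if candidates else None
    r["refresh_window"] = (refresh_by is not None and refresh_by > now, refresh_by)
    # Keys: a KeyDescriptor without a 'use' attribute serves both purposes.
    # The IdP needs a signing key (signed messages/assertions) and an
    # encryption key (the SP encrypts the NameID it sends to the IdP).
    uses = {kd.get("use") or "both"
            for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
            if kd.find(f".//{{{DS}}}X509Certificate") is not None}
    r["signing_key"] = (bool(uses & {"signing", "both"}), sorted(uses))
    r["encryption_key"] = (bool(uses & {"encryption", "both"}), sorted(uses))
    # rsa-sha256: only advertised if the IdP uses the optional algsupport extension.
    algs = {e.get("Algorithm") for e in root.iter(f"{{{ALG}}}SigningMethod")}
    r["rsa_sha256"] = (RSA_SHA256 in algs if algs else None,
                       sorted(algs) or "not advertised; verify manually")
    # Single Logout must be reachable over HTTP-Redirect; POST-only means
    # leave Single Logout disabled when adding the Access Portal to the IdP.
    slo = {s.get("Binding") for s in idp.findall(f"{{{MD}}}SingleLogoutService")}
    r["slo_redirect"] = (REDIRECT in slo,
                         sorted(slo) if slo else "no SingleLogoutService")
    return r


def unmet(results):
    """Names of checks that definitely failed (None = undetermined is excluded)."""
    return sorted(k for k, (ok, _) in results.items() if ok is False)


# Constructed sample: everything is present except that SLO is offered only
# over HTTP-POST, the situation the Okta caveat above describes.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://idp.example.test/saml"
    validUntil="2099-01-01T00:00:00Z" cacheDuration="PT6H">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    results = check_idp_metadata(SAMPLE_IDP_METADATA)
    for name, (ok, detail) in results.items():
        print(f"{name:16} {'OK' if ok else 'VERIFY' if ok is None else 'FAIL':7} {detail}")
    print("unmet:", unmet(results))
```

The check reads what the IdP advertises; it does not verify the XML signature on the metadata itself or prove that the IdP really signs and encrypts assertions, which needs a signed test login (and an XML Signature library such as xmlsec) rather than a metadata parse. For the constructed sample the only failure is slo_redirect, which is the case where Single Logout must stay disabled for the Access Portal.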

Related Topics

About SAML Single Sign-On

Configure SAML Single Sign-On

About the Access Portal