Reputation: 13
I am going to implement the ServiceProvider part using the SAML 2.0 WebSSO profile. According to the SAML specification, the two supported flows are SP initiated and IDP initiated. I want to implement only the IDP initiated flow because of time constraints. Will it work, or is it required to implement both flows? I don't want to generate any metadata for my SP. Can I still register my SP at the IDP without providing any metadata, by giving only the default Assertion Consumer Service URL?
Upvotes: 1
Views: 638
Reputation: 5595
Short answer: yes, it will work, but... and yes, if it is supported.
About implementing IDP init SSO: it will work with only IDP init SSO if the IDP supports it. But your implementation will not be conformant with the SAML standard.
SAML does not require one to use metadata; this is just a good way to transport configuration data. Whether this will work depends on whether your IDP can be configured without using metadata. I have seen many that can do this.
Upvotes: 1
Reputation: 46828
Agree with @Stefan - no, you don't have to implement both flows.
SAML has many options - generally there is not enough information in the Assertion Consumer Service to fully configure e.g. certificates, public keys, supported endpoints etc.
But if the IDP allows this, you can do it manually - you just have to provide all the bits and pieces. And you'll have to do this again when the certificate expires etc. Metadata makes this all easier.
Java or .NET? If .NET, there are classes available to generate the metadata. Not sure for Java but would be surprised if there aren't.
Upvotes: 1