ptkvsk

Reputation: 2222

SAML metadata negotiation process

I'm a Service Provider (SP) who wants to support multiple Identity Providers (IdP) via Web SSO profile.

I'm struggling to understand how I should negotiate SAML features (e.g. signing/not signing AuthnRequests) with Identity Provider admins.

Here's my current understanding:

  1. I create a single sp-metadata.xml which I expose to all IdPs who want to integrate with me.
  2. To integrate with me, IdP admins upload their idp-metadata.xml via my web interface. I validate it against my sp-metadata.xml. If their metadata features don't match with my metadata features, I show them a detailed error on upload so they can change their setup.

Questions:

  1. Is this a valid and common approach?
  2. How do I write SP metadata to support all or most IdPs out-of-the-box? For example, should I put "AuthnRequestsSigned = false" or "AuthnRequestsSigned = true"? It seems that Web SSO Profile does not give strict guidance on this.

Upvotes: 0

Views: 231

Answers (1)

Bernhard Thalmayr

Reputation: 2744

About 2: You cannot really validate the IdP metadata against your SP metadata. Most IdPs do not tell whether they accept a digitally signed SAML AuthnRequest. They also typically do not tell which signature algorithms or key sizes they support.

Some IdP implementations do not even create schema-compliant SAML metadata files.

If you care about security, then you should digitally sign the SAML AuthnRequest, and ask the IdP to ignore the signature in case your SP sends it.

Also note that there has been an update to the spec for some time now ... see the new processing rules.

Alternative: During upload ask (checkbox/radio button) if they can handle a digitally signed SAML AuthnRequest and which signature algorithm has to be used.

E.g. Microsoft ADFS and Azure AD bail out with a non-descriptive SAML error response if they cannot handle the SAML AuthnRequest.

Upvotes: 1
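The upload-time check from the question, restricted to what IdP metadata can actually state, as an added example that is not part of the question or the answer. It parses an IdP metadata document, reports the hard errors an SP can detect (no signing certificate, no usable SSO binding, malformed XML), reads the optional `WantAuthnRequestsSigned` attribute and any `alg:SigningMethod` elements from the metadata algorithm-support profile, and turns everything the metadata is silent about into the questions for the IdP admin that the answer suggests asking at upload time. It also emits SP metadata that commits to `AuthnRequestsSigned="true"`. The sample metadata, entity IDs, URLs, certificate value and function names are constructed for this example.

```python
# Added example, not code from the question, the answer or any SAML library.
import xml.etree.ElementTree as ET  # for untrusted uploads, parse with defusedxml instead

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",  # metadata algorithm-support profile
}
MD, DS = "{%s}" % NS["md"], "{%s}" % NS["ds"]
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BOOL = {"true": True, "1": True, "false": False, "0": False}

# Constructed sample IdP metadata: entity ID, URLs and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://idp.example.test/saml">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </md:Extensions>
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same IdP, but silent about signed AuthnRequests and algorithms (the common case).
SILENT_IDP_METADATA = SAMPLE_IDP_METADATA.replace(' WantAuthnRequestsSigned="true"', "").replace(
    '<alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>', "")


def inspect_idp_metadata(xml_text):
    """Report what uploaded IdP metadata states, hard errors, and what only the admin can answer."""
    problems, questions = [], []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"problems": ["metadata is not well-formed XML: %s" % exc], "questions": questions}
    idp = root.find("md:IDPSSODescriptor", NS) if root.tag == MD + "EntityDescriptor" else None
    if idp is None:
        return {"problems": ["no md:EntityDescriptor/md:IDPSSODescriptor found"], "questions": questions}

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            certs += [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS)]
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    methods = [m.get("Algorithm") for m in root.findall("md:Extensions/alg:SigningMethod", NS)
               + idp.findall("md:Extensions/alg:SigningMethod", NS)]
    # Optional attribute: it says whether the IdP *requires* signed requests; absence is
    # not a statement that it accepts unsigned ones or rejects signed ones.
    want_signed = BOOL.get((idp.get("WantAuthnRequestsSigned") or "").lower())

    if not certs:
        problems.append("no signing certificate: SP cannot verify IdP Responses/Assertions")
    if REDIRECT not in sso and POST not in sso:
        problems.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    if want_signed is not True:
        questions.append("Does the IdP accept a signed AuthnRequest? (metadata does not say)")
    if not methods:
        questions.append("Which signature algorithm/key size must the SP use? (no alg:SigningMethod)")
    return {"entity_id": root.get("entityID"), "want_authn_requests_signed": want_signed,
            "signing_certs": certs, "sso": sso, "signing_methods": methods,
            "problems": problems, "questions": questions}


def build_sp_metadata(entity_id, acs_url, signing_cert_b64):
    """SP metadata that commits to signing AuthnRequests and demands signed assertions."""
    ET.register_namespace("md", NS["md"])
    ET.register_namespace("ds", NS["ds"])
    root = ET.Element(MD + "EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, MD + "SPSSODescriptor", AuthnRequestsSigned="true",
                       WantAssertionsSigned="true",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    kd = ET.SubElement(sp, MD + "KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, DS + "KeyInfo"), DS + "X509Data")
    ET.SubElement(x509, DS + "X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, MD + "AssertionConsumerService", Binding=POST, Location=acs_url,
                  index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("declares", SAMPLE_IDP_METADATA), ("silent", SILENT_IDP_METADATA)):
        print(label, inspect_idp_metadata(doc))
    print(build_sp_metadata("https://sp.example.test/saml",
                            "https://sp.example.test/acs", "MIIC...placeholder..."))
```

The `problems` list is what the upload form can reject on; the `questions` list is what it has to ask the admin with a checkbox or radio button, because the metadata does not carry the answer. Well-formedness is the only schema check done here; a real upload path should validate against the SAML metadata XSD, and parse untrusted XML with defusedxml rather than the stdlib parser.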
