Detailed technical requirements from the SAML 2.0 interface

Basic technical requirements

This chapter describes the basic, technical requirements of the SAML 2.0 interface.

Time Synchronisation

The SAML protocol issues messages that are valid only for a limited period of time, expressed as absolute timestamps (IssueInstant, NotBefore, NotOnOrAfter). Any system that issues or consumes SAML structures MUST therefore ensure precise time synchronisation, e.g. by means of the Network Time Protocol (NTP).

SAML Assertion Consumer Service (ACS) URL

The destination address for the response of the eIAM-Web PEP (the Identity Provider, from the application's perspective) to the application's AuthnRequest is fixed and is preconfigured in the application's metadata. The application MUST therefore accept the SAML response, the logout request and the logout response on one fixed URL each.

Alternatively, the destination address for the eIAM-Web PEP's response to the AuthnRequest can be supplied in the SAML 2.0 AuthnRequest itself (AssertionConsumerServiceURL attribute). As a precondition, the application's AuthnRequests MUST be signed, so that a forged request cannot redirect the response to an attacker-chosen URL (CSRF attacks). The eIAM-Web PEP then returns the SAML 2.0 response to this URL.
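The following is an added example, not code from the eIAM documentation or the eIAM-Web PEP. It shows, on the application (SP) side, the two checks the requirements above imply: the SAML Response's Destination is compared against the preconfigured ACS URL, and the time attributes are validated against the local clock with a small skew allowance. It also builds an AuthnRequest that carries an explicit AssertionConsumerServiceURL. The URLs, the request ID, the 30-second skew allowance and the sample Response are assumptions constructed for the example; the sample is unsigned, and signature verification and InResponseTo matching are out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Assumption: the ACS URL preconfigured in the application's metadata.
CONFIGURED_ACS_URL = "https://app.example.ch/saml/acs"
# Assumption: tolerated clock skew between IdP and SP. With NTP in place the
# real skew should be far smaller; a large window weakens the validity period.
MAX_SKEW = timedelta(seconds=30)

# Constructed, unsigned sample Response (example data only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="https://app.example.ch/saml/acs">
  <saml:Issuer>https://idp.example.ch</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.ch</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.ch</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC (trailing 'Z'); fractional seconds are dropped.
    A value without the 'Z' suffix raises ValueError, which is intended: SAML
    timestamps must be expressed in UTC."""
    base, _, fraction = value.partition(".")
    if fraction:
        value = base + "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, acs_url=CONFIGURED_ACS_URL, max_skew=MAX_SKEW):
    """Return a list of validation errors; an empty list means all checks passed."""
    errors = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["not a samlp:Response"]

    # The PEP sends the Response to the fixed ACS URL; reject anything addressed elsewhere.
    dest = root.get("Destination")
    if dest != acs_url:
        errors.append("Destination %r does not match configured ACS URL %r" % (dest, acs_url))

    # A Response issued in the future (beyond the skew allowance) indicates a clock problem.
    issued = parse_saml_time(root.get("IssueInstant"))
    if issued > now + max_skew:
        errors.append("Response IssueInstant lies in the future")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        errors.append("no saml:Assertion in Response")
        return errors
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("Assertion has no Conditions")
        return errors

    # Per SAML Core, NotBefore is inclusive and NotOnOrAfter is exclusive.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + max_skew < parse_saml_time(not_before):
        errors.append("Assertion not yet valid (NotBefore)")
    if not_on_or_after and now - max_skew >= parse_saml_time(not_on_or_after):
        errors.append("Assertion expired (NotOnOrAfter)")
    return errors


def build_authn_request(issuer, acs_url, request_id, now):
    """Build an AuthnRequest that names its own AssertionConsumerServiceURL.
    Per the requirement above such a request MUST be signed before it is sent;
    XML signing (xmldsig) is not shown in this example."""
    req = ET.Element("{%s}AuthnRequest" % NS["samlp"], {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, "{%s}Issuer" % NS["saml"]).text = issuer
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 2, 0, tzinfo=timezone.utc)
    print(validate_response(SAMPLE_RESPONSE, now))
    print(build_authn_request("https://app.example.ch", CONFIGURED_ACS_URL, "_req1", now))
```

The skew allowance is applied symmetrically to the validity window, so a clock that drifts beyond it makes every assertion look either not-yet-valid or expired; that is the failure mode the time synchronisation requirement exists to prevent, and it should surface as a monitoring alert rather than a silently widened window.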