
I've a question similar to How To Become a SAML Service Provider, but it misses some parts I would like to clear up.

The SAML SSP profile spec describes several possible bindings, and states that the usage depends on SP and IdP setups.

The SAML Conformance and Profiles specifications identify the SAML bindings that can legally be used with these two messages. Specifically, an Authentication Request message can be sent from an SP to an IdP using either the HTTP Redirect Binding, HTTP POST Binding, or HTTP Artifact Binding. The Response message can be sent from an IdP to an SP using either the HTTP POST Binding or the HTTP Artifact Binding. For this pair of messages, SAML permits asymmetry in the choice of bindings used. That is, a request can be sent using one binding and the response can be returned using a different binding. The decision of which bindings to use is typically driven by configuration settings at the IdP and SP systems. Factors such as potential message sizes, whether identity information is allowed to transit through the browser (if not, the artifact binding may be required), etc. must be considered in the choice of bindings.

The first question I have: as a Service Provider, am I free to choose any one of the SP -> IdP bindings, and will it work with any IdP out there, or should I make this configurable in my implementation and support all the bindings? (Nota bene: I will probably integrate an existing SAML library to make my life easier, but I should know what configuration options I should allow and support on my interfaces.)

The second question is about the SamlResponse coming back from the IdP upon successful authentication. As far as I understand, SAML just tells me that the user successfully authenticated with the IdP. As a result I would expect it to give me back some user identifiers in the Response, like a uid, username or e-mail address that I can query from a local user DB or LDAP and run app-specific authorization logic. How can I ask the IdP for the user identifier I need, and how/where will it be returned? I can't see anything related to this in the Wikipedia example.
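As an added example (not part of the question or of any answer), here is the SP side of the spec excerpt above in working code: it builds the samlp:AuthnRequest, asks for a particular NameID format through NameIDPolicy, points at an SP metadata AttributeConsumingService by index, and then encodes the message for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode). The IdP-side decoder and a small parser are included so the round trip can be checked. All entity IDs, URLs and the request ID are made-up placeholders, and the request is left unsigned; a production SP signs the redirect query string (SigAlg/Signature parameters) or the XML itself.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, nameid_format=NAMEID_EMAIL,
                        attribute_consuming_service_index=None, request_id=None, issue_instant=None):
    """Serialise a samlp:AuthnRequest.

    NameIDPolicy tells the IdP which identifier format we want back; the attributes
    themselves are declared in SP metadata (AttributeConsumingService) and selected
    here by index. ProtocolBinding/AssertionConsumerServiceURL name the response binding.
    """
    request_id = request_id or "_" + uuid.uuid4().hex  # IDs must be NCNames, so lead with "_"
    issue_instant = issue_instant or datetime.datetime.now(
        datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": idp_sso_url,                 # IdP SSO endpoint (placeholder in the test)
        "ProtocolBinding": BINDING_HTTP_POST,       # we want the Response via HTTP-POST
        "AssertionConsumerServiceURL": acs_url,     # where the IdP must post it
    })
    if attribute_consuming_service_index is not None:
        root.set("AttributeConsumingServiceIndex", str(attribute_consuming_service_index))
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "true"})
    return ET.tostring(root, encoding="unicode")


def encode_redirect_binding(request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = compressor.compress(request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque state echoed back by the IdP
    return urlencode(params)


def decode_redirect_binding(query_string):
    """Inverse of encode_redirect_binding: what the IdP does on receipt."""
    params = parse_qs(query_string, strict_parsing=True)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    request_xml = zlib.decompress(deflated, -15).decode("utf-8")
    return request_xml, params.get("RelayState", [None])[0]


def parse_authn_request(request_xml):
    """Pick out the fields an IdP acts on, so the round trip can be verified."""
    root = ET.fromstring(request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "attribute_consuming_service_index": root.get("AttributeConsumingServiceIndex"),
    }


if __name__ == "__main__":
    xml = build_authn_request("https://sp.example.com/metadata", "https://sp.example.com/acs",
                              "https://idp.example.com/sso", attribute_consuming_service_index=1)
    query = encode_redirect_binding(xml, relay_state="/dashboard")
    print("https://idp.example.com/sso?" + query)
    print(parse_authn_request(decode_redirect_binding(query)[0]))
```

The SP keeps the generated ID until the Response arrives and matches it against InResponseTo, which is what ties the answer to a request this SP actually issued; the Destination attribute lets the IdP reject messages redirected at the wrong endpoint.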

1 Answer
  1. Depending on what bindings your SAML-IdP and SP server support, you can choose any combination of binding pairs. Typically all major SAML-IdPs support most of the bindings specified in the SAML spec. Also you have to take security and performance into consideration. Artifact is more secure but takes two round-trips to complete the SAML-Authn process, because it makes a back-end call (unlike POST or Redirect) while sending and receiving SAML messages. If your SAML-IdP and SP server support binding configuration, then you use those bindings at runtime.

  2. The NameID format identifies the user between IdP and SP, and is sent in the SAML Assertion by the IdP. It can be emailAddress, unspecified, transient, persistent and a few others. Check Section 8.3, Name Identifier Format Identifiers, of the SAML Spec for more details. Also you could request the IdP to send user attributes (that exist in the IdP identity store) in the SAML Assertion.

  • I tried to find the relevant information in the SAML Spec, but did not succeed. How do you ask for user attributes to be sent by the IdP?
    – Akasha
    Commented Aug 3, 2016 at 11:58
  • @Akasha: Thanks for voting for my answer. If this seems correct, please accept it as the best answer, so that people find it easy to read the question and its answer.
    – Zeigeist
    Commented Aug 9, 2016 at 19:27
  • I've found learning about SAML to be infinitely frustrating. The answer here says "Also you could request IdP to send user attributes (that exist in IdP identity-store) in SAML Assertion." But how?
    – Andrew
    Commented Apr 24, 2017 at 17:39
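To make concrete what the answer and the comments are talking about (where the identifier lives in the Response and how attributes come back), here is an added example that is not from the answer, the question or any SAML library. It walks a constructed samlp:Response: checks the status code, Destination, InResponseTo, issuer, audience, validity window and bearer SubjectConfirmationData, and only then returns the NameID plus the values of the AttributeStatement. Signature verification is assumed to have been done beforehand with an XML-DSig library (it is not implemented here), and the entity IDs, URLs, timestamps and attribute names are all made up.

```python
import datetime
import xml.etree.ElementTree as ET  # production code should parse with defusedxml instead

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = datetime.timedelta(seconds=60)  # assumed tolerance for SP/IdP clock drift

# Constructed sample Response: the IdP/SP entity IDs, URLs, user and attributes are fictional.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-08-03T12:00:00Z" Destination="https://sp.example.com/acs" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-08-03T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2016-08-03T12:05:00Z"
            Recipient="https://sp.example.com/acs" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-08-03T11:59:00Z" NotOnOrAfter="2016-08-03T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>staff</saml:AttributeValue><saml:AttributeValue>admins</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_utc(value):
    """SAML dateTime values are UTC and end in 'Z'; fractional seconds are optional."""
    if not value.endswith("Z"):
        raise ValueError(f"non-UTC timestamp: {value}")
    body = value[:-1].split(".")[0]
    return datetime.datetime.strptime(body, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=datetime.timezone.utc)


def _one(parent, path):
    """Require exactly one matching element: missing or duplicated elements are rejected."""
    found = parent.findall(path)
    if len(found) != 1:
        raise ValueError(f"expected exactly one {path}, found {len(found)}")
    return found[0]


def extract_identity(response_xml, idp_entity_id, sp_entity_id, acs_url, expected_request_id, now):
    """Return NameID, its format and the attributes from an already signature-verified Response."""
    if isinstance(now, str):
        now = _parse_utc(now)
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    status = _one(root, f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
    if status != STATUS_SUCCESS:
        raise ValueError(f"IdP reported status {status}")
    if root.get("Destination") not in (None, acs_url):
        raise ValueError("Response Destination is not our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not answer the request we issued")

    assertion = _one(root, f"{{{SAML}}}Assertion")  # refuse multi-assertion responses
    if assertion.findtext(f"{{{SAML}}}Issuer") != idp_entity_id:
        raise ValueError("assertion issuer is not the configured IdP")
    conditions = _one(assertion, f"{{{SAML}}}Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is not None and now < _parse_utc(not_before) - CLOCK_SKEW:
        raise ValueError("assertion is not yet valid")
    if not_on_or_after is not None and now >= _parse_utc(not_on_or_after) + CLOCK_SKEW:
        raise ValueError("assertion has expired")
    audiences = [a.text for a in conditions.findall(
        f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")]
    if sp_entity_id not in audiences:
        raise ValueError("assertion was issued for a different audience")

    subject = _one(assertion, f"{{{SAML}}}Subject")
    name_id = _one(subject, f"{{{SAML}}}NameID")
    scd = _one(subject, f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd.get("Recipient") != acs_url or scd.get("InResponseTo") != expected_request_id:
        raise ValueError("bearer confirmation is not bound to our ACS URL and request")
    if now >= _parse_utc(scd.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise ValueError("bearer confirmation has expired")

    attributes = {}
    for attr in assertion.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"), "attributes": attributes}
```

Which attributes the IdP releases is declared on the SP side in metadata (md:AttributeConsumingService with md:RequestedAttribute entries, referenced from the AuthnRequest by AttributeConsumingServiceIndex) and on the IdP side by its attribute release policy, so the SP should treat the returned set as untrusted input and fail closed when a required attribute is missing.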
