...
Section 2.1.3 – errorURL
Implemented: X 16 June 2025
Description
The errorURL is an attribute on the IDPSSODescriptor element in an Identity Provider's (IdP) SAML metadata. It points to a web page intended to help users troubleshoot login problems. When a user encounters an issue during authentication, a Relying Party (e.g. a Service Provider) may direct the user to this URL for guidance or support. Including a valid and accessible errorURL improves the user experience and aligns with SAML best practices.
...
A generic errorURL is provided by Skolfederation as an example and fallback. More info <here> (link to a page that describes it).
Section 2.1.6 – SAML certificates (signing)
Implemented: X 16 June 2025
Description
A signing certificate is a critical part of an Identity Provider's SAML metadata. It lets relying parties cryptographically verify the signatures on the SAML assertions and other protocol messages the IdP issues. The certificate is included via a <KeyDescriptor> element, either explicitly marked with use="signing" or with no use attribute at all (no use attribute means the key may be used for both signing and encryption).
Requirement
...
Section 3.1.4 – SAML certificates (encryption)
Implemented: X 16 June 2025
Description
An encryption certificate is required in a Service Provider's SAML metadata so that Identity Providers can encrypt assertions for that SP. It must be included using a <KeyDescriptor> element, either explicitly marked with use="encryption" or with no use attribute (which implies general-purpose use, including encryption). The SP must hold the corresponding private key in order to decrypt the assertions it receives.
...
Section 3.1.6 – Requested Attributes (SP)
Implemented: X 16 June 2025
Requirement
A Service Provider MUST include at least one AttributeConsumingService element.
Each AttributeConsumingService MUST contain:
- A ServiceName element with an xml:lang attribute.
- A ServiceDescription element with an xml:lang attribute.
- At least one RequestedAttribute.
Each RequestedAttribute MUST include:
- A Name attribute.
- A FriendlyName attribute.
- A NameFormat attribute set to urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
It is strongly recommended to use attributes from the federation's attribute profile for interoperability purposes.
If an attribute from the attribute profile is used, the FriendlyName MUST exactly match the name defined in the profile.
Examples
```xml
<AttributeConsumingService index="1">
  <ServiceName xml:lang="en">Demo Service</ServiceName>
  <ServiceDescription xml:lang="en">Used for testing login functionality</ServiceDescription>
  <RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="norEduPersonNIN"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" />
</AttributeConsumingService>
```
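The following is an added example, not Skolfederation's own tooling and not part of the original page: a small lint pass over an entity's SAML metadata that checks the requirements from sections 2.1.3, 2.1.6, 3.1.4 and 3.1.6 above (errorURL present, a KeyDescriptor usable for signing, a KeyDescriptor usable for encryption, and the AttributeConsumingService rules including the FriendlyName match against the attribute profile). The sample metadata, the placeholder certificate body and the PROFILE_FRIENDLY_NAMES mapping are constructed for the example (the mapping is seeded from the page's own urn:oid:1.2.752.29.4.13 / norEduPersonNIN pair and stands in for the real attribute profile); requiring https on errorURL is this example's own stricter check, not something the section states.

```python
"""Metadata lint for sections 2.1.3, 2.1.6, 3.1.4 and 3.1.6 (added example, not
Skolfederation tooling). Standard library only; all sample metadata is constructed."""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # for metadata from untrusted sources, parse with defusedxml instead

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ElementTree's attribute key for xml:lang
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
# Stand-in for the federation attribute profile (assumption), seeded from the page's example.
PROFILE_FRIENDLY_NAMES = {"urn:oid:1.2.752.29.4.13": "norEduPersonNIN"}

def q(tag):
    """Namespace-qualify a SAML metadata tag for ElementTree."""
    return f"{{{MD}}}{tag}"

def keys_for(role, use):
    """KeyDescriptors usable for `use`: explicit use="..." or no use attribute (general purpose)."""
    return [kd for kd in role.findall(q("KeyDescriptor")) if kd.get("use") in (use, None)]

def check_idp(metadata_xml):
    """Findings for an IdP: 2.1.3 (errorURL present) and 2.1.6 (a signing key exists)."""
    idp = ET.fromstring(metadata_xml).find(f".//{q('IDPSSODescriptor')}")
    if idp is None:
        return ["no IDPSSODescriptor"]
    findings = []
    url = urlparse(idp.get("errorURL", ""))
    if not (url.scheme == "https" and url.netloc):  # insisting on https is this example's own rule
        findings.append("2.1.3: errorURL missing or not an absolute https URL")
    if not keys_for(idp, "signing"):
        findings.append("2.1.6: no KeyDescriptor usable for signing")
    return findings

def check_sp(metadata_xml):
    """Findings for an SP: 3.1.4 (encryption key) and 3.1.6 (AttributeConsumingService rules)."""
    sp = ET.fromstring(metadata_xml).find(f".//{q('SPSSODescriptor')}")
    if sp is None:
        return ["no SPSSODescriptor"]
    findings = []
    if not keys_for(sp, "encryption"):
        findings.append("3.1.4: no KeyDescriptor usable for encryption")
    services = sp.findall(q("AttributeConsumingService"))
    if not services:
        findings.append("3.1.6: no AttributeConsumingService")
    for acs in services:
        where = f"3.1.6: AttributeConsumingService index={acs.get('index')}:"
        for tag in ("ServiceName", "ServiceDescription"):
            elems = acs.findall(q(tag))
            if not elems:
                findings.append(f"{where} missing {tag}")
            findings += [f"{where} {tag} lacks xml:lang" for e in elems if XML_LANG not in e.attrib]
        attrs = acs.findall(q("RequestedAttribute"))
        if not attrs:
            findings.append(f"{where} no RequestedAttribute")
        for ra in attrs:
            name, friendly = ra.get("Name"), ra.get("FriendlyName")
            if not name:
                findings.append(f"{where} RequestedAttribute without Name")
            if not friendly:
                findings.append(f"{where} RequestedAttribute {name} without FriendlyName")
            if ra.get("NameFormat") != URI_FORMAT:
                findings.append(f"{where} RequestedAttribute {name} NameFormat is not {URI_FORMAT}")
            expected = PROFILE_FRIENDLY_NAMES.get(name)
            if expected and friendly != expected:
                findings.append(f"{where} FriendlyName {friendly!r} must be {expected!r} per the attribute profile")
    return findings

# Constructed sample metadata; the certificate body is a placeholder, not a real certificate.
CERT = ("<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:X509Data>"
        "<ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>")
GOOD_SP = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sp.example.se/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor>{CERT}</KeyDescriptor>
    <AttributeConsumingService index="1">
      <ServiceName xml:lang="en">Demo Service</ServiceName>
      <ServiceDescription xml:lang="en">Used for testing login functionality</ServiceDescription>
      <RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="norEduPersonNIN" NameFormat="{URI_FORMAT}"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""
# Same SP with deliberate defects (five findings): signing-only key, ServiceName without xml:lang,
# no ServiceDescription, and a RequestedAttribute with the wrong NameFormat and FriendlyName.
BAD_SP = f"""<EntityDescriptor xmlns="{MD}" entityID="https://bad-sp.example.se/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">{CERT}</KeyDescriptor>
    <AttributeConsumingService index="1">
      <ServiceName>Demo Service</ServiceName>
      <RequestedAttribute Name="urn:oid:1.2.752.29.4.13" FriendlyName="personalIdentityNumber"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </AttributeConsumingService>
  </SPSSODescriptor>
</EntityDescriptor>"""
GOOD_IDP = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.se/idp">
  <IDPSSODescriptor errorURL="https://idp.example.se/help" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">{CERT}</KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `check_sp` or `check_idp` over an entity's metadata before submitting it to the federation; an empty list means the checks covered here pass. Note that `keys_for` accepts a KeyDescriptor with no use attribute for both the signing and the encryption check, which is exactly the "no use attribute implies general-purpose use" rule in sections 2.1.6 and 3.1.4.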
...