When procuring services, it is common for bidders to say that they support SAML, but when we come to testing we normally find that their support is limited or does not meet all of our requirements. Consider using the following wording in RFQs, and speak to the T&I team both before you send out the RFQ and once responses are in, so that they can look them over. We are happy to help.
- The solution must support a standardised implementation of the SAML WebSSO profile: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf. Compliance with SAML2Int is preferred: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html.
- The solution must support eduPerson for handling user attributes: https://wiki.refeds.org/display/STAN/eduPerson.
- The solution must support multilateral federation and the ability to accept logins from multiple organisations/domains via eduGAIN: https://edugain.org/.
- The solution must make its Service Provider (SP) metadata available in XML format, as either a URL (preferred) or an XML file.
- The solution must implement signing of metadata via an X.509 certificate.
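As an added example (not part of the original guidance), the check below is the kind of quick structural test the T&I team can run over a bidder's SP metadata to see whether the last three requirements are even plausibly met: a metadata `EntityDescriptor` with an `entityID`, an enveloped `ds:Signature` carrying an X.509 certificate, an `SPSSODescriptor` with an HTTPS `HTTP-POST` AssertionConsumerService, and a published signing key. The sample metadata, its entityID and certificate values are constructed placeholders; the script only checks that the signature and certificate are present and does not cryptographically verify the signature (use a library such as xmlsec for that).

```python
"""Structural checks of SAML SP metadata against the RFQ wording above (standard library only)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: hypothetical entityID, placeholder certificate and signature.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text: str) -> dict:
    """Return a dict mapping each checklist item to True/False for the given metadata."""
    root = ET.fromstring(xml_text)
    results = {}
    results["is_entity_descriptor"] = root.tag == f"{{{NS['md']}}}EntityDescriptor"
    results["has_entity_id"] = bool(root.get("entityID"))
    # Signed metadata: an enveloped ds:Signature whose KeyInfo carries an X.509 certificate.
    sig = root.find("ds:Signature", NS)
    results["metadata_signed"] = sig is not None and sig.find(".//ds:X509Certificate", NS) is not None
    # SAML2 WebSSO SP role with an HTTPS AssertionConsumerService using the HTTP-POST binding.
    sp = root.find("md:SPSSODescriptor", NS)
    results["has_sp_role"] = sp is not None
    acs = [] if sp is None else sp.findall("md:AssertionConsumerService", NS)
    results["has_https_post_acs"] = any(
        a.get("Binding") == HTTP_POST and a.get("Location", "").startswith("https://") for a in acs)
    # A signing certificate published in the SP role (no 'use' attribute means signing and encryption).
    keys = [] if sp is None else sp.findall("md:KeyDescriptor", NS)
    results["has_signing_key"] = any(
        k.get("use") in (None, "signing") and k.find(".//ds:X509Certificate", NS) is not None for k in keys)
    return results


def all_met(results: dict) -> bool:
    """True only when every checklist item passed."""
    return all(results.values())
```

A bidder's real metadata is fetched from the URL they supply and passed to `check_sp_metadata` in place of the constructed sample; a failed item is a prompt for the follow-up question to the vendor, not proof of non-compliance.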