Should SAML metadata be exchanged manually or programmatically?


I have started a SAML implementation in Java using OpenSAML. I have a few questions:

  1. I know that before sending a SAML request to the IdP, we need to register the IdP with the SP using metadata. Do we need to manually exchange this metadata?
  2. Is it possible to implement SAML in a way where the IdP can be any?
  3. Is it necessary to implement both SP-initiated and IdP-initiated SAML?

  1. It depends on the IdP implementation. Most IdPs allow you to copy and paste the metadata or set the URL for the SP metadata file.

  2. Basically yes. But keep in mind you'll have to support many types of SAML flow configurations. Note that every implementation can have different options, such as the binding that will be used (redirect/POST), with or without artifacts, with or without encryption, the type of encryption and signing algorithms, and more. I suggest you stick to the basic scenario you need to implement.

  3. It depends on your flow.

    • If the user starts the authentication flow from the SP, then you need to implement the SP-initiated flow.
    • If the user has already authenticated to the IdP and moves to the SP from there, then you need to implement the IdP-initiated flow.

If both are a viable scenario for you, then implement both.

Hope it helps.