Understanding Entity ID and reply URL for SAML

Release: 6.7.5.14

An Entity ID is a globally unique name for a SAML entity, i.e., your Identity Provider (IdP) or Service Provider (SP). It is how other services identify your entity. Like any other unique identifiers, you share to interoperate with others, making sure your identifier is clear, unique, and permanent is critical for the successful continued operation of your service(s). Choose your entity ID carefully and deliberately.

How to choose a good Entity ID

An Entity ID MUST be globally unique.

To ensure your Entity ID is globally unique, the Incommon Federation asks that your Entity ID be in the form of a universal resource locator (URL). The DNS domain in the URL needs to be a domain for which you can demonstrate control, typically one belonging to your organization. InCommon will perform domain control validation on a domain you use in your entity ID to verify control.

Tips for creating a clear, meaningful entity ID

• An entityID SHOULD be an absolute URL starting with “https://” or “http://”; an URL-based entity ID starting with
• "https://" is more flexible than one starting with "http://"
• The URL SHOULD NOT contain a port number, a query string, or a fragment identifier
• The host part of the URL SHOULD NOT contain the substring “www”
• The URL SHOULD NOT end with a slash (/)
• An entityID SHOULD NOT be more than 30 characters in length
• Include the substring "IDP" in an IdP entity ID
• Include the substring "sp" in an SP Entity ID
• Do not include the substring "incommon" in an entity ID
• Do not include the name of your SAML software in an entity ID ("shibboleth", "adfs", "php", etc.)

Additional notes

An entity ID is a name. It need not be a resolvable web location. SAML entity IDs must be a Universal Resource Identifier (URI). Because an URL is a more familiar form of URI, we adopt URL as the preferred format for an entity ID. Although a URL, it's important to note that an entity ID is a persistent identifier, not a web location. An entity ID need not resolve to an actual web resource. If you do make your entity ID a resolvable web link, the link should point to a web page describing your service and mention that the location is an identifier for your service.

The domain in the entity ID need not match those in the endpoint locations in the metadata. A common misconception is that the entity ID must match the endpoint locations for the deployment. This is not required. The entity ID should accurately reflect the organization that owns the entity. Endpoint locations, on the other hand, are resolvable DNS names. 

Examples of well-formed entity IDs

IdP names:

https://comp.example.com/idp

SP names:

https://comp.example.net/sp
https://myapp.example.com/sp

The entities (IDP and SP) must be federated before authentication can occur. During federation, configuration data is exchanged in metadata files. Each entity publishes information about itself in these files and publishes them to a specific location, for example, on the internet or a network drive. When the entities share metadata, they establish and agree on the parameters that they will use for authentication requests and responses. They also share information such as:

Entity IDs, which entities use to identify themselves to each other. For example, the Entity ID tells the IDP if an authentication request comes from a federated relying party.

So, the entity ID would be supplied by the identity provider (IDP) and isn't generated from the ProxySG. For a more practical guide, please refer to the Safenet (non-Broadcom) doc. with the URL below.

https://resources.safenetid.com/help/Bluecoat%20ProxySG/Index.htm

A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on (SSO) profile of the Security Assertion Markup Language (SAML).