I was wondering if a SAML solution (Identity Provider or Service Provider) needs to support SAML metadata exchange (i.e. the SAML-Metadata specification) in order to be defined as fully compliant with SAML 2.0.

Looking at the SAML conformance document, it is not quite clear whether this is a MUST, a SHOULD or a MAY as per RFC 2119.

Any idea where I should look?

ref:

Solution

Unfortunately, there's no such thing as SAML 2 compliant so it's a hard one to prove - although the conformance spec does say metadata is part of the standard.

There is the Interoperable SAML 2.0 Profile though. See it at http://saml2int.org/

It's a minimum set of profiles/bindings that I've used (as part of a significantly sized SAML service and software providing company) in the past for this purpose. It defines metadata requirements here: http://saml2int.org/profile/current#section5

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow