Enterprise SSO
SAML requirements
Sighted accepts only signed SAML 2.0 assertions from IdPs with signing certificates published in metadata.
Required IdP behavior
- Assertions and responses must be signed.
- Signatures must use RSA-SHA256 or stronger. SHA-1 and MD5 are rejected.
- IdP metadata must include an X.509 signing certificate.
- The assertion issuer must match the IdP entity ID in metadata.
- The audience restriction must match the Sighted SP entity ID.
- The assertion must include valid NotBefore and NotOnOrAfter conditions.
- The response must match an AuthnRequest created in the last 10 minutes.
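As an added example that is not Sighted's own code, the following Python function applies the checklist above to a parsed SAML Response: both signatures present with an allowed algorithm, issuer equal to the IdP entity ID, audience equal to the SP entity ID, the NotBefore/NotOnOrAfter window, and an InResponseTo that matches an AuthnRequest issued within the last 10 minutes. The entity IDs, the allow-list of algorithm URIs and the sample response are assumptions constructed for the example; cryptographic verification of the XML signatures against the metadata certificate is left to an XML signature library and is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumed allow-list for "RSA-SHA256 or stronger": the rsa-sha1 and rsa-md5 URIs are deliberately absent.
ALLOWED_SIG_ALGS = {f"http://www.w3.org/2001/04/xmldsig-more#rsa-sha{bits}" for bits in (256, 384, 512)}
REQUEST_MAX_AGE = timedelta(minutes=10)

def parse_utc(ts):  # SAML timestamps are ISO 8601 UTC; older Pythons need "Z" spelled as "+00:00"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_saml_response(xml_text, sp_entity_id, idp_entity_id, issued_requests, now):
    """Return the list of policy violations (empty means every check passed). issued_requests maps
    AuthnRequest ID -> UTC datetime it was created. Cryptographic verification of each XML-DSig
    against the metadata certificate is assumed to be done first by an XML signature library."""
    errors, resp = [], ET.fromstring(xml_text)
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return ["missing Assertion"]
    for name, node in (("Response", resp), ("Assertion", assertion)):  # both must be signed
        method = node.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            errors.append(f"{name} is not signed")
        elif method.get("Algorithm") not in ALLOWED_SIG_ALGS:
            errors.append(f"{name} uses rejected signature algorithm {method.get('Algorithm')}")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        errors.append("assertion issuer does not match the IdP entity ID from metadata")
    conds = assertion.find("saml:Conditions", NS)
    audience = "" if conds is None else conds.findtext(
        "saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:
        errors.append("audience restriction does not match the SP entity ID")
    try:  # conds may be None or lack the attributes -> AttributeError; bad timestamps -> ValueError
        if not (parse_utc(conds.get("NotBefore")) <= now < parse_utc(conds.get("NotOnOrAfter"))):
            errors.append("current time is outside the NotBefore/NotOnOrAfter window")
    except (AttributeError, ValueError):
        errors.append("missing or malformed NotBefore/NotOnOrAfter")
    created = issued_requests.get(resp.get("InResponseTo"))
    if created is None or now - created > REQUEST_MAX_AGE:
        errors.append("InResponseTo does not match an AuthnRequest from the last 10 minutes")
    return errors

# Constructed sample (not real IdP output): Response signed with RSA-SHA256, Assertion with the rejected RSA-SHA1.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" InResponseTo="_req1">
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
<saml:Assertion><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
<saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sighted.example/sp</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Run against the sample, the function reports only the SHA-1 assertion signature; replacing that algorithm URI with RSA-SHA256 makes the sample pass, and an AuthnRequest older than 10 minutes or a clock past NotOnOrAfter is reported as its own violation.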