Haka SAML 2.0 Profile 3.0
The SAML 2.0 profile ensures interoperability between services that use the SAML 2.0 protocol by specifying which parts of the broad SAML 2.0 standard are to be used. It also fixes certain implementation details that interoperability depends on.
The new Haka profile aims to be compatible with both the profile used by the eduGAIN service and Kantara's SAML V2.0 Deployment Profile for Federation Interoperability. Broad interoperability makes it easier for system developers, software vendors, and organizations that acquire systems.
The new Haka profile should be interpreted in the following order of priority:
- FunetEduPerson schema defines attributes
- SAML2int defines attributes
Haka SAML 2.0 profile version 3.0
The Haka SAML 2.0 Web SSO profile is based on the Kantara SAML V2.0 Deployment Profile for Federation Interoperability. Haka's additions and corrections to the Kantara profile are listed below.
Haka's additions and corrections to the Kantara profile
Haka's additions to the SAML V2.0 Deployment Profile for Federation Interoperability (the bracketed identifiers refer to requirements in that profile):
- Use of algorithms other than those specified in the profile is at the discretion of the IdP operator [SDP-ALG01]
- The RSA key in the certificate of any new or updated IdP or SP registered with Haka, including self-signed certificates, must be at least 4096 bits [SDP-MD06]
- Use of EC keys in Haka services is not recommended because of compatibility problems [SDP-MD07]
- SubjectID must be supported, but legacy identifiers may also be used [SDP-SP13], [SDP-SP14], [SDP-SP15]
- IdPs must also support legacy services that accept only persistent identifiers [SDP-IDP15], [SDP-IDP16], [SDP-IDP17]
- An SP that does not support multiple signing certificates in IdP metadata risks downtime when the IdP rolls over its signing key [SDP-SP37], [SDP-SP38]
The attributes released in Haka are described and defined in the FunetEduPerson schema.
Scoped attributes. The FunetEduPerson schema contains two scoped attributes: eduPersonPrincipalName and eduPersonScopedAffiliation. A home organization may populate these attributes only with scopes it owns (for example, the ePPN account1@csc.fi may be asserted only by the IdP owned by CSC). Services that rely on scoped attributes are advised to enforce this rule by checking the scope of each received value against the scopes registered for the asserting IdP; the list of allowed scopes per IdP is published by the operator in the Haka metadata.
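As an added example (not part of the Haka profile or of any Haka software), the check described above written out: read the allowed scopes per IdP from the shibmd:Scope elements in federation metadata, then accept a scoped attribute value only if the asserting IdP owns its scope. The metadata fragment and the entityIDs in it are constructed for illustration; in practice the scopes come from the signed Haka metadata your SP already loads. Values with no scope, an empty user part, or a scope not registered to the issuer are rejected, and an issuer with no registered scope loses every scoped value.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Attributes the FunetEduPerson schema defines as scoped.
SCOPED_ATTRIBUTES = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")

# Constructed metadata fragment for illustration only (entityIDs are
# hypothetical, not taken from real Haka metadata). Allowed scopes are
# published per IdP as shibmd:Scope elements; regexp="true" marks a pattern.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.csc.fi/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">csc.fi</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.fi/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.fi</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.example\.fi$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_scopes(metadata_xml):
    """Return {entityID: [(scope, is_regexp), ...]} from the IdP roles in metadata."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity_id = ed.get("entityID")
        found = []
        for idp in ed.findall("md:IDPSSODescriptor", NS):
            for elem in idp.findall("md:Extensions/shibmd:Scope", NS):
                is_regexp = elem.get("regexp", "false").lower() == "true"
                found.append(((elem.text or "").strip(), is_regexp))
        scopes[entity_id] = found
    return scopes


def scope_allowed(scope, allowed):
    """True if `scope` matches one of the (value, is_regexp) entries in `allowed`.

    Literal scopes are DNS names and are compared case-insensitively; patterns
    are applied with fullmatch so a pattern cannot match only part of a scope.
    """
    scope = scope.lower()
    for value, is_regexp in allowed:
        if is_regexp:
            if re.fullmatch(value, scope, flags=re.IGNORECASE):
                return True
        elif value.lower() == scope:
            return True
    return False


def filter_scoped_attributes(attributes, issuer, scopes):
    """Split received attributes into (accepted, rejected) dicts.

    `attributes` maps attribute name -> list of values as decoded from the
    assertion; `issuer` is the asserting IdP's entityID. Non-scoped attributes
    pass through unchanged. For scoped attributes, a value is accepted only if
    it has the form user@scope and the scope is registered to the issuer.
    """
    allowed = scopes.get(issuer, [])
    accepted, rejected = {}, {}
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        good, bad = [], []
        for value in values:
            local, sep, scope = value.rpartition("@")
            if sep and local and scope and scope_allowed(scope, allowed):
                good.append(value)
            else:
                bad.append(value)
        if good:
            accepted[name] = good
        if bad:
            rejected[name] = bad
    return accepted, rejected


if __name__ == "__main__":
    known = load_scopes(SAMPLE_METADATA)
    attrs = {
        "eduPersonPrincipalName": ["account1@csc.fi"],
        "eduPersonScopedAffiliation": ["member@csc.fi", "staff@example.fi"],
    }
    ok, rej = filter_scoped_attributes(attrs, "https://idp.csc.fi/idp/shibboleth", known)
    print("accepted:", ok)
    print("rejected:", rej)
```

In a Shibboleth SP deployment this is the job of the attribute policy: the default attribute-policy.xml applies an AttributeScopeMatchesShibMDScope rule to eduPersonPrincipalName and eduPersonScopedAffiliation, so the check runs before the application sees the values. Other SAML stacks may not do this by default, and a service that consumes these attributes without such a check lets one home organization assert identities in another organization's scope.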
Effective date
- 1.10.2025: profile in force in Haka