Application Stages and Metadata Generation

Cantor, Scott cantor.2 at
Tue Nov 8 17:02:32 GMT 2011

On 11/8/11 11:38 AM, "Jonathan Champ" <jonathan_champ at> wrote:
>I meant that I was interested in seeing a literal example. I understand
>that the absolute endpoints for each vhost must be in the metadata.

I suspect there are examples in the federation metadata scattered around
various countries, such as InCommon's.

>The Shibboleth.sso/Metadata on each vhost is correct for that vhost.

It's an example. It's incomplete. It's got stuff in it that some
deployments might not need or even shouldn't have. Etc.

>It sounds like you are saying that "The IdP software does not use
>the RequestInitiator, ArtifactResolutionService or SingleLogoutService
>portions of the SP Metadata".

The RequestInitiator element has no functional role and is primarily for
documentation purposes. An ArtifactResolutionService element is used for
sending outbound messages using the artifact binding. The IdP does not
support inbound artifacts. And the IdP does not support SAML logout, so
the latter element is also unused.

>My understanding of your response is: "When a user hits a Shibboleth
>page that requires a new session, the page sends the response location
>with the Login request. The response location is one of the
>AssertionConsumerService endpoints which is listed in the Metadata
>provided by the SP to the IdP." If that is correct, then I fully expect
>the Metadata that I linked to in my previous e-mail will function
>correctly for Login.
>If possible, I would like for Logout to work correctly. Does the
>response location get sent by the SP during Logout or does the IdP
>attempt to trigger Logout from its end?

The IdP doesn't support Logout unless you add an extension. The response
location is not sent with a LogoutRequest, there's no place to put it. It
is the case that the response from a logout-supporting IdP can be
mistargeted. A UI for logout tends to leave you at the IdP and the
response to the original SP is a clean up message that doesn't do much.
But it's possible to construct a logout UI that would break in such a case.

-- Scott
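As an added illustration (not part of Scott's reply or the Shibboleth project's code), a small Python check of the point above: the absolute AssertionConsumerService endpoint for each vhost must appear in the SP metadata the IdP holds, because the IdP will only return a login response to a location it can find there. The metadata, hostnames and path are constructed placeholders.

```python
"""Check that every vhost's absolute ACS endpoint is advertised in SP metadata.
Constructed example; metadata, hostnames and entityID are placeholders."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata covering two vhosts behind one entityID.
SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sp.example.edu/shibboleth">
  <SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="{POST_BINDING}" index="1"
        Location="https://www1.example.edu/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService Binding="{POST_BINDING}" index="2"
        Location="https://www2.example.edu/Shibboleth.sso/SAML2/POST"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_locations(metadata_xml):
    """Return the set of (Binding, Location) pairs the SP advertises as ACS endpoints."""
    root = ET.fromstring(metadata_xml)
    return {(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")}


def missing_vhost_endpoints(metadata_xml, vhosts, binding=POST_BINDING,
                            path="/Shibboleth.sso/SAML2/POST"):
    """List vhosts whose absolute ACS URL (https://host + path) is not in metadata.

    A vhost listed here would send the IdP a response location it cannot
    match against the metadata, so login for that vhost would fail.
    """
    advertised = acs_locations(metadata_xml)
    return [host for host in vhosts
            if (binding, f"https://{host}{path}") not in advertised]


if __name__ == "__main__":
    # www3 is deliberately absent from the constructed metadata above.
    print(missing_vhost_endpoints(
        SP_METADATA, ["www1.example.edu", "www2.example.edu", "www3.example.edu"]))
```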
