Force SAML 1 with Login handler?

Cantor, Scott cantor.2 at
Fri Sep 23 22:23:46 BST 2011

On 9/23/11 5:12 PM, "Tom Poage" <tfpoage at> wrote:

>Is there a way from the client/IdP side to force using SAML 1 when
>visiting the /Login handler?

Not without messing with your metadata, but now that you mention it, that
isn't a crazy feature to request (hint). I'm not sure why that never
occurred to me. I think I convinced myself it's some kind of security
risk, but that logic doesn't really hold.

>(If not, since we maintain a launch URL for the SP, perhaps we can fall
>back to the SAML 1 /Shibboleth/SSO profile handler)

In that scenario, you certainly can control it, yes.

-- Scott

More information about the users mailing list