Shibboleth 2.4.3 SAML2 and WAYF

Cantor, Scott cantor.2 at
Fri Jan 13 20:40:53 GMT 2012

On 1/13/12 3:21 PM, "Law, Bob" <Robert.Law at> wrote:

>Our WAYF simply lists the federations and when selected the entities
>that belong to the federation.  It then redirects the browser to the
>entity for login.

The EDS is oriented around a very different UI from that, mainly because
users do not know what federations are and cannot be expected to choose
one. I don't believe it can be easily used to reproduce such a UI, but I
wouldn't know.

The standalone DS on the other hand can almost certainly produce a UI
along those lines.

>If the embedded DS does not support saml1 then we won't be able to use
>it.  Doesn't the SSO tag allow both saml1 and saml2?  Is it just the
>code in shibboleth that won't send out saml1?

I didn't say anything like that. The DS protocol is SSO protocol agnostic.
It doesn't know or care what the SSO protocol will be. There are multiple
protocols involved here, one for discovery and another for SSO.

The SP supports all SAML versions unless it's configured not to.

-- Scott
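
The split between discovery and SSO described in the reply above, as an added example that is not part of the original message or of Shibboleth's code: a Python sketch of the SAML IdP Discovery Protocol exchange, whose parameters (entityID, return, returnIDParam) carry no SSO protocol version. All URLs, the `ALLOWED_RETURNS` table and the function names are constructed assumptions; the return-URL check models a DS that only redirects to locations registered for the requesting SP.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs, parse_qsl

# Constructed sample values (assumptions, not taken from the thread).
DS_URL = "https://ds.example.org/DS"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_RETURN = "https://sp.example.org/disco-return?ctx=abc"
# Return locations the DS accepts per SP, as it would learn them from the
# SP's DiscoveryResponse endpoints in metadata (hypothetical table).
ALLOWED_RETURNS = {SP_ENTITY_ID: {"https://sp.example.org/disco-return"}}


def discovery_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    """SP -> DS redirect. Nothing here names SAML 1.1 or SAML 2.0."""
    query = urlencode({
        "entityID": sp_entity_id,          # the SP asking for discovery
        "return": return_url,              # where the DS sends the user back
        "returnIDParam": return_id_param,  # name of the parameter for the answer
    })
    return f"{ds_url}?{query}"


def discovery_response(request_url, chosen_idp):
    """DS -> SP redirect carrying only the chosen IdP's entityID."""
    params = parse_qs(urlsplit(request_url).query)
    sp = params["entityID"][0]
    ret = urlsplit(params["return"][0])
    id_param = params.get("returnIDParam", ["entityID"])[0]
    # Compare scheme, host and path against the registered locations so the
    # DS cannot be used as an open redirector.
    location = urlunsplit((ret.scheme, ret.netloc, ret.path, "", ""))
    if location not in ALLOWED_RETURNS.get(sp, set()):
        raise ValueError("return URL is not registered for this SP")
    # Keep the SP's own query parameters and append the selection.
    query = parse_qsl(ret.query) + [(id_param, chosen_idp)]
    return urlunsplit((ret.scheme, ret.netloc, ret.path, urlencode(query), ""))


if __name__ == "__main__":
    req = discovery_request(DS_URL, SP_ENTITY_ID, SP_RETURN)
    print(req)
    print(discovery_response(req, "https://idp.example.edu/idp/shibboleth"))
```

Which SSO protocol follows is decided by the SP only after it receives the selected entityID.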
