SAML 1.1 Artifact

Tom Scavo trscavo at gmail.com
Thu Jan 19 12:44:50 GMT 2012


On Thu, Jan 19, 2012 at 1:15 AM, Chandra Tondepu
<chandrasekhar.tondepu at gmail.com> wrote:
> I need the following information to set up Shibboleth as IDP and Siteminder
> FSS as SP using SAML 1.1 Artifact binding for SSO.
>
> (1) Siteminder FSS is asking for SourceID of IDP, how do I get the SourceID
> of Shibboleth IDP?

The SourceId is an arbitrary sequence of bytes. In practice, the
SourceId is the 20-byte SHA-1 hash of the IdP entityID. I believe
that's what the Shibboleth IdP uses as well, so send them that (or
just send them your entityID and let them compute the hash).

> (2) I have bookmarked /Authn/UserPassword of IDP which is giving me an
> error, to invoke the IDP to send a SAML Artifact to the SP, where should I
> start?

Invoke the IdP using a Shibboleth AuthnRequest. The format of that
request is documented in the Shibboleth Protocol Specification:

http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-200509.pdf

> (3) How should my IntersiteTransferService URL be?

The ITS is strictly a SAML V1.1 concept. In the Shibboleth IdP (which
supports both SAML V1.1 and V2.0), the corresponding concept is the
SingleSignOnService (which is a SAML V2.0 term). Presumably Siteminder
needs to know the location of a SingleSignOnService endpoint that
supports the SAML V1.1 artifact profile. Send them that.

> (4) At the first cut, I want to ignore signing and encryption in local
> environment, so I turned it off in handler.xml and relying-party.xml and
> ensuring the server starts without errors on Service Provider configuration.
> Would this be enough? Or should I check anything else?

SAML V1.1 doesn't support encryption at all so you can simply forget
about that. You should turn signing back on since there is no security
without it. But you're right, getting the RP to properly verify the
signature on the assertion/response may be a challenge.

> (5) Siteminder as SP gives two options (1) the assertion consumer
> service/saml credential collector can take basic auth (2) saml credential
> collector can do client certificate authentication, if I want to do basic
> auth with Shibboleth IDP, how can I initiate this?

That doesn't make any sense since authentication occurs on the IdP
side. What do you mean when you say "Siteminder as SP gives two
options"?

Of course, if Siteminder knew how to consume SAML metadata, then most
of this out-of-band communication would not be necessary. Oh well.

HTH,
Tom
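As an added illustration of the SourceID point in answer (1) above (not code from the thread or from Shibboleth), the script below computes the SourceID as the SHA-1 of an IdP entityID and goes one step further than the reply: it assembles and parses a type 0x0001 SAML V1.1 artifact (TypeCode, SourceID, AssertionHandle, base64) and shows how an SP should map a received artifact's SourceID back to a trusted IdP before resolving it. The entityID and the IdP table are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# SAML V1.1 artifact, TypeCode 0x0001: 2-byte TypeCode || 20-byte SourceID
# || 20-byte AssertionHandle, base64-encoded (per the SAML 1.1 Bindings spec).
TYPE_CODE = b"\x00\x01"

# Constructed example: entityID -> artifact resolution endpoint an SP trusts.
KNOWN_IDPS = {
    "https://idp.example.org/idp/shibboleth":
        "https://idp.example.org/idp/profile/SAML1/SOAP/ArtifactResolution",
}


def source_id(entity_id: str) -> bytes:
    """SourceID = 20-byte SHA-1 of the IdP entityID, as the reply describes."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, assertion_handle: bytes) -> str:
    """Assemble a type 0x0001 artifact the way an IdP would."""
    if len(assertion_handle) != 20:
        raise ValueError("AssertionHandle must be exactly 20 bytes")
    raw = TYPE_CODE + source_id(entity_id) + assertion_handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str):
    """Split an artifact into (SourceID, AssertionHandle), rejecting malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("not a type 0x0001 SAML V1.1 artifact")
    return raw[2:22], raw[22:]


def resolve_issuer(artifact: str, known_idps: dict) -> str:
    """SP-side check: map the SourceID to a trusted IdP, else refuse to resolve."""
    sid, _handle = parse_artifact(artifact)
    for entity_id in known_idps:
        if hmac.compare_digest(sid, source_id(entity_id)):
            return entity_id
    raise LookupError("unknown SourceID; artifact will not be resolved")


if __name__ == "__main__":
    idp = "https://idp.example.org/idp/shibboleth"
    print("SourceID (hex):", source_id(idp).hex())
    art = build_artifact(idp, os.urandom(20))
    print("artifact:", art, "->", resolve_issuer(art, KNOWN_IDPS))
```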

