SAML2 Attribute Query

Ian Young ian at
Mon Nov 5 04:58:15 EST 2012

On 4 Nov 2012, at 18:17, Mike Wiseman <mike.wiseman at> wrote:

> I'm configuring a commercial service provider to work with our shib IdP. The SP wants to use the SAML 2 artifact resolution profile and insists that the authn and attribute transactions be handled over one port - 443. I don't know why - perhaps they're using something other than shib for the SP.  I'm sure the answer to this is no but since I haven't seen any use of artifact resolution in SAML 2, just want to confirm.

In the UK federation, we've had a number of problems with the use of the same port for both browser-facing operations (authentication) and SOAP operations (artifact resolution and attribute query), due to the current vagaries in SSL renegotiation.

Obviously there are combinations in which it works just fine, but an OS update or something like that at either end can suddenly break things.  If your partner hasn't come across this problem yet, they have been lucky.  In the UK, we therefore recommend that people not use the same port for everything.  Some old IdPs still do, but we now enforce separation for new registrations.

	-- Ian
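The port-separation advice above can be turned into a check against an IdP's published metadata. The script below is an added example, not part of Ian's reply and not Shibboleth project code: it parses a SAML 2.0 metadata document and reports any host:port that serves both SOAP back-channel endpoints (artifact resolution, attribute query) and browser-facing endpoints (SSO, SLO over Redirect/POST/Artifact bindings). The metadata, the entity ID and the hostnames are constructed for the example; the paths follow the Shibboleth IdP 2.x layout, and the choice of 8443 as the separate SOAP port is an assumption, not something the message specifies.

```python
"""Flag SAML 2.0 IdP metadata where SOAP (back-channel) endpoints share a
host:port with browser-facing (front-channel) endpoints.

Added example; the metadata below is constructed, not from a real IdP."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
BROWSER_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
}
# Endpoint elements that can carry either kind of binding in IdP metadata.
ENDPOINT_TAGS = (
    "SingleSignOnService",
    "SingleLogoutService",
    "ArtifactResolutionService",
    "AttributeService",
)

# Constructed sample: everything on port 443, the situation the thread warns about.
SAME_PORT_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
  </md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
"""

# Same IdP with the SOAP endpoints moved to a separate port (8443 is an assumption).
SPLIT_PORT_METADATA = SAME_PORT_METADATA.replace(
    "https://idp.example.org/idp/profile/SAML2/SOAP/",
    "https://idp.example.org:8443/idp/profile/SAML2/SOAP/",
)


def _origin(location):
    """Reduce an endpoint URL to (hostname, port), applying the scheme default."""
    u = urlsplit(location)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.hostname, port)


def endpoint_origins(metadata_xml):
    """Return (front_channel_origins, back_channel_origins) as sets of (host, port)."""
    root = ET.fromstring(metadata_xml)
    front, back = set(), set()
    for tag in ENDPOINT_TAGS:
        for ep in root.iter("{%s}%s" % (MD, tag)):
            binding, location = ep.get("Binding"), ep.get("Location")
            if not location:
                continue
            if binding == SOAP:
                back.add(_origin(location))
            elif binding in BROWSER_BINDINGS:
                front.add(_origin(location))
    return front, back


def shared_origins(metadata_xml):
    """List every (host, port) used by both SOAP and browser-facing endpoints."""
    front, back = endpoint_origins(metadata_xml)
    return sorted(front & back)


if __name__ == "__main__":
    for label, doc in (("same port", SAME_PORT_METADATA), ("split port", SPLIT_PORT_METADATA)):
        clash = shared_origins(doc)
        verdict = "SOAP shares %s with browser endpoints" % clash if clash else "separated"
        print("%s: %s" % (label, verdict))
```

Run against an IdP's real metadata file instead of the constructed strings by passing the file contents to shared_origins(); a non-empty result means the SOAP and browser-facing traffic terminate on the same listener, which is the configuration the UK federation recommends against.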
