Addition of SAML2 support for SP

Jayashree Ravi jravi123 at hotmail.com
Thu Nov 8 11:50:11 EST 2012 

We are an SP and  we are trying to add SAML2 support as one of the federations we are joining does not support SAML1.1 at all.  So we added the following SessionInitiators in our shibboleth2.xml file
<SessionInitiator type="Chaining"
Location="/Login"

                        id="Login"
relayState="cookie">

           
<SessionInitiator type="Shib1"
defaultACSIndex="1" />   

           
<SessionInitiator type="SAML2"
template="bindingTemplate.html"
outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST 

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  />

                  </SessionInitiator>

 

                  <md:AssertionConsumerService
Location="/SAML/POST"

                        index="3"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" />

 

           
<md:AssertionConsumerService Location="/SAML2/POST"
index="1"

               
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>

Now the question: As per the wiki documentation at https://spaces.internet2.edu/display/InCCollaborate/SP+Support+for+SAML2 we are supposed to add SAML2 ACS points in the federation metadata first and then change the software with the above configuration. However since our current concern is to only support  the new federation, we did not add SAML2 ACS point in all the other existing federations but we exposed this as the only ACS point in the new federation metadata.  With test accounts that we have used so far across both existing and new federation, all of them are passing. So we are guessing that based on session initiator configuration, it first tries SAML1.1 and if that fails with the IDP it switches to SAML2.  If an IDP supports both 1 and 2 then it switches to 1 still otherwise it switches to 2 which is only happening with the new federations as all the IDP's in the existing federations support both. 
Since we could not get the answer for this behavior from the documentation we need help in understanding this.
So want to confirm that none of our existing IDP's will fail because of us not registering our SAML2 endpoints with all the existing federations as yet.
Any inputs would be appreciated.
ThanksJayashree

 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20121108/30d4b196/attachment.html

More information about the users mailing list