Addition of SAML2 support for SP

Jayashree Ravi jravi123 at
Thu Nov 8 14:56:29 EST 2012

Thanks Ian,  We started the process of updating our metadata in other federations as well to include the SAML2 endpoints just to be on the safer side.

Subject: Re: Addition of SAML2 support for SP
From: ian at
Date: Thu, 8 Nov 2012 17:02:54 +0000
To: users at

On 8 Nov 2012, at 16:50, Jayashree Ravi <jravi123 at> wrote:<SessionInitiator type="Chaining" Location="/Login"                        id="Login" relayState="cookie">            <SessionInitiator type="Shib1" defaultACSIndex="1" />              <SessionInitiator type="SAML2" template="bindingTemplate.html" outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POSTurn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  />                  </SessionInitiator>
So we are guessing that based on session initiator configuration, it first tries SAML1.1 and if that fails with the IDP it switches to SAML2. […]  Since we could not get the answer for this behavior from the documentation we need help in understanding this.
Some relevant documentation is here:
In particular:Chaining SessionInitiatorIdentified by type="Chaining", wraps a sequence of SessionInitiator handlers so that they run in series. The series ends when a handler indicates that a response to the browser was returned.
So, as you are running the SAML 1 protocol handler first, if it succeeds (if the IdP supports SAML 1 and the handler redirects your client to the IdP) then the SAML 2 protocol handler will not run (as you guessed).
So want to confirm that none of our existing IDP's will fail because of us not registering our SAML2 endpoints with all the existing federations as yet.
Probably correct.  It's hard to be definitive, though, and minimising the time during which your metadata is different in different places will certainly minimise the chance of problems.
	-- Ian

To unsubscribe from this list send an email to users-unsubscribe at 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list