Shibboleth IdP 2.3.8 and SAML1 token

Cantor, Scott cantor.2 at
Wed Feb 13 19:42:26 EST 2013

On 2/13/13 4:59 PM, "Abba Yadav" <APY at> wrote:

>I am relatively new to Shibboleth and I have integrated an Shibboleth SP
>2.5.1 with a Shibboleth IdP 2.3.8 and SAML2 tokens are generated
>correctly. Now I have to integrate the Shibboleth IdP with a service
>provider that can only accept SAML1 tokens. Do I have to change anything
>in the Shibboleth IdP to generate SAML1 tokens or correct SAML1 tokens
>will be generated when the Service Provider makes SSO request.
There is no concept in SAML 1.1 of a request. The only request flow the
IdP understands for SAML 1.1 profile use is the Shibboleth request profile
that was created to get around that limitation. To get it to issue that
version of response, that's the kind of request you have to send to it.

No commercial SP will make such a request so you will have to trigger this
redirect to the IdP on its behalf.

> Currently I do not have access to a Service Provider that only accepts
>SAML1 tokens.

Yes, you do, Shibboleth. Just turn off SAML2 support in it in a fairly
obvious way, delete SAML2 from the protocol list in <SSO>.

-- Scott

More information about the users mailing list