SAML 1.1 IdP connecting to Shibboleth SP

Cantor, Scott cantor.2 at
Wed Nov 26 18:06:43 EST 2014

On 11/26/14, 10:11 PM, "Matthew Vliet" <matt.vliet at> wrote:

>I'm currently trying to connect a SAML 1.1 based IdP (Jasig CAS) to our 
>existing Shibboleth 2.5 SP and having some issues with configuration on 
>the SP side.  Any help or pointers to the correct docs is greatly 

Your questions would be addressed in part by reading the SAML 1.1 
bindings/profiles material on artifact format to understand what goes into 
them and how they are meant to map to the issuer. Since you've actually 
done some legwork to see what's happening, I'm happy to answer here, but 
you should skim the artifact definitions if you need more details.

>tl;dr Is it possible to configure a Shibboleth SP to accept SAML 1.1 
>Artifact based logins where the Issuer is not the address of the IdP 


In SAML 1.1, a type 01 artifact contains a 20 byte SourceID that is 
supposed to map to the artifact lookup URL of an IdP in an unspecified 
way. A type 02 artifact contains the URL explicitly (and is therefore not 
fixed length).

When metadata is used, and the SAML 2.0 concept of an entityID and proper 
separation of names and locations is in play, the SourceID is by 
convention the SHA-1 hash of the entityID, which is mapped to the entityID 
and then to the metadata to identify the endpoint. If the SourceID is not 
the hash, then it can be specified in the IdP's metadata with a standard 
extension element. The SP maintains a mapping by checking for the 
extension, and otherwise hashing the entityID to track all the SourceIDs.

>I have written a metadata file for the SAML1.1 IdP as follows:

That's fine, but only if the SourceID in the artifact is the hash of that 

>If the entityID is of the form "https://localhost:8443", then It will 
>correctly match the metadata to the artifact and successfully complete 
>the SOAP artifact resolution and return a SAML assertion such as:

That, I guess, means that the CAS implementation is in fact using the hash 
of that value as the SourceID, but that's not the issuer value it's using. 
So you'd have to add a SourceID extension to the metadata.

>Is what I'm doing possible?  If so what is the correct way to specify the 
>metadata of the idp?

>Can you specify the entityID in the Artifact URL when sending the 


-- Scott

More information about the users mailing list