Ordering of ACS endpoints
alex.stuart at ed.ac.uk
Wed Dec 9 03:48:11 EST 2015
Your SP is configured to use SAML2 or SAML1 or both depending on the
settings in your shibboleth2.xml file, usually in the SSO element.
The order of the SAML2 and SAML1 tokens determines the preference of
which protocol to use.
The order of the AssertionConsumerService endpoints used in those
protocols is determined by the ordering of the Binding elements in
I suspect that these files have been edited in your system, as I think
that the default settings are SAML2 > SAML1 and POST > Artifact.
You may also find that your config files use SessionInitiators 
instead of the SSO element shorthand. In which case, the order of the
md:AssertionConsumerService endpoints in shibboleth2.xml explicitly
determines the ordering.
On 09/12/2015 07:07, Robert Lowe wrote:
> In the generated metadata I see the ACS endpoints listed in the
> following order.
> * urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
> * urn:oasis:names:tc:SAML:1.0:profiles:browser-post
> * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
> * urn:oasis:names:tc:SAML:2.0:bindings:PAOS
> * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
> * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
> As I understand it this implies that the SAML 2 artifact binding is
> preferred to SAML 2 POST. Is that normal or have I done something in my
> configuration to cause that?
> I don't see anything unusual in the configuration, but I would not have
> expected artifact to be preferred to POST.
> Best regards,
> Robert Lowe
Team Leader - Federated Access Management
EDINA, University of Edinburgh
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
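Added example, not part of the original messages and not Shibboleth code: a Python check that reads an SP's generated metadata, lists the AssertionConsumerService endpoints in document order, and reports which one the SAML metadata default rule selects for each protocol. The entityID, Location and index values are constructed, and grouping endpoints by the SAML 1.0/2.0 prefix of the binding URI is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Bindings in the order quoted in the thread.
BINDINGS = [
    "urn:oasis:names:tc:SAML:1.0:profiles:artifact-01",
    "urn:oasis:names:tc:SAML:1.0:profiles:browser-post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
    "urn:oasis:names:tc:SAML:2.0:bindings:PAOS",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
]
# Constructed metadata: entityID, Location and index values are made up.
SAMPLE = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol '
    'urn:oasis:names:tc:SAML:1.1:protocol">'
    + "".join(f'<md:AssertionConsumerService Binding="{b}" '
              f'Location="https://sp.example.org/acs/{i}" index="{i}"/>'
              for i, b in enumerate(BINDINGS, 1))
    + "</md:SPSSODescriptor></md:EntityDescriptor>")

def acs_endpoints(xml_text):
    """ACS endpoints in document order (run on your own SP's metadata only)."""
    root = ET.fromstring(xml_text)
    return [{"binding": el.get("Binding"), "index": int(el.get("index")),
             "is_default": el.get("isDefault")}
            for el in root.iter(MD + "AssertionConsumerService")]

def default_endpoint(endpoints):
    """First isDefault=true; else first with isDefault absent; else first."""
    for ep in endpoints:
        if ep["is_default"] in ("true", "1"):
            return ep
    for ep in endpoints:
        if ep["is_default"] is None:
            return ep
    return endpoints[0] if endpoints else None

def by_protocol(endpoints):
    """Split endpoints into SAML1/SAML2 groups, keeping document order."""
    groups = {"SAML1": [], "SAML2": []}
    for ep in endpoints:
        saml2 = ep["binding"].startswith("urn:oasis:names:tc:SAML:2.0:")
        groups["SAML2" if saml2 else "SAML1"].append(ep)
    return groups

if __name__ == "__main__":
    for proto, eps in by_protocol(acs_endpoints(SAMPLE)).items():
        print(proto, "default:", default_endpoint(eps)["binding"])
        for ep in eps:
            print("   index", ep["index"], ep["binding"])
```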