Ordering of ACS endpoints

Alex Stuart alex.stuart at ed.ac.uk
Wed Dec 9 03:48:11 EST 2015

Your SP is configured to use SAML2 or SAML1 or both depending on the
settings in your shibboleth2.xml file, usually in the SSO element [1].
The order of the SAML2 and SAML1 tokens determines the preference of
which protocol to use.

The order of the AssertionConsumerService endpoints used in those
protocols is determined by the ordering of the Binding elements in

I suspect that these files have been edited in your system, as I think
that the default settings are SAML2 > SAML1 and POST > Artifact.

You may also find that your config files use SessionInitiators [2]
instead of the SSO element shorthand. In which case, the order of the
md:AssertionConsumerService endpoints in shibboleth2.xml explicitly
determines the ordering.


[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO


On 09/12/2015 07:07, Robert Lowe wrote:
> In the generated metadata I see the ACS endpoints listed in the
> following order.
>   * urn:oasis:names:tc:SAML:1.0:profiles:artifact-01
>   * urn:oasis:names:tc:SAML:1.0:profiles:browser-post
>   * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact
>   * urn:oasis:names:tc:SAML:2.0:bindings:PAOS
>   * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
>   * urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign
> As I understand it this implies that the SAML 2 artifact binding is
> preferred to SAML 2 POST. Is that normal or have I done something in my
> configuration to cause that?
> I don't see anything unusual in the configuration, but I would not have
> expected artifact to be preferred to POST.
> -- 
> Best regards,
> Robert Lowe
> http://crepuscular.rmlowe.com/

Alex Stuart
Team Leader - Federated Access Management
EDINA, University of Edinburgh

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the users mailing list