Ordering of ACS endpoints

Robert Lowe robertmlowe at rmlowe.com
Wed Dec 9 07:50:38 EST 2015

> Your SP is configured to use SAML2 or SAML1 or both depending on the
> settings in your shibboleth2.xml file, usually in the SSO element [1].
> The order of the SAML2 and SAML1 tokens determines the preference of
> which protocol to use.

Thanks Alex. I'm not seeing an issue with protocols, the SP is initiating
SAML2 as expected.

> The order of the AssertionConsumerService endpoints used in those
> protocols is determined by the ordering of the Binding elements in
> protocols.xml.
> I suspect that these files have been edited in your system, as I think
> that the default settings are SAML2 > SAML1 and POST > Artifact.

OK, I wasn't previously aware of this file, although I see now that it's
documented here

However what you're describing doesn't seem to be the case, the relevant
section of that file looks like this:

    <Service id="SSO">
      <Initiator id="SAML2" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        path="/SAML2/POST" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        path="/SAML2/POST-SimpleSign" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        path="/SAML2/Artifact" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        path="/SAML2/ECP" />
    </Service>

That's not the ordering I'm seeing in the generated metadata.

> You may also find that your config files use SessionInitiators [2]
> instead of the SSO element shorthand. In which case, the order of the
> md:AssertionConsumerService endpoints in shibboleth2.xml explicitly
> determines the ordering.

It uses SessionInitiators, but it doesn't include explicit
md:AssertionConsumerService elements.

Best regards,

Robert Lowe
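The question in this thread is whether the AssertionConsumerService order the SP actually advertises matches the Binding order in protocols.xml. Below is an added example (not code from this thread or from the Shibboleth project) of a small script that reads the Binding order for the SAML2 SSO service out of a protocols.xml and compares it with the index order of the md:AssertionConsumerService elements in SP metadata. The protocols.xml fragment is constructed here with the default order; the metadata is constructed by a helper so the script runs offline. On a real system you would instead feed it the deployment's protocols.xml and the output of the SP's Metadata handler. The namespace handling is an assumption: the helper strips namespaces so it works whether or not the protocols.xml declares one.

```python
import xml.etree.ElementTree as ET

SAML2_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed protocols.xml fragment (not copied from any deployment): the SAML2 SSO
# service with the default Shibboleth SP binding order.
PROTOCOLS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Protocols>
  <Protocol id="SAML2">
    <Service id="SSO">
      <Initiator id="SAML2" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" path="/SAML2/ECP" />
    </Service>
  </Protocol>
</Protocols>
"""


def _local(tag):
    """Strip any XML namespace so lookups work whether or not protocols.xml declares one (assumption)."""
    return tag.rsplit("}", 1)[-1]


def service_bindings(protocols_xml, protocol="SAML2", service="SSO"):
    """Return [(binding URI, path), ...] in document order for one <Service> of one <Protocol>."""
    root = ET.fromstring(protocols_xml)
    for proto in root.iter():
        if _local(proto.tag) != "Protocol" or proto.get("id") != protocol:
            continue
        for svc in proto:
            if _local(svc.tag) == "Service" and svc.get("id") == service:
                return [(b.get("id"), b.get("path")) for b in svc if _local(b.tag) == "Binding"]
    return []


def make_sp_metadata(ordered_bindings, base="https://sp.example.org/Shibboleth.sso"):
    """Constructed SP metadata fragment: ACS endpoints indexed 1..n in the order given (hypothetical entityID)."""
    lines = [
        '<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/shibboleth">' % SAML2_MD_NS,
        '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">',
    ]
    for index, (binding, path) in enumerate(ordered_bindings, start=1):
        default = ' isDefault="true"' if index == 1 else ""
        lines.append('    <md:AssertionConsumerService Binding="%s" Location="%s%s" index="%d"%s/>'
                     % (binding, base, path, index, default))
    lines += ["  </md:SPSSODescriptor>", "</md:EntityDescriptor>"]
    return "\n".join(lines)


def advertised_acs(metadata_xml):
    """Return [(index, binding URI, location), ...] sorted by index, i.e. as an IdP would rank them."""
    root = ET.fromstring(metadata_xml)
    acs = root.iter("{%s}AssertionConsumerService" % SAML2_MD_NS)
    return sorted((int(e.get("index")), e.get("Binding"), e.get("Location")) for e in acs)


def order_matches(protocols_xml, metadata_xml, protocol="SAML2"):
    """True if the ACS index order in the metadata matches the Binding order in protocols.xml."""
    expected = [b for b, _ in service_bindings(protocols_xml, protocol)]
    advertised = [b for _, b, _ in advertised_acs(metadata_xml)]
    # Compare only bindings present on both sides, so an extra or disabled
    # binding does not hide a genuine reordering of the shared ones.
    common_expected = [b for b in expected if b in advertised]
    common_advertised = [b for b in advertised if b in expected]
    return common_expected == common_advertised


if __name__ == "__main__":
    bindings = service_bindings(PROTOCOLS_XML)
    in_order = make_sp_metadata(bindings)
    # Constructed "surprising" case: Artifact has been promoted to index 1.
    artifact_first = make_sp_metadata([bindings[2]] + bindings[:2] + bindings[3:])
    for label, md in (("default order", in_order), ("artifact first", artifact_first)):
        print(label, "matches protocols.xml:", order_matches(PROTOCOLS_XML, md))
        for index, binding, location in advertised_acs(md):
            print("  %d %-16s %s" % (index, binding.rsplit(":", 1)[-1], location))
```

If the deployment uses SessionInitiators with explicit md:AssertionConsumerService children, the quoted advice says that order wins instead; advertised_acs still reads whatever the SP generated, so the same comparison can be run against that list.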