Ordering of ACS endpoints

Robert Lowe robertmlowe at rmlowe.com
Wed Dec 9 07:50:38 EST 2015


> Your SP is configured to use SAML2 or SAML1 or both depending on the
> settings in your shibboleth2.xml file, usually in the SSO element [1].
> The order of the SAML2 and SAML1 tokens determines the preference of
> which protocol to use.
>

Thanks Alex. I'm not seeing an issue with protocols; the SP is initiating
SAML2 as expected.


>
> The order of the AssertionConsumerService endpoints used in those
> protocols is determined by the ordering of the Binding elements in
> protocols.xml.
>
> I suspect that these files have been edited in your system, as I think
> that the default settings are SAML2 > SAML1 and POST > Artifact.
>

OK, I wasn't previously aware of this file, although I see now that it's
documented here
<https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfigurationChanges#NativeSPConfigurationChanges-%3CSessions%3EHandlerContentRadicallySimplified>.

However, what you're describing doesn't seem to be the case; the relevant
section of that file looks like this:

    <Service id="SSO">
      <Initiator id="SAML2" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" path="/SAML2/POST" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" path="/SAML2/Artifact" />
      <Binding id="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" path="/SAML2/ECP" />
    </Service>

That's not the ordering I'm seeing in the generated metadata.


>
> You may also find that your config files use SessionInitiators [2]
> instead of the SSO element shorthand. In which case, the order of the
> md:AssertionConsumerService endpoints in shibboleth2.xml explicitly
> determines the ordering.
>

It uses SessionInitiators, but it doesn't include explicit
md:AssertionConsumerService elements.

-- 
Best regards,

Robert Lowe
http://crepuscular.rmlowe.com/
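
Added example, not part of the original message and not Shibboleth's own code: a small check that compares the Binding order in the protocols.xml fragment quoted in the message with the index order of the AssertionConsumerService elements in generated SP metadata. The metadata sample, its host name `sp.example.org` and its ordering are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from itertools import zip_longest

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
B = "urn:oasis:names:tc:SAML:2.0:bindings:"

# The <Service id="SSO"> fragment of protocols.xml as quoted in the message.
PROTOCOLS_XML = f"""<Service id="SSO">
  <Initiator id="SAML2" />
  <Binding id="{B}HTTP-POST" path="/SAML2/POST" />
  <Binding id="{B}HTTP-POST-SimpleSign" path="/SAML2/POST-SimpleSign" />
  <Binding id="{B}HTTP-Artifact" path="/SAML2/Artifact" />
  <Binding id="{B}PAOS" path="/SAML2/ECP" />
</Service>"""

# Constructed sample of generated metadata (assumption: host and ordering are made up).
BASE = "https://sp.example.org/Shibboleth.sso"
METADATA_XML = f"""<md:SPSSODescriptor xmlns:md="{MD_NS}"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="2" Binding="{B}HTTP-POST" Location="{BASE}/SAML2/POST"/>
  <md:AssertionConsumerService index="1" Binding="{B}HTTP-Artifact" Location="{BASE}/SAML2/Artifact"/>
  <md:AssertionConsumerService index="3" Binding="{B}HTTP-POST-SimpleSign" Location="{BASE}/SAML2/POST-SimpleSign"/>
  <md:AssertionConsumerService index="4" Binding="{B}PAOS" Location="{BASE}/SAML2/ECP"/>
</md:SPSSODescriptor>"""


def configured_bindings(protocols_xml):
    """Binding ids in document order, with or without an XML namespace."""
    root = ET.fromstring(protocols_xml)
    return [e.get("id") for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Binding"]


def metadata_bindings(metadata_xml):
    """ACS Binding URIs ordered by the index attribute, not by document position."""
    root = ET.fromstring(metadata_xml)
    acs = root.iter(f"{{{MD_NS}}}AssertionConsumerService")
    return [e.get("Binding") for e in sorted(acs, key=lambda e: int(e.get("index")))]


def first_mismatch(expected, actual):
    """Return (position, expected, actual) at the first difference, else None."""
    for pos, (exp, act) in enumerate(zip_longest(expected, actual)):
        if exp != act:
            return pos, exp, act
    return None


if __name__ == "__main__":
    print(first_mismatch(configured_bindings(PROTOCOLS_XML), metadata_bindings(METADATA_XML)))
```
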