SAML2 Support Listed In Metadata

Paul Caskey pcaskey at
Thu May 19 16:06:52 EDT 2016

Hi Jeff-

In, the ldap URL can be a space-delimited list with multiple servers.

RE: Artifact, just don't include those endpoints in your metadata.

Hope that answers your questions...

-----Original Message-----
From: Reynolds, Jeffrey [JReynolds at]
Received: Thursday, 19 May 2016, 14:59
To: Shib Users [users at]
Subject: SAML2 Support Listed In Metadata

Hi everybody,

I've got two questions, one of which I probably already know the answer to (though having confirmation would be helpful).

Our institution is in the process of upgrading from IdP v2 to v3, and I had a question about configuring multiple LDAP data connectors.  I've seen that one difference between v2 and v3 is that there is an file which appears to expose more of the advanced LDAP options.  But this setup seems to only allow for a single LDAP data connector (note I'm trying to connect to two different directories, not multiple nodes of a single directory).  I'm assuming that I can define DataConnector elements in v3 like I could in v2 (ignoring the ldap.properties file if I specify those values directly in the attribute-resolver), but is this the intended way to do this, or is there another option to either define multiple servers in a single properties file, or have multiple files?

Second, and I think I know the answer to this but I have to ask, if we declare that we support "urn:oasis:names:tc:SAML:2.0:protocol" in our metadata file, does this mean we also have to support artifact resolution?  We currently don't have any service providers that utilize artifact resolution, and we would like to officially drop support of it, at least until we get a chance to put some more planning into our load balancing architecture.  Of course, one of the objectives of this upgrade is to clean up our deployment, so if it's a requirement we'll definitely work it in.

Thanks for any guidance on these issues.  Though I'm not as knowledgeable in Shibboleth and SAML as I'd like to be, I'm looking forward to this upgrade as an opportunity to become more compliant with the standards and have a better working setup.

Much obliged,

Jeff Reynolds
Senior Information Security Analyst
972-883-6828 | jreynolds at
Information Security Office
The University of Texas at Dallas
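
Following the reply's advice to leave the artifact endpoints out of the metadata, here is an added example (not part of the original thread, and not Shibboleth's own code) that checks an IdP metadata document for anything artifact-related still being advertised. The sample metadata, the idp.example.org host and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample input: idp.example.org is a placeholder host.
ARTIFACT_ENDPOINT = (
    '<ArtifactResolutionService index="1" '
    'Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" '
    'Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution"/>'
)
TEMPLATE = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="{SAML2_PROTOCOL}">
    %s
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_WITH_ARTIFACT = TEMPLATE % ARTIFACT_ENDPOINT
SAMPLE_WITHOUT_ARTIFACT = TEMPLATE % ""


def artifact_findings(metadata_xml):
    """Return (entityID, element, Location) for each artifact endpoint advertised
    by an IDPSSODescriptor that declares SAML 2.0 protocol support."""
    root = ET.fromstring(metadata_xml)
    findings = []
    # iter() includes the root, so a bare EntityDescriptor and an
    # EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID")
        for role in entity.iter(f"{{{MD}}}IDPSSODescriptor"):
            protocols = (role.get("protocolSupportEnumeration") or "").split()
            if SAML2_PROTOCOL not in protocols:
                continue
            for endpoint in role:
                tag = endpoint.tag.split("}")[-1]
                # Flag the resolution service itself, and any SSO/SLO
                # endpoint offered over the HTTP-Artifact binding.
                if (tag == "ArtifactResolutionService"
                        or endpoint.get("Binding") == ARTIFACT_BINDING):
                    findings.append((entity_id, tag, endpoint.get("Location")))
    return findings


if __name__ == "__main__":
    for name, doc in (("with", SAMPLE_WITH_ARTIFACT), ("without", SAMPLE_WITHOUT_ARTIFACT)):
        print(name, "artifact endpoint:", artifact_findings(doc) or "clean")
```

An empty result means the metadata declares SAML 2.0 support without advertising artifact resolution, which is the state the reply describes.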
