IdP metadata with no SingleSignOnService

Peter Schober peter.schober at
Tue Feb 27 12:15:34 EST 2018

* Robert Lowe <robertmlowe at> [2018-02-27 17:25]:
> Using Shibboleth SP and working with an IdP that wants to use
> IdP-initiated SSO. They provided us with metadata but it contains no
> SingleSignOnService elements.

In a way that's only consequent (when they don't support recieving
authentication requests), though it's not schema-valid.

> Is this valid metadata?

No. An IDPSSODescriptor requires at least one SingleSignOnService element.

> We're seeing a “Unable to locate metadata for identity provider”
> when trying to sign in. It looks to me like the SP is ignoring the
> metadata. Is it necessary to add a “dummy” SingleSignOnService to
> make IdP-initiated SSO work?

Likely. But not to make "IdP-initiated SSO work" (the SP suppoprts
that ouf of the box without any extra set up), only to work around the
invalid metadata provided by this IDP.


More information about the users mailing list