IdP metadata with no SingleSignOnService
Peter Schober
peter.schober at univie.ac.at
Tue Feb 27 12:15:34 EST 2018
* Robert Lowe <robertmlowe at rmlowe.com> [2018-02-27 17:25]:
> Using Shibboleth SP and working with an IdP that wants to use
> IdP-initiated SSO. They provided us with metadata but it contains no
> SingleSignOnService elements.
In a way that's only consequent (when they don't support receiving
authentication requests), though it's not schema-valid.
> Is this valid metadata?
No. An IDPSSODescriptor requires at least one SingleSignOnService element.
> We're seeing an “Unable to locate metadata for identity provider”
> when trying to sign in. It looks to me like the SP is ignoring the
> metadata. Is it necessary to add a “dummy” SingleSignOnService to
> make IdP-initiated SSO work?
Likely. But not to make "IdP-initiated SSO work" (the SP supports
that out of the box without any extra setup), only to work around the
invalid metadata provided by this IDP.
-peter
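
Added example, not part of the original post and not Shibboleth project code: a Python check that flags the condition discussed in this thread, an IDPSSODescriptor with no SingleSignOnService, before the metadata is handed to an SP. The sample metadata, its entityIDs and URLs, and the function name idps_missing_sso are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample metadata (entityIDs and URLs are placeholders).
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-no-sso.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-ok.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-ok.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idps_missing_sso(metadata_xml):
    """Return entityIDs whose IDPSSODescriptor has no SingleSignOnService.

    Structural check only: it does not verify a metadata signature and
    assumes the document was obtained over a trusted channel.
    """
    root = ET.fromstring(metadata_xml)
    # The root is either one EntityDescriptor or an EntitiesDescriptor aggregate.
    entities = [root] if root.tag == f"{{{MD_NS}}}EntityDescriptor" else []
    entities += root.findall(".//md:EntityDescriptor", NS)
    missing = []
    for entity in entities:
        for idp in entity.findall("md:IDPSSODescriptor", NS):
            if not idp.findall("md:SingleSignOnService", NS):
                missing.append(entity.get("entityID"))
                break  # report each entity once
    return missing


if __name__ == "__main__":
    for entity_id in idps_missing_sso(SAMPLE_METADATA):
        print(f"IDPSSODescriptor without SingleSignOnService: {entity_id}")
```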