Options for the SP-side of the SAML authenticator in IdPv4?

Jeremy A Scott jeremy.scott at wisc.edu
Wed Aug 5 15:12:25 UTC 2020

Hello All!

We recently deployed a new version of our Proxy IdP that uses SAML as the authentication mechanism to Proxied IdPs within our organization.
This uses the native features of IdPv4 and is a much cleaner solution than our SP-infront-of-an-IdP and External Auth pattern that we had before.

One thing continues to be a mystery though, and that is how do we configure things that influence the SP side’s outbound AuthnRequest?
With the previous incarnation, we would just edit shibboleth2.xml in the SP side as we’re all experts on that.
However with this now being built into the IdP, such SP options and where to control them are not so obvious

So the genesis of this question is that one of our Proxied IdP partners noticed a change in the AuthnRequest from the new v4 Proxy IdP that unfortunately caused an outage for them.
The attribute ‘ProtocolBinding’ is missing, and apparently their IdP needs this to function in order to select the proper ACS endpoint. Even though the proper SAML assertion
Consumption endpoint is in the AuthnRequest, such was ignored by their IdP because the ProtocolBinding attribute wasn’t also there.

To be fair, their IdP is not Shibboleth, it’s something custom with endpoints that end in aspx, and it’s probably not quite right – ignoring things in the AuthnRequest, but there isn’t anything we can do about that.
We confirmed that this attribute was present in the previous incarnation, and now we have a request from that IdP operator to have it be sent with the new IdPv4 AuthnRequest.

Is there a way we can do this and make the new outbound AuthnRequest behave the same as it did before by including the ProtocolBinding attribute?
Or, is there some other solid argument we can make for not doing this and replying to that IdP operator that their software is not following the standard?


Jeremy Scott
Identity and Access Management
Application Integration Services
Division of Information Technology
University of Wisconsin-Madison
jeremy.scott at wisc.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200805/a76813ab/attachment.htm>

More information about the users mailing list