Configuring external AssertionConsumerService, and documentation for protocols.xml

Nate Klingenstein ndk at signet.id
Fri Aug 21 18:52:33 UTC 2020


Charles,

> What I'm trying to do is have an assertion consumer service that is implemented outside shibboleth. There's a reply URL configured in the Azure IdP that is not shibboleth's default.

Your metadata can say whatever it wants to say.  There's no requirement that Shibboleth be the software that handles every Response to a given entityID.  It's a SAML question, not a Shibboleth question.

That said, there would be security concerns if you shared the private key or enumerated multiple valid private keys for the same entity, so be thoughtful about that.

> Are you telling me what I want to do is impossible? That Shibboleth cannot advertise an ACS URL that it does not handle itself?

Shibboleth shouldn't be hosting production metadata or advertising the ACS URLs of other implementations regardless.  Sessions would have to be shared between the two implementations via some mechanism that's basically some clone of SAML or OAuth.

You just want to add the other ACS and, if you choose, keypair(s) to your metadata and host it somewhere permanent.  I like to use the entityID URI itself.

Take care,
Nate.
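As an added example (not part of the thread above, and not Shibboleth or Azure code): the metadata change Nate describes is just a second `AssertionConsumerService` element under the same entityID. The script below embeds a constructed SP metadata document with Shibboleth's conventional `/Shibboleth.sso/SAML2/POST` endpoint plus a second, externally implemented ACS, enumerates the advertised endpoints, and shows the check the external ACS must do on its own: confirm that the `Response`'s `Destination` and the bearer `SubjectConfirmationData/@Recipient` name the endpoint that actually received it, not merely some ACS of the entity. All URLs, the entityID and the sample Response are constructed for illustration.

```python
"""Enumerate the AssertionConsumerService endpoints advertised in SP metadata
and check that a SAML Response was addressed to the ACS that received it.

Added example; the metadata and Response below are constructed, not real.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed SP metadata (hypothetical entityID and hosts): the Shibboleth
# default POST endpoint plus an external ACS, both under one entityID.
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed Response as the IdP would post it to the external ACS.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2020-08-21T18:52:33Z"
    Destination="https://app.example.org/saml/acs">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-08-21T18:52:33Z">
    <saml:Subject>
      <saml:NameID>user@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://app.example.org/saml/acs"
            NotOnOrAfter="2020-08-21T19:00:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def advertised_acs(metadata_xml, binding=POST_BINDING):
    """Return the ACS Locations the SP metadata advertises for a binding."""
    root = ET.fromstring(metadata_xml)
    return [
        acs.get("Location")
        for acs in root.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
        if acs.get("Binding") == binding
    ]


def destination_is_advertised(metadata_xml, destination):
    """True if the URL is one of the ACS endpoints published for this entity."""
    return destination in set(advertised_acs(metadata_xml))


def response_addressed_to(response_xml, acs_url):
    """Check that a Response names this exact ACS in Destination and in every
    bearer SubjectConfirmationData/@Recipient (exact string comparison, as
    SAML Core requires). Signature and validity-window checks are separate."""
    root = ET.fromstring(response_xml)
    if root.get("Destination") != acs_url:
        return False
    path = ".//saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER
    recipients = [scd.get("Recipient") for scd in root.findall(path, NS)]
    return bool(recipients) and all(r == acs_url for r in recipients)


if __name__ == "__main__":
    for url in advertised_acs(SP_METADATA):
        print("advertised ACS:", url)
    print("response addressed to external ACS:",
          response_addressed_to(SAMPLE_RESPONSE, "https://app.example.org/saml/acs"))
```

The point of the second check is the one implicit in Nate's warning: once two implementations answer for one entityID, each endpoint must only accept Responses addressed to itself, and the externally implemented ACS still needs its own signature verification, replay cache and `NotOnOrAfter` handling, since none of Shibboleth's protection applies to it.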

