entityID questions

Peter Schober peter.schober at univie.ac.at
Thu May 28 20:04:21 UTC 2020

* Lohr, Donald <lohrda at jmu.edu> [2020-05-28 21:46]:
> The vendor is asking why does our production Shibboleth IdP metadata have
> the following Binding:
> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
> Location="https://itfederation.jmu.edu/shibboleth-idp/SSO"/>

Because you may have supported SAML 1 before.

> Putting that Location url in a browser goes to an error:

You probably never noticed that your SAML1 SSO URL was broken ever
since you updated the software, years ago?
The relative default URL should be /idp/profile/Shibboleth/SSO
so the Location should be

> 3) When I originally configured this SP against our non-production
> Shibboleth IdP, its metadata does not have this url
> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
> Location=............
> It only has the last three listed above.

I see no question there. The metadata for your non-prod IDP is
different by not including an endpoint with a SAML1 binding.

> 4) The vendor is also about the HTTP-POST and HTTP-Redirect binding,
> stating:
> /For other IdPs we've worked with, those two bindings (HTTP-POST and
> HTTP-Redirect) are the same endpoint but you currently have different
> endpoints for different bindings. We would like to know which endpoint works
> on the current production IdP.//

Both. They should use the endpoint for the protocol binding they
intend to use.


More information about the users mailing list