entityID questions

Peter Schober peter.schober at univie.ac.at
Thu May 28 20:04:21 UTC 2020


* Lohr, Donald <lohrda at jmu.edu> [2020-05-28 21:46]:
> The vendor is asking why does our production Shibboleth IdP metadata have
> the following Binding:
> 
> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
> Location="https://itfederation.jmu.edu/shibboleth-idp/SSO"/>

Because you may have supported SAML 1 before.

> Putting that Location url in a browser goes to an error:

You probably never noticed that your SAML1 SSO URL was broken ever
since you updated the software, years ago?
The relative default URL should be /idp/profile/Shibboleth/SSO
so the Location should be
"https://itfederation.jmu.edu/idp/profile/Shibboleth/SSO".

> 3) When I originally configured this SP against our non-production
> Shibboleth IdP, its metadata does not have this url
> 
> <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
> Location=............
> 
> It only has the last three listed above.

I see no question there. The metadata for your non-prod IDP is
different by not including an endpoint with a SAML1 binding.

> 4) The vendor is also asking about the HTTP-POST and HTTP-Redirect binding,
> stating:
> 
> /For other IdPs we've worked with, those two bindings (HTTP-POST and
> HTTP-Redirect) are the same endpoint but you currently have different
> endpoints for different bindings. We would like to know which endpoint works
> on the current production IdP.//

Both. They should use the endpoint for the protocol binding they
intend to use.

-peter
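
The reply's two points (pick the endpoint published for the binding you intend to use, and a SAML1 entry may still carry an old path) shown as an added Python example that is not part of the original message. The metadata is constructed, idp.example.org is a placeholder host, and the function names are hypothetical.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
SHIB1 = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SHIB1_DEFAULT_PATH = "/idp/profile/Shibboleth/SSO"  # default path named in the reply

# Constructed sample metadata (placeholder host, not a real deployment).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.org/shibboleth-idp/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def sso_endpoints(metadata_xml):
    """Map each Binding URI to the SingleSignOnService Locations published for it."""
    found = {}
    for el in ET.fromstring(metadata_xml).iter(MD + "SingleSignOnService"):
        found.setdefault(el.get("Binding"), []).append(el.get("Location"))
    return found


def endpoint_for(metadata_xml, binding):
    """Return the Location for exactly the binding the SP intends to use."""
    locations = sso_endpoints(metadata_xml).get(binding)
    if not locations:
        raise LookupError(f"IdP publishes no SSO endpoint for {binding}")
    return locations[0]


def stale_saml1_endpoints(metadata_xml):
    """SAML1 endpoints whose path is not the default path from the reply."""
    return [loc for loc in sso_endpoints(metadata_xml).get(SHIB1, [])
            if urlsplit(loc).path != SHIB1_DEFAULT_PATH]


if __name__ == "__main__":
    print("POST     ->", endpoint_for(SAMPLE, POST))
    print("Redirect ->", endpoint_for(SAMPLE, REDIRECT))
    print("stale SAML1:", stale_saml1_endpoints(SAMPLE))
```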

