entityID questions

Peter Schober peter.schober at univie.ac.at
Fri May 29 10:11:24 UTC 2020

* Lohr, Donald <lohrda at jmu.edu> [2020-05-28 23:46]:
> 1) Does a "IdP Initiated" approach or "SP Initiated" approach determine
> whether HTTP-POST or HTTP-Redirect is used by the Service Provider?

In the IDP-initiated case there is no SAML authn request from the SP,
so the question of what protocol binding the SP might use such a
request is moot.
Instead the SP will recieve an unsolicited response from the IDP.

> Or what guidance can I provide the vendor as to which they should
> use?

They should know what protocol binding they use/prefer for their own
outgoing authn requests.

If all else fails: Have them configure either one and see what happens
in your browser using the SAMLtracer extension.
(If the binding used does not match the IDP's SSO URL for that binding
the IDP will also tell you that in an error message in its process log.)

saml2int recommends to use HTTP-Redirect for authn requests (over
using HTTP-POST), IIRC, so maybe tell them to use your HTTP-Redirect
endpoint and if that fails (i.e., the IDP's logs or SAMLtracer showing
they used HTTP-POST with that URL) you tell them to use the other URL.

> 2) Is it worth fixing that SAM1 SSO url, if so how would I do that?

What purpose would it serve to keep publishing an endpoint that 404s
when accessed?

Personally I wouldn't consider ripping out SAML1 from my IDP
completely just because the SSO endpoint I have been publishing for
that is (and has been, for a long time, I'm guessing) wrong.
Fix the endpoint (I already gave you the correct URL) and move on.
Once you do decide to remove SAML1 support remove it completely,
i.e. not only any endpoints but also from the

How you go about changing your own metadata I can't tell you.
You'd fix it everywhere you'd published it: InCommon metadata plus all
bilateral arrangements. Though again I don't see widespread usage of
that metadata with SAML1 when the endpoint is wrong. (And by
definition those using SAML1 with your IDP but not relying on metadata
also won't care about fixed metadata.)


More information about the users mailing list