With the following <Sessions> element configured inside <ApplicationDefaults>:
<Sessions lifetime="600" timeout="600" checkAddress="false"
          handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/; secure"
          idpHistory="true">
    <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet"
                      relayState="cookie" entityID="https://my.idp.server/idp/shibboleth">
        <SessionInitiator type="Cookie" followMultiple="true"/>
        <SessionInitiator type="SAML2" acsIndex="3" acsByIndex="false" template="bindingTemplate.html" ECP="true"/>
    </SessionInitiator>
    <LogoutInitiator type="Chaining" Location="/Logout" relayState="cookie">
        <LogoutInitiator type="Local">
        </LogoutInitiator>
    </LogoutInitiator>
    <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService Location="/SAML2/POST-SimpleSign" index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"/>
    <md:AssertionConsumerService Location="/SAML2/Artifact" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    <md:ArtifactResolutionService Location="/Artifact/SOAP" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
    <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
    <!-- Status reporting service. -->
    <Handler type="Status" Location="/Status" acl="127.0.0.1"/>
    <!-- Session diagnostic service. -->
    <Handler type="Session" Location="/Session" showAttributeValues="false"/>
</Sessions>
and the following <ApplicationOverride> defined:
<ApplicationOverride id="wiki">
    <Sessions lifetime="86400" timeout="86400" checkAddress="false"
              handlerURL="/WIKI_PATH/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/; secure"
              idpHistory="true" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html">
    </Sessions>
</ApplicationOverride>
session initiation using a web browser and the 'wiki' application (the override) works, but an ECP client cannot initiate a session: instead of the SOAP packet, a 302 redirect (the standard browser flow) is returned.
Changing the <ApplicationOverride> to instead be:
<ApplicationOverride id="wiki">
    <Sessions lifetime="86400" timeout="86400" checkAddress="false"
              handlerURL="/WIKI_PATH/Shibboleth.sso" handlerSSL="true" cookieProps="; path=/; secure"
              idpHistory="true" postData="ss:mem" postTemplate="/etc/shibboleth/wikiPost.html">
        <md:AssertionConsumerService Location="/SAML2/ECP" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    </Sessions>
</ApplicationOverride>
works around the problem and enables the ECP flow to work.
It should not be necessary to repeat any of the endpoint information in
an override.
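Until the SP no longer requires the endpoint to be repeated, an operator can at least detect overrides that will lose ECP. The following configuration check is an added example written for this report; it is not part of the Shibboleth SP code base. It parses a shibboleth2.xml-style document, and for every <ApplicationOverride> that carries its own <Sessions> element it reports the override id if ECP is enabled (in the defaults or in the override's own initiators) but no AssertionConsumerService with the PAOS binding is listed in that <Sessions>. The embedded sample configuration is constructed for the example: the "wiki" override mirrors the broken configuration above, "docs" applies the workaround, and "blog" has no <Sessions> of its own, so it inherits everything and is not flagged. Element names are matched by local name, so the check does not depend on the exact config namespace version.

```python
"""Added check, not part of the bug report or of the Shibboleth SP: find
<ApplicationOverride> elements that redefine <Sessions> without repeating the
PAOS (ECP) AssertionConsumerService, the situation the report says breaks ECP."""
import xml.etree.ElementTree as ET

PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample modelled on the report (hypothetical entityID and paths).
SAMPLE_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="600" timeout="600" handlerURL="/Shibboleth.sso" handlerSSL="true">
      <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Intranet">
        <SessionInitiator type="Cookie" followMultiple="true"/>
        <SessionInitiator type="SAML2" acsIndex="3" ECP="true"/>
      </SessionInitiator>
      <md:AssertionConsumerService Location="/SAML2/POST" index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
      <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
    </Sessions>
    <ApplicationOverride id="wiki">
      <Sessions lifetime="86400" timeout="86400" handlerURL="/wiki/Shibboleth.sso" handlerSSL="true"/>
    </ApplicationOverride>
    <ApplicationOverride id="docs">
      <Sessions handlerURL="/docs/Shibboleth.sso" handlerSSL="true">
        <md:AssertionConsumerService Location="/SAML2/ECP" index="4"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
      </Sessions>
    </ApplicationOverride>
    <ApplicationOverride id="blog"/>
  </ApplicationDefaults>
</SPConfig>"""


def local(tag):
    """Strip the namespace prefix ElementTree puts on tag names ({ns}Name -> Name)."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if local(c.tag) == name]


def has_paos_acs(sessions):
    """True if this <Sessions> lists an AssertionConsumerService bound to PAOS."""
    return any(acs.get("Binding") == PAOS_BINDING
               for acs in children(sessions, "AssertionConsumerService"))


def ecp_enabled(sessions):
    """True if any SessionInitiator under this <Sessions> (including ones nested
    inside a Chaining initiator) has ECP="true"."""
    return any(local(e.tag) == "SessionInitiator" and e.get("ECP", "false").lower() == "true"
               for e in sessions.iter())


def find_ecp_gaps(config_xml):
    """Return the ids of overrides whose own <Sessions> will not serve ECP."""
    root = ET.fromstring(config_xml)
    defaults = next(e for e in root.iter() if local(e.tag) == "ApplicationDefaults")
    ecp_default = any(ecp_enabled(s) for s in children(defaults, "Sessions"))
    gaps = []
    for override in children(defaults, "ApplicationOverride"):
        for sess in children(override, "Sessions"):
            # An override that redefines <Sessions> must carry the PAOS
            # endpoint itself (the report's workaround) to keep ECP working.
            if (ecp_default or ecp_enabled(sess)) and not has_paos_acs(sess):
                gaps.append(override.get("id", "<no id>"))
    return sorted(gaps)


if __name__ == "__main__":
    # To check a live install, replace SAMPLE_CONFIG with the contents of
    # /etc/shibboleth/shibboleth2.xml (path assumed, adjust for your install).
    for app_id in find_ecp_gaps(SAMPLE_CONFIG):
        print(f"ApplicationOverride '{app_id}' redefines <Sessions> without a PAOS "
              f"AssertionConsumerService; ECP clients will get a 302 instead of SOAP")
```

Run against a real file by reading it into a string and passing it to find_ecp_gaps; an empty list means every override that redefines <Sessions> either repeats the PAOS endpoint or has ECP disabled.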