The metadata generated by Keystone IdP includes a binding of type URI. From https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L490:
def single_sign_on_service():
idp_sso_endpoint = CONF.saml.idp_sso_endpoint
return md.SingleSignOnService(
binding=saml2.BINDING_URI,
location=idp_sso_endpoint)
Looking at the Shibboleth SessionInitiator code, this is not a valid binding for a default websso configuration. The accepted bindings are defined at https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L165:
// No override, so we'll install a default binding precedence.
string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;
Since we don't suppor K2K with websso workflow it's not a bug, but definitely worth having it here so we can track this.