Reputation: 385
I am implementing a SAML 2.0 Service Provider which uses Okta as the Identity Provider. I would like to configure the Assertion Consumer Service (ACS) URL so that the SAML 2.0 from my Service Provider app is reflected back in the assertion.
However, I am noticing that the Okta Identity Provider instead sends the SSO Endpoint configured in the Okta configuration and ignores the ACS that was actually sent. Also, I get an error, perhaps because the ACS from the SP doesn't match the metadata there.
If the ACS URL is not the right way to send a short ID to the IdP for it to reflect back in the assertion, what other mechanism can be used for this purpose?
Example:
The SAML 2.0 SAMLRequest sent by the SP app is:
assertion_consumer_service_url: https://host.com:port/saml/consume?entityId=N&myName=username
The configuration on Identity Provider has the meta-data:
Single Sign-on URL: https://host.com:port/saml/consume?entityId=N
Note that myName changes from one request to the next, as it is our way of verifying that the response has a name_id which matches the original username being sent.
Also, if there is a way for the Service Provider to let the Identity Provider assert an SP-managed name (such as the username), that would be fine for our needs. How does one specify this?
Thanks
Upvotes: 22
Views: 99410
Reputation: 198
As Anders Abel pointed out, the ACS is assumed to be static. However, in a development environment, a more dynamic response to different test systems may be necessary.
This is my saml20-sp-remote.php, which I use to respond to every SP that asks for an SSO authentication, using the AssertionConsumerService attribute of its request.
I guess this is not safe for production.
simplesamlphp/metadata/saml20-sp-remote.php:
<?php
/**
 * SAML 2.0 remote SP metadata for SimpleSAMLphp.
 *
 * See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
 */
$acs = null;
try {
    // Only an AuthnRequest carries an ACS URL, and this file is also loaded
    // when no SAML message is being received (getCurrentBinding() then throws).
    $message = \SAML2\Binding::getCurrentBinding()->receive();
    if ($message instanceof \SAML2\AuthnRequest) {
        $acs = $message->getAssertionConsumerServiceURL();
    }
} catch (\Exception $e) {
    // no current SAML message: use the fallback below
}
if (!$acs) {
    $acs = 'some_fallback_url';
}
$metadata['idp_identifier'] = array( // array key is the SP's entityID
    'AssertionConsumerService' => $acs,
    'simplesaml.nameidattribute' => 'uid',
);
Upvotes: 2
Reputation: 69250
In SAML, the ACS is assumed to be static for an SP. To correlate the Response with the originating AuthnRequest, you should save the ID of the outgoing AuthnRequest and then use the InResponseTo of the received Response.
The SP can add a Subject to the AuthnRequest, telling the IdP which username you want to have authenticated. It's defined in section 3.4.1 of the SAML2 Core spec.
Upvotes: 14
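As an added illustration of the two answers above (this is example code written for this page, not code from the question, from either answer, or from SimpleSAMLphp/Okta), here is the SP side of the accepted answer in Python: the AuthnRequest gets an unpredictable ID and a <Subject> naming the username the SP wants authenticated, the ID is stored server-side, and the Response is accepted only if its InResponseTo points at a stored request, its Destination and SubjectConfirmationData/Recipient equal the one static ACS, and the asserted NameID is the name that was requested. That replaces both the per-request myName query parameter from the question and the per-request ACS from the second answer. The entity ID, ACS and SSO URLs are assumptions; the IdP response is constructed and unsigned, and XML signature verification against the IdP's metadata is assumed to happen before validate_response() is called.

```python
"""Correlate a SAML Response with its AuthnRequest via InResponseTo and carry
the SP-chosen username in the AuthnRequest <Subject>, instead of encoding
either one in the ACS URL.  Hypothetical SP code; URLs are assumptions and
the IdP response below is constructed for the demo."""
import datetime as dt
import secrets
import xml.etree.ElementTree as ET  # production: use defusedxml to block XXE

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://host.com/saml/metadata"              # assumed
SP_ACS_URL = "https://host.com:8443/saml/consume?entityId=N"  # static, as registered at the IdP (port assumed)
IDP_SSO_URL = "https://idp.example.com/sso/saml"              # assumed

# Server-side per-request state, keyed by AuthnRequest ID (replaces myName in the ACS URL).
pending_requests = {}


def build_authn_request(username):
    """Return (request_id, xml) and remember which username this request is for."""
    request_id = "_" + secrets.token_hex(16)  # unguessable; xsd:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": SP_ACS_URL,  # the one static ACS, nothing per-user
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    # SAML2 Core 3.4.1: an optional <Subject> names the principal the SP wants authenticated.
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = username
    pending_requests[request_id] = username
    return request_id, ET.tostring(root, encoding="unicode")


def validate_response(xml_text):
    """Return the asserted username or raise ValueError.

    Assumes the XML signature on the Response/Assertion was already verified;
    none of the checks below mean anything on an unsigned message."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # Correlation: InResponseTo must name a request we issued. pop() makes the
    # state one-shot, so replaying the same Response fails.
    expected_user = pending_requests.pop(root.get("InResponseTo"), None)
    if expected_user is None:
        raise ValueError("unsolicited or replayed Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("Destination is not our ACS")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP reported failure")
    assertion = root.find("saml:Assertion", NS)
    name_id = None if assertion is None else assertion.find("saml:Subject/saml:NameID", NS)
    scd = None if assertion is None else assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if name_id is None or scd is None:
        raise ValueError("assertion lacks NameID or SubjectConfirmationData")
    # Bearer confirmation must also point back at this request and this ACS.
    if scd.get("InResponseTo") != root.get("InResponseTo") or scd.get("Recipient") != SP_ACS_URL:
        raise ValueError("SubjectConfirmationData does not match request/ACS")
    if name_id.text != expected_user:
        raise ValueError(f"IdP asserted {name_id.text!r}, we asked for {expected_user!r}")
    return name_id.text


def fake_idp_response(request_id, username, destination=SP_ACS_URL, status=SUCCESS):
    """Constructed, unsigned IdP Response used only to exercise validate_response()."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z",
        "InResponseTo": request_id, "Destination": destination,
    })
    ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", {"Value": status})
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + secrets.token_hex(16), "Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = username
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", {"InResponseTo": request_id, "Recipient": destination})
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    rid, request_xml = build_authn_request("alice")
    print(validate_response(fake_idp_response(rid, "alice")))
    try:
        validate_response(fake_idp_response(rid, "alice"))  # replay: state already consumed
    except ValueError as err:
        print("rejected:", err)
```

The dictionary stands in for whatever session or database store the SP already has; the point is that the only thing that travels to the IdP and back is the request ID, and that the ACS the IdP sends to is compared against a fixed value rather than trusted from the message.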