Sonal

Reputation: 11

Using PingFederate, SAMLResponse is not sent to ACS URL appearing in SAMLRequest (AuthnRequest)

I am using PingFederate for SSO. My application is acting as the SP and I am trying SP-initiated SSO. I am sending a SAMLRequest to PingFederate, which is signed. But it is not sending the SAMLResponse to the ACS URL mentioned in the SAMLRequest (AuthnRequest).

Can you help me with settings, so that the default assertion Consumer URL is not picked up but the one sent in SAMLRequest is used?

Upvotes: 1

Views: 3882

Answers (2)

Ian

Reputation: 4255

PingFederate will automatically maintain RelayState (as the IDP) and return it with the Assertion (per the Spec) if you are sending it correctly with the AuthnRequest. There is nothing you need to do within PF to make this happen.

I would ensure you are sending it correctly and that PF is logging the value it receives from you.

Upvotes: 0

Ian

Reputation: 4255

[Updated]

So you are the SP and PF is the IDP? PF needs to have your Assertion Consumer Service URL listed in the local meta-data (PF can hold several ACS URLs for a single SP) and I believe you need to specify the ACSIndex (as configured in PF) or ACSURL value.

The SAML 2.0 Core document outlines how to include AssertionConsumerServiceIndex or AssertionConsumerServiceURL in your AuthnRequest.

--Ian


Can you provide more details?

It sounds like you are using PF as the IDP and SP? If you want PF (IDP) to use an ACS URL other than the default with SP-Init SSO, you need to specify the ACSIndex of the ACS URL in the AuthnRequest. PF (SP) can specify a specific ACSIndex to include in the AuthnRequest by appending it to the startSSO.ping Application Endpoint.

If the ACSIndex is not listed in the PF (IDP) configuration the SP must sign the AuthnRequest (per the spec) and specify the ACSIndex to use instead.

Let me know if that makes sense or you need more info on how to do this.

--Ian

Upvotes: 3
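An added example, not part of the answers above and not PingFederate's own logic: a debugging helper that decodes the SAMLRequest your SP sends and reports which ACS endpoint it actually asks for. The registered ACS table, entity ID, URLs and sample request are constructed placeholders, and the resolver assumes an IdP that only answers to endpoints registered for the SP.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Constructed sample data: entity ID, URLs and indexes are placeholders.
REGISTERED_ACS = {  # what the IdP connection holds for this SP: index -> URL
    0: "https://sp.example.com/saml/acs",       # default endpoint
    1: "https://sp.example.com/saml/acs-alt",
}
DEFAULT_INDEX = 0

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceIndex="1">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)

def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64 (URL-encoding omitted)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_saml_request(value, deflated=True):
    """Decode a SAMLRequest value (deflated for Redirect, plain base64 for POST)."""
    raw = base64.b64decode(value)
    if deflated:
        raw = zlib.decompress(raw, -15)
    return ET.fromstring(raw)  # meant for inspecting your own SP's requests

def resolve_acs(root, registered=REGISTERED_ACS, default_index=DEFAULT_INDEX):
    """Return (url, reason): where an IdP holding `registered` would send the response."""
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    if url is not None and index is not None:
        return None, "invalid: index and URL are mutually exclusive (SAML Core 3.4.1)"
    if index is not None:
        if not index.isdigit() or int(index) not in registered:
            return None, f"index {index} is not registered at the IdP"
        return registered[int(index)], f"matched registered index {index}"
    if url is not None:
        if url not in registered.values():
            return None, "requested URL is not registered at the IdP"
        return url, "matched registered URL"
    return registered[default_index], "no ACS attribute sent; default used"
```

If the helper reports "no ACS attribute sent; default used" for your own request, the SP is not putting either attribute on the AuthnRequest element, which matches the symptom in the question.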
