Ben

Reputation: 2472

Which AssertionConsumerServiceURL should an IdP use?

If a SAML IdP has a preconfigured ACS URL (e.g., one that comes from SP metadata), should it ignore the one sent in an AuthNRequest?

Upvotes: 1

Views: 1063

Answers (1)

Stefan Rasmusson

Reputation: 5595

The SAML Core spec states that the IdP must use the ACS specified in the AuthnRequest. It also states that the IdP must in some way ensure that the ACS belongs to the SP, for example by relying on the message signature or on the ACS being one defined in the metadata.

From the spec

AssertionConsumerServiceURL [Optional] Specifies by value the location to which the message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing message is another.

Upvotes: 1
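One way an IdP can implement the [SAMLMeta] check the answer describes, as an added Python example that is not code from the answer or from any SAML library. The SP metadata, the AuthnRequests and the select_acs helper are constructed for illustration; the request is treated as unsigned, so the spec's other option (verifying the enclosing message signature) is not shown. The matching is deliberately an exact string comparison against the registered Location values: any prefix or host-only matching would let a request steer the assertion to a URL the SP never registered. The stdlib parser is used for brevity; a production IdP should parse untrusted XML with a hardened parser such as defusedxml.

```python
"""Pick the AssertionConsumerServiceURL for a SAML 2.0 AuthnRequest.

Follows the SAML Core rule: the IdP MUST return the response to the ACS
named in the request, but MUST first ensure the value is associated with
the requester. Here that check is done against SP metadata ([SAMLMeta]).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for the example (not from any real deployment):
# two HTTP-POST endpoints, index 0 marked as the default.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="{POST_BINDING}" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="{POST_BINDING}" Location="https://sp.example.com/saml/acs-legacy"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(issuer="https://sp.example.com/saml", **attrs):
    """Build a constructed, unsigned AuthnRequest; attrs become XML attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{extra}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')


def load_acs_endpoints(metadata_xml):
    """Return (entityID, {index: (binding, location)}, default_index) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.attrib["entityID"]
    endpoints, default_index = {}, None
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        index = int(acs.attrib["index"])
        endpoints[index] = (acs.attrib["Binding"], acs.attrib["Location"])
        if acs.attrib.get("isDefault") == "true" and default_index is None:
            default_index = index
    if not endpoints:
        raise ValueError("SP metadata declares no AssertionConsumerService")
    if default_index is None:
        # [SAMLMeta]: with no isDefault="true", the first listed endpoint is the default.
        default_index = next(iter(endpoints))
    return entity_id, endpoints, default_index


def select_acs(metadata_xml, authn_request_xml):
    """Return the ACS URL the IdP must respond to, or raise ValueError if it cannot be trusted."""
    entity_id, endpoints, default_index = load_acs_endpoints(metadata_xml)
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer is None or issuer.strip() != entity_id:
        raise ValueError("Issuer does not match the SP this metadata describes")
    url = root.attrib.get("AssertionConsumerServiceURL")
    index = root.attrib.get("AssertionConsumerServiceIndex")
    binding = root.attrib.get("ProtocolBinding")
    if index is not None and (url is not None or binding is not None):
        raise ValueError("AssertionConsumerServiceIndex excludes URL and ProtocolBinding")
    if url is not None:
        # Exact match only: no prefix, host-only or normalised comparison.
        for reg_binding, location in endpoints.values():
            if location == url and (binding is None or binding == reg_binding):
                return location
        raise ValueError("AssertionConsumerServiceURL is not registered for this SP")
    if index is not None:
        try:
            return endpoints[int(index)][1]
        except (KeyError, ValueError):
            raise ValueError("unknown AssertionConsumerServiceIndex") from None
    # Neither attribute present: fall back to the SP's default endpoint.
    return endpoints[default_index][1]


def acs_is_rejected(metadata_xml, authn_request_xml):
    """True if select_acs refuses the request (used to exercise the failure cases)."""
    try:
        select_acs(metadata_xml, authn_request_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok = authn_request(AssertionConsumerServiceURL="https://sp.example.com/saml/acs")
    bad = authn_request(AssertionConsumerServiceURL="https://attacker.example/acs")
    print("registered URL  ->", select_acs(SP_METADATA, ok))
    print("foreign URL rejected:", acs_is_rejected(SP_METADATA, bad))
```

The index and default branches come from the same spec section: an SP may name its endpoint by AssertionConsumerServiceIndex instead of by URL, and if it names neither the IdP responds to the endpoint the metadata marks as default. Either way the value returned is always one taken from the metadata, never a string copied from the request.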
