lorandd

Reputation: 174

AssertionConsumerServiceURL from AuthnRequest not from Config

Noticed that the Saml2AuthnResponse Destination is set based on the relyingParty.SingleSignOnDestination, which is retrieved from a "configuration" (hardcoded relyingParties array).

I think the Destination should be based on what is set in the AuthnRequest (samlp:AuthnRequest -> AssertionConsumerServiceURL) and use the relyingParty Destination maybe as a fallback if it's missing from the AuthnRequest, but from what I see every AuthnRequest contains the ACS URL.

Or is there a reason why it is implemented this way?

Thanks

Upvotes: 1

Views: 688

Answers (1)

Anders Revsgaard

Reputation: 4334

It is part of the security only to reply to known URLs/domains. Therefore it is important to configure the relyingParty.SingleSignOnDestination for each relying party.

To have a dynamic response URL you can extend the code to verify that the authnRequest.AssertionConsumerServiceUrl starts with the value in relyingParty.SingleSignOnDestination.

E.g. the value in relyingParty.SingleSignOnDestination could be "https://somedomain.com" and thereby accept different authnRequest.AssertionConsumerServiceUrl values like "https://somedomain.com/auth/AssertionConsumerService" or "https://somedomain.com/acs".

Upvotes: 1
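The check described in the answer, as an added example that is not part of the original answer and not code from ITfoxtec.Identity.Saml2. It assumes the caller passes relyingParty.SingleSignOnDestination and authnRequest.AssertionConsumerServiceUrl as System.Uri values; the class and method names are hypothetical. Rather than a raw string StartsWith, it compares the URL components separately, because "https://somedomain.com" is a string prefix of "https://somedomain.com.evil.com/acs" and of "https://somedomain.com@evil.com/acs", and neither should be accepted as a response destination.

```csharp
using System;

// Added example (not library code). Inputs are assumed to come from
// relyingParty.SingleSignOnDestination (configured) and
// authnRequest.AssertionConsumerServiceUrl (requested).
public static class AcsUrlPolicy
{
    // Returns the URL to use as the Saml2AuthnResponse Destination, or null when the
    // requested ACS URL is not under the configured one and the request should be rejected.
    public static Uri ResolveDestination(Uri configured, Uri requested)
    {
        if (configured == null) throw new ArgumentNullException(nameof(configured));
        if (!configured.IsAbsoluteUri)
            throw new ArgumentException("configured destination must be absolute", nameof(configured));

        // Fallback: the AuthnRequest carried no ACS URL, so use the configured value.
        if (requested == null) return configured;

        // Relative URLs cannot be matched against an origin; reject them.
        if (!requested.IsAbsoluteUri) return null;

        // Scheme, host and port must match the configured origin exactly. Comparing Host
        // (not the raw string) is what rejects "somedomain.com.evil.com" and "somedomain.com@evil.com".
        if (!string.Equals(requested.Scheme, configured.Scheme, StringComparison.OrdinalIgnoreCase)) return null;
        if (!string.Equals(requested.Host, configured.Host, StringComparison.OrdinalIgnoreCase)) return null;
        if (requested.Port != configured.Port) return null;
        if (!string.IsNullOrEmpty(requested.UserInfo)) return null;

        // The path must start with the configured path at a segment boundary, so a configured
        // "https://somedomain.com/auth" does not accept "https://somedomain.com/authx/evil".
        var basePath = configured.AbsolutePath.TrimEnd('/');
        var reqPath = requested.AbsolutePath;
        if (basePath.Length > 0
            && reqPath != basePath
            && !reqPath.StartsWith(basePath + "/", StringComparison.Ordinal))
        {
            return null;
        }

        // Drop any fragment; it is never sent to the server and has no place in Destination.
        return new UriBuilder(requested) { Fragment = string.Empty }.Uri;
    }

    public static void Main()
    {
        // Constructed sample values: the configured prefix from the answer plus a few candidates.
        var configured = new Uri("https://somedomain.com");
        var candidates = new[]
        {
            "https://somedomain.com/auth/AssertionConsumerService", // accepted
            "https://somedomain.com/acs",                           // accepted
            "https://somedomain.com.evil.com/acs",                  // rejected: different host
            "https://somedomain.com@evil.com/acs",                  // rejected: host is evil.com
            "http://somedomain.com/acs",                            // rejected: scheme mismatch
        };

        foreach (var candidate in candidates)
        {
            var result = ResolveDestination(configured, new Uri(candidate));
            Console.WriteLine($"{candidate} -> {(result == null ? "rejected" : "accepted: " + result)}");
        }
    }
}
```

When the method returns null the safe action is to refuse to issue a response at all, rather than falling back to the configured destination, since an ACS URL that fails the check indicates a malformed or tampered AuthnRequest.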
