2

we are using PingFederate for SSO and is SP initiated. and Ping Federate will act like Idp. For application there are 2 webservers(for high availability

My questions is 1. can we provide two urls as default(In console as only one url can be set as default. in this case can we provide two comma seperated urls).

  1. can load balancer url is provided for ACS url.

Thank you!

user6639305
  • 29
  • 1
  • 4

2 Answers2

2

I think you want to publish the assertion consumer service URLs in SP metadata, as it is specific to the service provider.

You can have unique or same ACS endpoint for specific binding the SP supports and the endpoint has to understand response wrt to binding from IdP. Also ACS endpoints can be indexed and any one can be set as default in the metadata. Example:

 <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sts.contoso.com/adfs/ls/" index="0" isDefault="true" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sts.contoso.com/adfs/ls/" index="1" /> 
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sts.contoso.com/adfs/ls/" index="2" />

As long as IdP can reach the SP server from outside world, you could use load balancer URL.

Zeigeist
  • 3,755
  • 3
  • 20
  • 22
1

As you have noted in the PingFederate Admin Console, you can specify multiple ACS URLs, however only one is a default URL. Each ACS URL is assigned an index number.

Using IdP-Initiated SSO, the default ACS URL will be used to send the SAML assertion if an ACSIdx query parameter is not supplied. This query parameter specifies which ACS URL is to be used. When the parameter is used, it will send the SAML assertion to the ACS URL associated to the index as shown in the PingFederate Admin Console.

Using SP-Initiated SSO, the ACS URL can be dynamic if the service provider application sends a signed AuthnRequest. Per the SAML specification SP-Initiated SSO can send a ACS URL that will be used by the Identity Provider (in this case the PingFederate IdP) to transmit the SAML assertion. Thus, the requesting server specifies how to return to itself granted the AuthnRequest is signed and trusted by the PingFederate IdP Server.

Eric U.
  • 356
  • 1
  • 3
  • Thanks for your answer! Explain how thinks work. I have a question that in IdP Initiated SSO, " the default ACS URL will be used to send the SAML assertion if an ACSIdx query parameter is not supplied", I'm wondering when the query parameter is supplied? – truongnm Jan 28 '20 at 04:05
  • I think in the case of IdP Initiated SSO, it's alway use the default ACS URL – truongnm Jan 28 '20 at 04:05