If a SAML IdP has a preconfigured ACS URL (e.g., one that comes from SP metadata), should it ignore the one sent in an AuthNRequest?
Viewed 987 times
1 Answer
1
The SAML Core spec states that the IdP must use the ACS specified in the AuthnRequest. It also states that the IdP must in some way ensure that the ACS belongs to the SP, for example by relying on a message signature or on the ACS being one defined in the metadata.
From the spec:
AssertionConsumerServiceURL [Optional] Specifies by value the location to which the message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing message is another.

Stefan Rasmusson
- Does this mean the IdP should reject an `AuthNRequest` if it is unsigned and the ACS URL is different from the preconfigured one? Conversely, can a verifiably signed `AuthNRequest` use any ACS URL without validation? – Ben May 02 '17 at 14:49
- I updated the answer with the section about validation. It does not specify how, but the reason is easy to imagine: if you do not know this URL belongs to the SP, you risk sending the assertion to someone other than the SP – Stefan Rasmusson May 03 '17 at 12:25
- The full text also contains text about a signed request: "... The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing message is another." – Hans Z. May 03 '17 at 13:21
- Yes, as I said in my answer text, I have updated the answer with the full text from the spec for clarity's sake – Stefan Rasmusson May 04 '17 at 09:36
- What is the typically expected behavior? – Ben May 07 '17 at 20:03
- If AssertionConsumerServiceURL is used in the AuthnRequest, use that; if not, use the assertion consumer service URL. – Stefan Rasmusson May 08 '17 at 06:41
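The selection logic the answer and its comments describe, as an added example that is not part of the original answer and not taken from any SAML library. It assumes the IdP has already verified (or failed to verify) the XML signature on the request elsewhere and passes that result in as `signature_verified`; the SP metadata, the `AuthnRequest` builder and the `sp.example.test` URLs are constructed for the example.

```python
# Added example: IdP-side choice of the Assertion Consumer Service URL.
# Rule implemented (from the spec text quoted in the answer):
#   - the value in the AuthnRequest is used when present,
#   - but only if it is "associated with the requester", shown either by
#     appearing in the SP's metadata ([SAMLMeta]) or by the enclosing
#     request being validly signed,
#   - if the request carries no ACS URL, fall back to the metadata default.
# Signature verification itself is assumed to happen elsewhere.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}


class AcsRejected(Exception):
    """Raised when the IdP must not send the response to the requested ACS."""


def acs_endpoints_from_metadata(metadata_xml):
    """Return (entityID, default ACS URL, set of all registered ACS URLs)."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    registered = set()
    default = None
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        location = acs.get("Location")
        registered.add(location)
        # The first endpoint is the default unless one is flagged isDefault="true".
        if default is None or acs.get("isDefault") == "true":
            default = location
    if default is None:
        raise AcsRejected("SP metadata declares no AssertionConsumerService")
    return entity_id, default, registered


def select_acs(authn_request_xml, metadata_xml, signature_verified):
    """Return the URL the SAML response must be sent to, or raise AcsRejected."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsRejected("not a samlp:AuthnRequest")
    entity_id, default, registered = acs_endpoints_from_metadata(metadata_xml)

    # The metadata consulted must belong to the SP that issued the request.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer is None or issuer.strip() != entity_id:
        raise AcsRejected("Issuer %r does not match metadata entityID %r" % (issuer, entity_id))

    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return default                      # no value in the request: metadata default
    if requested in registered:             # exact string match, no normalisation
        return requested                    # associated via [SAMLMeta]
    if signature_verified:
        return requested                    # associated via the signed request
    raise AcsRejected("unsigned request names an ACS not in SP metadata: %s" % requested)


# Constructed sample SP metadata for a fictional SP (not real metadata).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs-alt" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_authn_request(acs_url=None, issuer="https://sp.example.test/saml"):
    """Build a minimal constructed AuthnRequest, optionally naming an ACS URL."""
    attrs = 'ID="_req1" Version="2.0" IssueInstant="2017-05-02T14:49:00Z"'
    if acs_url is not None:
        attrs += ' AssertionConsumerServiceURL="%s"' % acs_url
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" %s>'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], attrs, issuer))


if __name__ == "__main__":
    cases = [(None, False),
             ("https://sp.example.test/saml/acs-alt", False),
             ("https://other.example.test/acs", False),
             ("https://other.example.test/acs", True)]
    for url, signed in cases:
        try:
            print(url, "signed=%s" % signed, "->", select_acs(make_authn_request(url), SP_METADATA, signed))
        except AcsRejected as exc:
            print(url, "signed=%s" % signed, "-> rejected:", exc)
```

The comparison against metadata is a deliberate exact string match: relaxing it (prefix matching, ignoring scheme or port) is what turns an ACS check into a redirect of the assertion to a host the SP never registered. If a deployment prefers not to rely on a signature alone, dropping the `signature_verified` branch leaves a policy where only metadata-listed endpoints are ever used.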