
Noticed that the Saml2AuthnResponse Destination is set based on the relyingParty.SingleSignOnDestination, which is retrieved from a "configuration" (hardcoded relyingParties array).

I think the Destination should be based on what is set in the AuthnRequest (samlp:AuthnRequest -> AssertionConsumerServiceURL) and use the relyingParty Destination maybe as a fallback if it's missing from the AuthnRequest, but from what I see every AuthnRequest contains the ACS URL.

Or is there a reason why it is implemented this way?

Thanks

lorandd

It is part of the security to only reply to known URLs/domains. Therefore it is important to configure the relyingParty.SingleSignOnDestination for each relying party.

To have a dynamic response URL you can extend the code to verify that the authnRequest.AssertionConsumerServiceUrl starts with the value in relyingParty.SingleSignOnDestination.

E.g. the value in relyingParty.SingleSignOnDestination could be "https://somedomain.com" and thereby accept different authnRequest.AssertionConsumerServiceUrl values like "https://somedomain.com/auth/AssertionConsumerService" or "https://somedomain.com/acs".

Anders Revsgaard
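The check described in the answer, written out as an added example (this is not ITfoxtec code and is not part of the original post). The `RelyingParty` shape, the `AcsDestination.Resolve` and `IsUnder` names, and the sample URLs are assumptions for illustration. The configured SingleSignOnDestination stays the trust anchor; the ACS URL from the AuthnRequest is only used when it lives under that anchor, and the configured value is the fallback otherwise. The comparison is done on parsed URI components rather than a raw string `StartsWith`, because a raw prefix test on "https://somedomain.com" would also accept a host such as "https://somedomain.com.evil.example/acs".

```csharp
using System;

// Added example, not ITfoxtec library code. Shapes and names are assumptions.
public sealed class RelyingParty
{
    public string Issuer { get; init; } = "";
    public string SingleSignOnDestination { get; init; } = "";
}

public static class AcsDestination
{
    // Returns the URL the SAML response must be sent to: the requested ACS URL when it
    // is inside the configured destination, otherwise the configured destination itself.
    public static Uri Resolve(RelyingParty rp, string? requestedAcs)
    {
        var configured = new Uri(rp.SingleSignOnDestination, UriKind.Absolute);

        if (string.IsNullOrWhiteSpace(requestedAcs))
            return configured;                       // no ACS URL in the request: fallback

        if (!Uri.TryCreate(requestedAcs, UriKind.Absolute, out var requested))
            return configured;                       // unparsable value: ignore it, fall back

        return IsUnder(configured, requested) ? requested : configured;
    }

    // Component-wise "starts with": same scheme, host and port, no userinfo, and the
    // requested path must extend the configured path on a segment boundary.
    public static bool IsUnder(Uri configured, Uri requested)
    {
        if (!string.Equals(configured.Scheme, requested.Scheme, StringComparison.OrdinalIgnoreCase))
            return false;                            // e.g. http vs https
        if (!string.Equals(configured.Host, requested.Host, StringComparison.OrdinalIgnoreCase))
            return false;                            // rejects somedomain.com.evil.example
        if (configured.Port != requested.Port)
            return false;                            // System.Uri fills in the default port (443)
        if (!string.IsNullOrEmpty(requested.UserInfo))
            return false;                            // rejects "https://somedomain.com@other.example/"

        // "/auth" must match "/auth/acs" but not "/authx": compare with a trailing slash.
        var basePath = configured.AbsolutePath.TrimEnd('/') + "/";
        var reqPath = requested.AbsolutePath.EndsWith("/", StringComparison.Ordinal)
            ? requested.AbsolutePath
            : requested.AbsolutePath + "/";
        return reqPath.StartsWith(basePath, StringComparison.Ordinal);
    }

    public static void Main()
    {
        // Constructed sample configuration, mirroring the answer's example value.
        var rp = new RelyingParty { Issuer = "urn:example:sp", SingleSignOnDestination = "https://somedomain.com" };

        // Constructed sample ACS URLs as they might arrive in an AuthnRequest.
        string?[] samples =
        {
            "https://somedomain.com/auth/AssertionConsumerService", // accepted
            "https://somedomain.com/acs",                           // accepted
            "https://somedomain.com.evil.example/acs",              // different host: fallback
            "http://somedomain.com/acs",                            // different scheme: fallback
            "https://somedomain.com:8443/acs",                      // different port: fallback
            null,                                                   // missing: fallback
        };

        foreach (var acs in samples)
            Console.WriteLine($"{acs ?? "<none>",-55} -> {Resolve(rp, acs)}");
    }
}
```

In an IdP built on the library, `Resolve` would be called with the relying party looked up from the AuthnRequest's issuer and with `authnRequest.AssertionConsumerServiceUrl`, and its result assigned to the response's Destination. When an ACS URL is rejected, the fallback to the configured value also makes the mismatch easy to log and alert on.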