Difference between AssertionConsumerServiceURL , Destination , Consent in <saml:AuthnRequest>


Solution 1

Destination (defined in SAML 2.0 Core, lines 1477-1482)

Destination is the URL of the endpoint you are sending the message to. Typically SAML peers have different endpoints for different bindings, and the value is used at the IdP to verify that the received message was actually intended for the place where it was received. It helps mitigate certain attack scenarios.

Consent (defined in SAML 2.0 Core, lines 1483-1488)

The value is just advice to the IdP about how the sender obtained permission from the principal (typically a user) to issue this SAML message on her behalf. It's optional and typically unused.

AssertionConsumerServiceURL (defined in SAML 2.0 Core, lines 2061-2067)

Identifies the URL on your side to which the peer IdP must send the response. When you use this attribute you should also specify ProtocolBinding. The value is mutually exclusive with AssertionConsumerServiceIndex, so you shouldn't use both at the same time.

Solution 2

The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP). (wiki)

The service provider requests (SAML Request) and obtains an identity assertion from the identity provider (SAML Response).

So AssertionConsumerServiceURL is on the service provider (SP) side. To this URL the identity provider (IdP) will send the SAML Response containing the assertions, and the service provider (SP) should have the facilities to read it.

According to my understanding, the binding represents the way the SAML XML protocol messages will be transported (onto standard messaging formats) between SP and IdP. There is more than one way, for example:

  • HTTP POST
  • HTTP Redirect
  • SAML SOAP Binding (based on SOAP 1.1)

and thus the SP might have more than one binding URL address, i.e.:

  • Assertion Consumer Service POST Binding URL
  • Assertion Consumer Service Redirect Binding URL
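The following is an added example illustrating both answers above; it is not code from either answer, from the question, or from OpenSAML. It is a minimal SP/IdP round trip written against Python's standard library: the SP builds an AuthnRequest whose Destination is the IdP endpoint it is sent to and whose AssertionConsumerServiceURL is the SP's own endpoint for the chosen binding; the IdP rejects the request unless Destination matches the endpoint the request actually arrived at, AssertionConsumerServiceURL and AssertionConsumerServiceIndex are not both set, and the ACS URL is one the IdP has on file for that SP; the IdP's Response then carries the SP's ACS URL as its Destination, which the SP checks against its endpoint for the binding the Response actually arrived on. The sp.example.com and idp.example.com URLs and the in-memory ACS registry are assumptions; signing, base64/deflate encoding and the HTTP transport are deliberately left out.

```python
# Added example (not from the answers above or from OpenSAML). sp.example.com,
# idp.example.com and the in-memory ACS "registry" are assumptions; signing,
# base64/deflate encoding and the HTTP transport are deliberately left out.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Assumed SP configuration: one ACS endpoint per binding (Solution 2).
SP_ACS = {POST: "https://sp.example.com/saml/acs/post",
          REDIRECT: "https://sp.example.com/saml/acs/redirect"}
# Assumed IdP configuration: one SSO endpoint per binding.
IDP_SSO = {POST: "https://idp.example.com/saml/sso/post",
           REDIRECT: "https://idp.example.com/saml/sso/redirect"}
# ACS URLs the IdP has on file for this SP (normally read from SP metadata).
IDP_KNOWN_ACS = set(SP_ACS.values())


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_authn_request(binding):
    """SP side. Destination = IdP endpoint this message is sent to;
    AssertionConsumerServiceURL = SP endpoint the Response must come back to."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "Destination": IDP_SSO[binding],
        "ProtocolBinding": binding,
        "AssertionConsumerServiceURL": SP_ACS[binding],
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = "https://sp.example.com/metadata"
    return ET.tostring(req, encoding="unicode")

def idp_check_request(xml_text, received_at):
    """IdP side. Returns (ok, detail). Rejects a request not addressed to the
    endpoint it arrived at (Solution 1's Destination check), one that sets both
    ACS URL and ACS index, or one naming an ACS URL not on file for this SP."""
    req = ET.fromstring(xml_text)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        return False, "not an AuthnRequest"
    if req.get("Destination") != received_at:
        return False, f"Destination {req.get('Destination')!r} != {received_at!r}"
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is not None and req.get("AssertionConsumerServiceIndex") is not None:
        return False, "AssertionConsumerServiceURL and -Index are mutually exclusive"
    if acs_url is not None and acs_url not in IDP_KNOWN_ACS:
        return False, f"ACS URL {acs_url!r} is not registered for this SP"
    return True, req.get("ID")

def build_response(in_response_to, acs_url):
    """IdP side. The Response's Destination is the SP's ACS URL."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": _now(),
        "InResponseTo": in_response_to,
        "Destination": acs_url,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = "https://idp.example.com/metadata"
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    return ET.tostring(resp, encoding="unicode")

def sp_check_response(xml_text, arrived_on, expected_request_id):
    """SP side. The Response must be addressed to the ACS endpoint of the binding
    it actually arrived on, and must answer a request we are still waiting for."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SAMLP}}}Response":
        return False, "not a Response"
    if resp.get("Destination") != SP_ACS[arrived_on]:
        return False, f"Destination {resp.get('Destination')!r} != {SP_ACS[arrived_on]!r}"
    if resp.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match an outstanding request"
    return True, "ok"

def run_exchange(request_binding, idp_received_at, response_arrived_on):
    """One round trip; returns (ok, detail) from the first check that fails."""
    request_xml = build_authn_request(request_binding)
    ok, detail = idp_check_request(request_xml, idp_received_at)
    if not ok:
        return False, detail
    acs_url = ET.fromstring(request_xml).get("AssertionConsumerServiceURL")
    response_xml = build_response(detail, acs_url)
    return sp_check_response(response_xml, response_arrived_on, detail)

if __name__ == "__main__":
    print(run_exchange(POST, IDP_SSO[POST], POST))       # (True, 'ok')
    print(run_exchange(POST, IDP_SSO[REDIRECT], POST))   # rejected by the IdP
    print(run_exchange(POST, IDP_SSO[POST], REDIRECT))   # rejected by the SP
```

The second and third calls in the usage block show the two directions of the same check: a request addressed to the POST SSO endpoint but delivered to the Redirect one is refused by the IdP, and a Response addressed to the POST ACS URL but delivered to the Redirect ACS URL is refused by the SP. Consent is carried as an ordinary attribute and, as Solution 1 says, is not something either side needs to act on.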
Author: mavis

Updated on July 09, 2022

Comments

  • mavis, almost 2 years ago:

    I have been trying to generate a SAML object using opensaml-java.

    Ref:slide #30 in https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        ForceAuthn="true"
                        AssertionConsumerServiceURL="http://www.example.com/"
                        AttributeConsumingServiceIndex="0" ProviderName="string"
                        ID="abe567de6"
                        Version="2.0"
                        IssueInstant="2005-01-31T12:00:00Z"
                        Destination="http://www.example.com/"
                        Consent="http://www.example.com/">
    </samlp:AuthnRequest>

    In this, Destination, Consent and AssertionConsumerServiceURL all represent the same address. What are they actually representing?

    [Q.1] Is there any difference between them? Surely there must be some difference, otherwise they wouldn't have all three things.

    OR, if there is no difference, what are they representing?

    EDIT 1: AssertionConsumerServiceURL is the landing page of IdP where the assertion response message from IdP is expected.