SAML 2.0: How to configure Assertion Consumer Service URL
Solution 1
In SAML, the ACS is assumed to be static for a SP. To correlate the Response with the originating AuthnRequest you should save the ID of the outgoing AuthnRequest and then use the InResponseTo of the received response.
The SP can add a subject to the AuthnRequest, telling the IdP what username you want to have authenticated. It's defined in section 3.4.1 in the SAML2 Core spec.
Solution 2
As Anders Abel pointed out, the ACS is assumed to be static. However, in a development environment, it may be that a more dynamic response to different test systems is necessary.
This is my saml20-sp-remote.php that I use to respond to every SP that asks for a SSO authentication, utilizing the attribute AssertionConsumerService of its requests.
I guess this is not safe for production.
simplesamlphp/metadata/saml20-sp-remote.php:
<?php
/**
* SAML 2.0 remote SP metadata for SimpleSAMLphp.
*
* See: https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
*/
$acs = \SAML2\Binding::getCurrentBinding()->receive()->getAssertionConsumerServiceURL();
if (!$acs) $acs = 'some_fallback_url';
$metadata['idp_identifier'] = array(
'AssertionConsumerService' => $acs,
'simplesaml.nameidattribute' => 'uid'
);
Related videos on Youtube
09 : 18
18 : 49
15 : 35
18 : 51
27 : 47
26 : 41
33 : 58
15 : 00
Venkat Rangan
Updated on January 22, 2020Comments
-
Venkat Rangan over 4 years
I am implementing a SAML 2.0 Service Provider which uses Okta as the Identity Provider. I would like to configure the Assertion Consumer Service (ACS) URL so that the SAML 2.0 from my Service Provider app is reflected back in the assertion.
However, I am noticing that the Okta Identity Provider instead sends the SSO Endpoint configured in the Okta configuration and ignores the ACS that was actually sent. Also, I get an error perhaps the ACS from SP doesn't match the meta-data there.
If ACS URL is not the right way to send a short ID to IDP for it to reflect back in the assertion, what other mechanism can be used for this purpose.
Example:
The SAML 2.0 SAMLRequest sent by the SP app is:
assertion_consumer_service_url: https: //host.com:port/saml/consume? entityId=N&myName=username
The configuration on Identity Provider has the meta-data:
Single Sign-on URL: https: //host.com:port/saml/consume?entityId=N
Note that the myName changes from one request to the next, as it is our way of verifying that the response has name_id which matches the original username being sent.
Also, if there is a way for the Service Provider to let the Identity Provider assert that an SP-managed name (such as username), that would be fine for our needs. How does one specify this?
Thanks
-
Anders Abel about 10 yearsPlease don't post several questions at once, it's better to post each issue as a separate question.
-
