OASIS Mailing List Archives

saml-dev message



Subject: Problem with recognizing the assertion consumer



Hello.

I suspect that I'm posting my mail to the wrong mailing list, but I don't know which could be more relevant.

I've got a question concerning SAML 1.1. My situation is simple: I've got a single SAML Authority (Identity Provider) and multiple Assertion Consumers (Service Providers). I use the Browser/POST binding to exchange SAML messages. The dataflow is pretty standard:

1. Service Provider sends an AuthenticationQuery to the Identity Provider through the user's browser.
2. Identity Provider responds with an assertion through the user's browser.

The specifications I've read (and I've read quite a lot) all claim that the assertion consumer's service URL should be known by the SAML Authority. OK, I agree with that - we have all this kind of stuff configured. But here's the tricky part: we have MULTIPLE assertion consumers. What is the standard way of distinguishing between them?

In other words: the Identity Provider receives a SAML request. It authenticates the user and then sends the response back... but where? How does it know WHICH Service Provider is the origin of the request?

I've been digging for two days and I don't know how to solve it. We've tried putting it into the NameQualifier, but since we've nothing to put into NameIdentifier (the user's identity is not known when the request is being sent), we can't use it (we used it, putting a weird "dummy" identifier, but our client said he wants it to be more standards-compliant). Note that I've tried to search in the mailing lists' archives, but the search engine is broken (it denies me access).

Thanks in advance for ANY help.

Bartosz Leper, DRQ S.A.
Bartosz_Leper@drq.pl
+48607503665

