In the following AuthnRequest, where the AssertionConsumerServiceURL contains all the query parameters necessary for my application to identify the user session:
AssertionConsumerServiceURL=https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC&esessionid=ABD08C9312D090FAFDBABCD98D591780
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC&amp;esessionid=ABD08C9312D090FAFDBABCD98D591780 "
    AttributeConsumingServiceIndex="42" ForceAuthn="true"
    ID="XgprlSg6nkMfSkcnnh-esa" IssueInstant="2009-03-23T14:15:18Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="TEST"
    Version="2.0">
  <saml:Issuer>com.test/user/framedresponse</saml:Issuer>
  <samlp:NameIDPolicy
      AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
However, the decoded SAMLResponse is sent to /ufs/user/framedResponse.jsp?app=ABC without the necessary esessionid parameter.

I am trying to argue with the Assertion providers that this violates the SAML standard, but I have failed to back this up with appropriate references.

Could you help me argue my point that the AssertionConsumerServiceURL value should be used as is by the assertion provider, without modification?

Any help or pointer will be appreciated.
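An added example, not part of the original message: a service-provider-side check that parses the AuthnRequest, extracts the requested AssertionConsumerServiceURL, and reports which query parameters are missing from the URL the response was actually posted to. The function names are hypothetical, the AuthnRequest is a trimmed constructed sample using the values quoted above, and the observed URL assumes the scheme and host were unchanged (the message gives only the path and query).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: trimmed AuthnRequest carrying the ACS URL quoted in the message.
AUTHN_REQUEST = """<samlp:AuthnRequest
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC&amp;esessionid=ABD08C9312D090FAFDBABCD98D591780"
  ID="XgprlSg6nkMfSkcnnh-esa" IssueInstant="2009-03-23T14:15:18Z" Version="2.0"/>"""

# Constructed sample: path and query from the message, scheme and host assumed unchanged.
OBSERVED_URL = "https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC"


def requested_acs_url(authn_request_xml):
    """Return the AssertionConsumerServiceURL from an AuthnRequest the SP itself issued."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("root element is not samlp:AuthnRequest")
    url = root.get("AssertionConsumerServiceURL")
    if url is None:
        raise ValueError("AuthnRequest has no AssertionConsumerServiceURL")
    return url.strip()  # tolerate stray whitespace inside the attribute value


def compare_acs(requested, observed):
    """Diff the requested ACS URL against the URL the response was delivered to."""
    req, obs = urlsplit(requested), urlsplit(observed)
    req_q = parse_qs(req.query, keep_blank_values=True)
    obs_q = parse_qs(obs.query, keep_blank_values=True)
    return {
        "exact": requested == observed,
        "endpoint_matches": (req.scheme, req.netloc.lower(), req.path)
        == (obs.scheme, obs.netloc.lower(), obs.path),
        "missing": sorted(k for k in req_q if k not in obs_q),
        "changed": sorted(k for k in req_q if k in obs_q and req_q[k] != obs_q[k]),
        "added": sorted(k for k in obs_q if k not in req_q),
    }


if __name__ == "__main__":
    report = compare_acs(requested_acs_url(AUTHN_REQUEST), OBSERVED_URL)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Logging this report at the ACS endpoint alongside the request ID gives a concrete record of what was requested versus what was delivered.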