RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL

["Scott Cantor" <cantor.2@osu.edu>]

> If one URL isn't enough, the Provider can put multiple URLs 
> in the metadata and use the AssertionConsumerServiceIndex to 
> point to the appropriate URL.   With a long name like 
> "AssertionConsumerServiceIndex" (rather than something like 
> ACSIdx), I'm not sure how much space you save by using an 
> index than a URL, but that isn't my call.

This one I copied from ID-FF, I probably would have shortened it were I
working from scratch. If desired, we could do this as a normative change
during review since we have some anyway.

> And a final note, if you do include the AssertionConsumerURL, 
> I think the request has to be signed.   With the other 
> methods, it is more easily accepted without a signature.

It doesn't have to be signed, but in either case, you need a way of
verifying that the ASC value is appropriate for the requesting SP. Metadata
being one way, of course.

Of course, any unsigned request can be manipulated entirely by an attacker
if SSL isn't used or if they have sufficient access to the client, etc.

-- Scott