Regarding the ECP SSO profile - I’m a bit confused
about the usage of the responseConsumerURL attribute in the PAOS header sent
from SP to ECP and the AssertionConsumerServiceURL attribute in the ECP
response header sent from the IdP to the ECP. I’ve included
the relevant sections (that I could find) of the profiles spec below.
As I understand it, the ECP sends a message to the SP at the
location specified in the responseConsumerURL _only_
in event that there is some error condition. Otherwise the value of the responseConsumerURL
attribute is used only for the ECP to confirm the value of the AssertionConsumerServiceURL
it got from the IdP by comparing the two. And the value of the AssertionConsumerServiceURL
is where the ECP will deliver the SSO response.
Do I have that correct?
Looking at the examples below - the highlighted portions
would lead me to think that in this example the ECP would have to generate a
SOAP fault response and send it to the SP because the values of the two
attributes do not match. There is some wording around the possible need
for processing/normalization of the values before comparison but I can’t
see what reasonable normalization would result in those two values positively corresponding.
Am I missing something here? Was this just an
oversight (and perhaps errata item) or were these values intentionally set that
way in the example?
Thanks for any clarification,
Brian
….
