OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Question about AuthnRequest and ACS URL

For security reasons, the IdP is normally obligated to deliver an assertion to the AssertionConsumerServiceURL that exist in the metadata that the IdP has about the SP via some other means than the AuthnRequest.   This is to prevent a malicious site from requesting assertions from the idP that it can then use to access the user’s account at the real SP.


This field allows the SP to override, or specify inline rather than relying on metadata, the location to deliver assertions.    The IdP has to be very cautious about accepting and processing such requests because of the attack possibilities mentioned above and must take steps to ensure that this is what the SP actually is requesting.   Some ways of ensuring that include:


·         Ensuring that the specified URL matches one of the registered AssertionConsumerServiceURL s that the IdP has for that SP (gotten through other safe/validated means).

·         Ensuring that the overall request (including the AssertionConsumerServiceURL) is correctly signed by the SP, thus validating that it is coming, unmodified from the SP itself.


The point here being that you need to make sure that someone else hasn’t stuck that value into the request.    Some IdPs may choose to not support this feature and instead require that the SP has registered their metadata in advance (or has implemented the one of the metadata publication models described in the SAML metatadata spec).


So, assuming you have accepted and validated the AssertionConsumerServiceURL within the request, the IdP should then ensure that the delivery of the response message to the AuthNRequest is directed to that AssertionConsumerServiceURL.


If you have not accepted the AssertionConsumerServiceURL because it is invalid or untrustworthy, the assumption would be that the request is malicious and therefore I would reject the request and possibly generate a warning to the user.





From: Yaowen Tu [mailto:yaowen.tu@gmail.com]
Sent: Thursday, March 14, 2013 12:51 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Question about AuthnRequest and ACS URL




I have a general question about AuthnRequest. In the request there is a field called AssertionConsumerServiceURL. I am just wondering what is this URL used for?


1. What is IdP supposed to do when it decrypt the request and find this value? Should IdP compare the value with the one in the sp metadata file? Or what?

2. On IdP side, should IdP redirect to the ACS URL in the AuthnRequest, or the ACS URL in the metadata file of this SP?

3. If the ACS URL in the request is different from the one in the metadata file, should IdP return error?


Or maybe this behavior is not defined in SAML? It depends on individual IdP's implementation? So the best an SP to do is to send the same ACS URL in the AuthnRequest as in the metadata file?





[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]