Subject: Re: [saml-dev] Multiple Assertion Consumer Service URL Support


"the IdP MUST be able to map that index to a specific endpoint"
=> What if there is no way to add multiple endpoints for an SP in the IdP, and the IdP supports only 1 endpoint per SP? Should we consider it an issue with the IdP implementation and ask the IdP vendor to fix it?



On Wed, Aug 8, 2018 at 5:13 PM Tom Scavo <trscavo@gmail.com> wrote:
On Wed, Aug 8, 2018 at 2:04 AM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> If we provide SP metadata file with multiple ACS URLs (<md:AssertionConsumerService> along with index) then some IDPs ignore it and pick up only the first one. In my opinion this is against SAML 2.0 specifications and IDP should consider all the ACS URLs. Please confirm.

If the SP includes a specific AssertionConsumerServiceURL in the
AuthnRequest, the IdP MUST respond to that endpoint (or return an
error). OTOH, if the SP includes an AssertionConsumerServiceIndex in
the AuthnRequest, the IdP MUST be able to map that index to a specific
endpoint but nowhere does it say that the IdP must use metadata for
that (or any other) purpose. See section 3.4 of SAML Core for details.

Tom


--
Regards,
Vipul
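
The endpoint selection discussed in this thread, as an added example that is not part of the original messages and not code from any IdP product: an IdP-side resolver that answers to a requested AssertionConsumerServiceURL only if it is registered for the SP, maps an AssertionConsumerServiceIndex to a registered endpoint, and otherwise falls back to the SP's default. The `REGISTERED` table, the SP entityID and the URLs are constructed assumptions, and the default-selection rule follows the `isDefault` convention of SAML metadata.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

P = "{urn:oasis:names:tc:SAML:2.0:protocol}"
A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

@dataclass(frozen=True)
class Acs:
    index: int
    location: str
    binding: str = POST
    is_default: Optional[bool] = None  # None means isDefault was not set

# Constructed IdP-side registration (hypothetical SP and URLs). It could be
# loaded from SP metadata or configured by hand; the resolver does not care.
REGISTERED = {"https://sp.example.org/saml": [
    Acs(0, "https://sp.example.org/acs/a"),
    Acs(1, "https://sp.example.org/acs/b", is_default=True)]}

class AcsError(Exception):
    """Raised when the IdP has to return an error instead of a Response."""

def default_acs(eps):
    # First isDefault="true", else first without isDefault="false", else first.
    return next((e for e in eps if e.is_default is True),
                next((e for e in eps if e.is_default is None), eps[0]))

def resolve_acs(authn_request_xml: str) -> Acs:
    root = ET.fromstring(authn_request_xml)
    if root.tag != P + "AuthnRequest":
        raise AcsError("not an AuthnRequest")
    eps = REGISTERED.get((root.findtext(A + "Issuer") or "").strip())
    if not eps:
        raise AcsError("unknown requester")
    url, idx = root.get("AssertionConsumerServiceURL"), root.get("AssertionConsumerServiceIndex")
    binding = root.get("ProtocolBinding")
    if idx is not None and (url is not None or binding is not None):
        raise AcsError("index is mutually exclusive with URL and ProtocolBinding")
    if url is not None:  # by value: exact match against registered endpoints only
        hits = [e for e in eps if e.location == url and binding in (None, e.binding)]
    elif idx is not None:  # by reference: the index must map to an endpoint
        hits = [e for e in eps if str(e.index) == idx]
    else:
        return default_acs(eps)
    if not hits:
        raise AcsError("requested endpoint is not registered for this SP")
    return hits[0]
```

With only one endpoint registered for the SP, a request carrying any other index or URL ends in `AcsError` rather than a Response sent to an endpoint the SP did not ask for.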

