IDP-initiated SAML and AssertionConsumerServiceIndex Parameter

Article ID: 203094

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

The customer's application supports only IDP-initiated SAML but needs to support multiple Assertion Consumer Service URLs (ACS URLs). The customer has added the AssertionConsumerServiceIndex parameter to the IDP-initiated request query string, but SiteMinder appears to ignore it. How can this use case be achieved?

Environment

Release : 12.8.03

Component : SITEMINDER FEDERATION SECURITY SERVICES

Cause

SiteMinder does not support the AssertionConsumerServiceIndex query string parameter in IDP-initiated SAML requests. A custom solution is needed.

Resolution

Use SP-initiated SAML when multiple ACS URLs need to be supported. If switching to SP-initiated SAML is not possible, it may be possible to use an active page that mimics the SP and generates an AuthnRequest carrying the required AssertionConsumerServiceIndex parameter/value, but this is a custom solution outside the scope of Support.

Additional Information

Sample authnrequests can be found here:
https://www.samltool.com/generic_sso_req.php

As the sample shows, the only dynamic data in the AuthnRequest is the date/time information. The resulting SP-initiated URL (assuming the HTTP-Redirect binding) takes this format:
https://idp.example.com/affwebservices/public/saml2sso?SAMLRequest=XXXXXXXXXXXXXXXX&AssertionConsumerServiceIndex=Y
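The following is an added example, not code from this article or from SiteMinder, of what the custom "active page" in the Resolution would have to produce: it builds a minimal SAML 2.0 AuthnRequest carrying AssertionConsumerServiceIndex (as an attribute of the request element, per the SAML Core specification), applies the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encoding), and assembles a URL in the format shown above, including the AssertionConsumerServiceIndex query parameter. The IdP SSO URL and SP entity ID are hypothetical placeholders.

```python
import base64
import datetime
import secrets
import urllib.parse
import zlib

# Constructed, hypothetical endpoints: the IdP SSO URL from the article's sample URL and an SP entity ID
IDP_SSO_URL = "https://idp.example.com/affwebservices/public/saml2sso"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"

def build_authn_request(acs_index, issuer=SP_ENTITY_ID, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest selecting the ACS endpoint by index.
    Only ID and IssueInstant vary per request. Per SAML Core 3.4.1 the index is an
    attribute of AuthnRequest and excludes AssertionConsumerServiceURL/ProtocolBinding."""
    index = int(acs_index)
    if not 0 <= index <= 65535:  # xs:unsignedShort in the protocol schema
        raise ValueError("AssertionConsumerServiceIndex out of range")
    request_id = request_id or "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceIndex="{index}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
        '</samlp:AuthnRequest>'
    )

def encode_redirect(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")

def decode_redirect(value):
    """Inverse of encode_redirect: what the IdP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def build_redirect_url(acs_index, **kwargs):
    """Assemble the URL in the article's format; urlencode percent-encodes the base64 (+ / =)."""
    xml = build_authn_request(acs_index, **kwargs)
    params = {"SAMLRequest": encode_redirect(xml), "AssertionConsumerServiceIndex": str(int(acs_index))}
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)

def saml_request_from_url(url):
    """Extract and decode the SAMLRequest parameter from a redirect URL (for verification)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return decode_redirect(query["SAMLRequest"][0])
```

Whether the IdP honors the index from the AuthnRequest attribute, the query parameter, or both is an IdP configuration matter; decode the SAMLRequest from the generated URL to confirm the request you are actually sending before testing against the IdP.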