IDP defaulting to different AssertionConsumerServiceURL

Article ID: 4546

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

  There are two ways to specify the endpoint acting as the Assertion Consumer Service in the query parameters for the AuthnRequest Server at the SP side.
  You can use an index, or specify the URL explicitly. To illustrate:

  1. AssertionConsumerServiceIndex=1

  or

  2. AssertionConsumerServiceURL=http://spid-test.com/path1/example.sso/SAML2/POST

  In our setting, we've set the second, AssertionConsumerServiceURL.

  We have our SP sending the AuthnRequest with AssertionConsumerServiceURL: http://spid-test.com/path1/example.sso/SAML2/POST

  However, we observe the IDP defaulting to a different URL: http://spid-test.com/path0/example.sso/SAML2/POST. How can we force
  the explicit use of the value from AssertionConsumerServiceURL?

Cause

You'll have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP>Remote SP partnership
in order to get the AssertionConsumerServiceURL to take precedence over the others configured on the IDP side.

Environment

Secure Cloud version: 1.55

Resolution

You will have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP>Remote SP partnership.
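
To check which ACS value the SP really puts in its AuthnRequest, the following added example (not part of the original article and not SiteMinder code) decodes an HTTP-Redirect `SAMLRequest` and resolves the endpoint against a registered list. The index-to-URL table, the `idp.example.com` address, the sample request and the resolution rules are assumptions modeling a generic IdP.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed registration table: which index maps to which URL is an assumption.
REGISTERED = {"0": "http://spid-test.com/path0/example.sso/SAML2/POST",
              "1": "http://spid-test.com/path1/example.sso/SAML2/POST"}

def decode_redirect(url):
    """Recover the AuthnRequest XML from an HTTP-Redirect binding URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15)  # raw DEFLATE, no header

def requested_acs(xml_bytes):
    """Return (AssertionConsumerServiceURL, AssertionConsumerServiceIndex).
    Uses the stdlib parser: meant for requests captured from your own SP."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return (root.get("AssertionConsumerServiceURL"),
            root.get("AssertionConsumerServiceIndex"))

def resolve_acs(xml_bytes, registered, default_index):
    """Generic model: honor a requested ACS only when it is registered."""
    url, index = requested_acs(xml_bytes)
    if url is not None and index is not None:
        raise ValueError("ACS URL and index are mutually exclusive")
    if url is not None:
        if url not in registered.values():
            raise ValueError("unregistered ACS URL: " + url)
        return url
    if index is not None:
        if index not in registered:
            raise ValueError("unknown ACS index: " + index)
        return registered[index]
    return registered[default_index]  # nothing requested: use the default

def sample_url(acs_attr):
    # Constructed AuthnRequest, deflated and base64-encoded as the binding requires.
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed1" Version="2.0" '
           'IssueInstant="2024-01-01T00:00:00Z" %s/>' % (SAMLP_NS, acs_attr)).encode()
    deflater = zlib.compressobj(wbits=-15)
    b64 = base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()
    return "https://idp.example.com/sso?SAMLRequest=" + quote(b64, safe="")

if __name__ == "__main__":
    xml = decode_redirect(sample_url('AssertionConsumerServiceURL="%s"' % REGISTERED["1"]))
    print(requested_acs(xml), resolve_acs(xml, REGISTERED, "0"))
```

If `requested_acs` shows the expected URL but responses still arrive at the other endpoint, the request is correct and the partnership setting on the IDP side is where to look.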