IDP defaulting to different AssertionConsumerServiceURL

Article ID: 4546

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER

Issue/Introduction

  There are two ways to specify the endpoint acting as the Assertion Consumer Service in the query parameters for the AuthnRequest Server at the SP side.
  You can use an index, or specify the URL explicitly. To illustrate:

  1. AssertionConsumerServiceIndex=1

  or

  2. AssertionConsumerServiceURL=https://_host.example.com/path1/example.sso/SAML2/POST

  In our setting, we've set the second, AssertionConsumerServiceURL.

  We have our SP sending AuthnRequest with AssertionConsumerServiceURL: https://_host.example.com/path1/example.sso/SAML2/POST

  However, we observe the IDP defaulting to a different URL: https://_host.example.com/path0/example.sso/SAML2/POST. How can we force
  the explicit use of the value from AssertionConsumerServiceURL?

Environment

Secure Cloud version: 1.55

Cause

You'll have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP > Remote SP partnership
in order for the AssertionConsumerServiceURL to take precedence over the others configured on the IDP side.

Resolution

You will have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP>Remote SP partnership.
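
The following is an added example, not Broadcom or SiteMinder code: generic SAML 2.0 logic showing how an IdP can choose the ACS endpoint from an AuthnRequest, honoring a requested AssertionConsumerServiceURL only when it exactly matches a registered one. The registration table, the function names and the request ID are assumptions built from the article's example URLs.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed registration data for one remote SP (hypothetical; reuses the
# article's example host and paths). path0 is the IdP-side default.
REGISTERED_ACS = [
    {"index": 0, "url": "https://_host.example.com/path0/example.sso/SAML2/POST", "default": True},
    {"index": 1, "url": "https://_host.example.com/path1/example.sso/SAML2/POST", "default": False},
]


def resolve_acs(authn_request_xml, registered=REGISTERED_ACS):
    """Return the ACS URL the response should go to, or raise ValueError."""
    # Real deployments should parse with a hardened parser (e.g. defusedxml)
    # and verify the request signature before trusting any attribute.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    if url is not None and index is not None:
        # SAML core defines the two attributes as mutually exclusive.
        raise ValueError("ACS URL and ACS index are mutually exclusive")
    if url is not None:
        # Exact string match only: an unregistered URL is rejected, never
        # followed and never silently replaced by the default.
        if any(entry["url"] == url for entry in registered):
            return url
        raise ValueError("requested ACS URL is not registered for this SP")
    if index is not None:
        for entry in registered:
            if str(entry["index"]) == index:
                return entry["url"]
        raise ValueError("unknown ACS index")
    # Neither attribute present: fall back to the registered default.
    return next(entry["url"] for entry in registered if entry["default"])


def make_request(attrs):
    """Build a minimal constructed AuthnRequest carrying the given attributes."""
    extra = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0" {extra}/>'
```

Rejecting an unregistered URL outright, rather than sending the assertion wherever the request asks, is what keeps the response from being delivered to an endpoint the SP never registered.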