"AssertionConsumerServiceURL vaue must match the one specified in partner meta data"
In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as: https://sp.yourdomain.com/samlconsumer
How can I fix this problem?
Cause
The AssertionConsumerServiceURL value is being taken from the Federation AuthnRequest, but this functionality doesn't exist in the Legacy Federation model. To use it, you have to use the Partnership configuration:
Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:
CA Single Sign-On Federation was not accepting and processing the Assertion Consumer Service URL in the incoming authentication request. The system did not verify whether the authentication request had an Assertion Consumer Service URL defined.
Solution:
For an IdP-to-SP partnership, the Administrative UI has a new check box labeled Accept ACS URL in the Authnrequest. This check box is in the SSO section of the SSO and SLO step of the partnership configuration. To confirm that the URL is present and valid in the authentication request, and it is in the metadata, select this option.
Configure your Federation as a Partnership instead of a Legacy one. In the Partnership, check the "Accept ACS URL in the Authnrequest" setting so that the IdP uses the AssertionConsumerServiceURL from the SAML AuthnRequest, and put the expected value of AssertionConsumerServiceURL in the list for ACS.
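The check that the "Accept ACS URL in the Authnrequest" option describes (the URL in the request must also be in the partner metadata) can be sketched as follows. This is an added example, not CA Single Sign-On code; the function names, the constructed metadata and request, and the fallback to the metadata default when the request carries no URL are assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata: the ACS list configured for the partner.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.yourdomain.com">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.yourdomain.com/samlconsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def make_authn_request(acs_url=None):
    """Build a constructed AuthnRequest, optionally carrying an ACS URL."""
    attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" '
            f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{attr}/>')

def _parse(xml_text):
    # Refuse DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in SAML messages")
    return ET.fromstring(xml_text)

def registered_acs(metadata_xml):
    """Return (all registered ACS Locations, default Location)."""
    services = _parse(metadata_xml).findall(f".//{{{MD}}}AssertionConsumerService")
    locations = [s.get("Location") for s in services]
    if not locations:
        raise ValueError("partner metadata lists no AssertionConsumerService")
    default = next((s.get("Location") for s in services
                    if s.get("isDefault") == "true"), locations[0])
    return locations, default

def resolve_acs(authn_request_xml, metadata_xml):
    """Pick where the assertion may be sent, or raise on a mismatch."""
    locations, default = registered_acs(metadata_xml)
    requested = _parse(authn_request_xml).get("AssertionConsumerServiceURL")
    if requested is None:
        return default              # no URL requested: use the metadata default
    if requested not in locations:  # exact string match, no prefix/host matching
        raise ValueError("ACS URL in AuthnRequest is not in partner metadata")
    return requested
```

The comparison is an exact string match against the registered list, so a URL that merely shares the SP host or a path prefix is rejected rather than receiving the assertion.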