SAML 1.1 POST - Is it possible to have a different Recipient than the actual endpoint?

Article ID: 48881

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Description:

A service provider may want the SAML response to contain:

Recipient="urn: xxx-saml:xxx.YYYYYY_xxx.9680"

SiteMinder, however, sets this value to the actual endpoint for the service: Recipient="https://xxxx/xxxxx/xxx"
Is it possible to have a different Recipient than the actual endpoint?

Solution:

Per the OASIS SAML 1.1 specification, the SAML response MUST include the Recipient attribute [SAMLCore] with its value set to https://<assertion consumer host name and path>.
Reference (line 770):

http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-saml-bindings-1.1.pdf

Moreover, the assertion can be customized using a custom plug-in, but the standard out-of-the-box assertion does not have a direct configuration setting to do that.
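The rule quoted above can be checked on the receiving side. The following is an added example, not SiteMinder or service-provider code: it reads the Recipient attribute from a SAML 1.1 Response and compares it with the assertion consumer URL. The function name `check_recipient`, the host `sp.example.com` and the sample responses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"  # SAML 1.x protocol namespace

# Constructed sample responses (not SiteMinder output); all values are placeholders.
RESPONSE_URL = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" MajorVersion="1" MinorVersion="1" '
    'ResponseID="_r1" IssueInstant="2024-01-01T00:00:00Z" '
    'Recipient="https://sp.example.com/saml/acs"/>'
)
RESPONSE_URN = RESPONSE_URL.replace("https://sp.example.com/saml/acs",
                                    "urn:example-saml:sp.0001")
RESPONSE_NONE = RESPONSE_URL.replace(' Recipient="https://sp.example.com/saml/acs"', "")


def check_recipient(response_xml: str, acs_url: str) -> str:
    """Return 'ok' or the reason the Recipient does not satisfy the quoted rule.

    Only the Recipient comparison is shown. Signature verification and a
    hardened XML parser are assumed to be applied before this step.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return "not-a-saml1-response"
    recipient = root.get("Recipient")
    if recipient is None:
        return "missing-recipient"
    got, want = urlsplit(recipient), urlsplit(acs_url)
    # The rule requires an https URL, so a URN-style value fails here.
    if got.scheme.lower() != "https":
        return "recipient-not-https-url"
    # hostname is already lower-cased by urlsplit; treat a missing port as 443.
    same = (got.hostname == want.hostname
            and (got.port or 443) == (want.port or 443)
            and got.path == want.path)
    return "ok" if same else "recipient-mismatch"


if __name__ == "__main__":
    for name, xml in [("url", RESPONSE_URL), ("urn", RESPONSE_URN), ("none", RESPONSE_NONE)]:
        print(name, check_recipient(xml, "https://sp.example.com/saml/acs"))
```

A URN-style Recipient such as the one requested in the question is reported as `recipient-not-https-url` by this check, which is why a receiver that enforces the rule expects the endpoint URL.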

Environment

Release:
Component: SMFSS