Does Destination attribute in AuthnRequest have to exactly match SingleSignOnService

shibboleth655 at shibboleth655 at
Wed Sep 26 11:15:24 EDT 2018

When a service provider submits an AuthnRequest to the Shibboleth IdP 
with a Redirect, and the AuthnRequest includes the Destination 
attribute, does the value of the Destination attribute have to be an 
_exact_ match for one of the SingleSignOnService values that the IdP 

For example, this appears in our IdP metadata:


However, a service provider is sending an AuthnRequest with this:



Note the extra ":443" in the Destination attribute. Does that extra 
":443" make any difference to the Shibboleth IdP?

More information about the users mailing list