Does Destination attribute in AuthnRequest have to exactly match SingleSignOnService
shibboleth655 at lewenberg.com
Wed Sep 26 11:15:24 EDT 2018
When a service provider submits an AuthnRequest to the Shibboleth IdP
with a Redirect, and the AuthnRequest includes the Destination
attribute, does the value of the Destination attribute have to be an
_exact_ match for one of the SingleSignOnService values that the IdP
expects?

For example, this appears in our IdP metadata:

    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO"/>

However, a service provider is sending an AuthnRequest with this:

    <samlp:AuthnRequest
        ...
        Destination="https://login.stanford.edu:443/idp/profile/SAML2/Redirect/SSO"
        ...
    >

Note the extra ":443" in the Destination attribute. Does that extra
":443" make any difference to the Shibboleth IdP?
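
Added example, not part of the original post and not Shibboleth code: a diagnostic sketch in Python that compares the Destination quoted above against the metadata Location in two ways, as exact strings and after default-port normalization. The XML wrappers, the ID and IssueInstant values and all function names are constructed for illustration; the sketch shows only how the two values differ, not which comparison the IdP applies.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"https": 443, "http": 80}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample input built around the two values quoted in the post.
IDP_METADATA = f"""<IDPSSODescriptor xmlns="{MD_NS}"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <SingleSignOnService Binding="{REDIRECT}"
      Location="https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO"/>
</IDPSSODescriptor>"""
AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed" Version="2.0" IssueInstant="2018-09-26T15:15:24Z"
    Destination="https://login.stanford.edu:443/idp/profile/SAML2/Redirect/SSO"/>"""


def sso_locations(metadata_xml, binding):
    # Collect every SingleSignOnService Location published for one binding.
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}SingleSignOnService"
    return [e.get("Location") for e in root.iter(tag) if e.get("Binding") == binding]


def normalize(url):
    # Lowercase scheme and host, and make an omitted default port explicit.
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/", p.query)


def compare_destination(request_xml, metadata_xml, binding):
    # Report both comparison outcomes so a mismatch can be traced to its cause.
    dest = ET.fromstring(request_xml).get("Destination")
    locs = sso_locations(metadata_xml, binding)
    return {
        "destination": dest,
        "exact": dest in locs,
        "normalized": any(normalize(dest) == normalize(loc) for loc in locs),
    }


if __name__ == "__main__":
    print(compare_destination(AUTHN_REQUEST, IDP_METADATA, REDIRECT))
```

A result where the exact comparison fails and the normalized one succeeds points to a cosmetic difference such as the explicit default port, which the service provider can remove by sending the Location exactly as published in the metadata.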