Does Destination attribute in AuthnRequest have to exactly match SingleSignOnService

Brent Putman putmanb at
Wed Sep 26 18:50:12 EDT 2018

On 9/26/18 11:18 AM, Cantor, Scott wrote:
>> Note the extra ":443" in the Destination attribute. Does that extra ":443" make
>> any difference to the Shibboleth IdP?
> Yes, we are not obligated to, and do not do, any URL canonicalizaton to compare values.

Actually, we do perform canonicalization in the evaluation of inbound
protocol Destination URLs.  As Scott says we don't do that with usual
endpoint validation (say of AuthnRequest AssertionConsumerServiceURL
against metadata).  In that case the SP is nominally in control of both
values, represented as literal strings (determined by the SP itself) in
the request and in metadata, and we treat it as the SP's responsibility
to use a consistent value.

However we do do c14n for Destination eval.  It's because there is no
reliable behavior for what the HttpServletRequest returns as the request
URL (Tomcat vs Jetty vs etc).  It may or may not include the default
port for the scheme, for example.  The SP can't possibly know what exact
representation the IdP is going to see as the delivered endpoint URL. 
So we compare the canonicalized forms of both to ensure interop.

For the record, that c14n is (from java-support SimpleURLCanonicalizer):

* <ul>
 *   <li>The scheme is lower-cased.</li>
 *   <li>The hostname is lower-cased</li>
 *   <li>The port is removed if it is the default port registered for
the scheme</li>
 * </ul>

So wrt the OP's original question, the presence/absence of the 443 port
for an https URL will not be significant in the comparison.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list