Does Destination attribute in AuthnRequest have to exactly match SingleSignOnService

Brent Putman putmanb at
Wed Sep 26 18:55:14 EDT 2018

On 9/26/18 6:50 PM, Brent Putman wrote:
> So wrt the OP's original question, the presence/absence of the 443
> port for an https URL will not be significant in the comparison.

Or to actually answer the OP's question more accurately, since the
question is little off-base:  The Destination is not in fact evaled
against the SingleSignonService. It's evaled against the actual endpoint
at which the IdP receives the message, as determined by the servlet
container environment.  As I said in my previous not, that comparison is

The other eval that happens in the IdP is evaling the AuthnRequest's
AssertionConsumerServiceURL against the AssertionConsumerService in the
SP's metadata.  That is not canonicalized and must match exactly. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list