How to access the AssertionConsumerServiceURL from the AuthnRequest in a custom MFA flow

Marc Jay marc.jay at
Thu Apr 16 12:23:26 EDT 2020


We have an existing Shibboleth SP and IdP setup with IdP 3.4.6 and an MFA flow that programmatically selects flows depending on the user’s access and whether they should be “SP-initiated” SSO redirected to a user’s company’s IdP for auth. This decision needs the user’s email address and some database calls to determine the answer, and we don’t want to make the user pick from a list of IdPs – this is I believe justification for not using the IdP discovery service functionality in V3 and below.

We are in the process of protecting a new subdomain by Shibboleth, but do not wish to introduce an additional entity ID for this – authentication to one subdomain should cover auth for the other. They are both reverse proxied by the same SP instance.

Everything works when logging in with our IdP, no issues. However, having challenges getting users who log in with third-party IdPs who want to go to the new subdomain, to be redirected to this domain after log in. The existing “SP-initiated” flow works by having the following view state in one of the flows:

    <view-state id="redirect"
        view="externalRedirect:<sp-session-initiator-url>?entityID=<IdP Entity ID of the appropriate IdP for user>">

I believe a solution would be to look at the AssertionConsumerServiceURL of the AuthnRequest to determine which of the subdomains the user was trying to log into, and then append the right URL as a ‘target’ param to that URL above, but I cannot see how the ACS URL can be accessed from any of the available contexts in the flow. I appreciate that with the recently released version 4.0.0, the SAMLAuthnConfiguration SAML proxy feature might be a better option, but a major version upgrade is unfortunately out of reach this month.

Is there a way we could access the ACS URL that started this login flow, or a different way to achieve the IdP redirection above?

Many thanks for your help, it would be really appreciated,

Taskize Limited registered address 33 Cannon Street, London, EC4M 5SB. Registered in England No. 7921239. This message may contain information that is privileged or confidential. If you are not the intended recipient please delete it and inform the sender immediately.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list