Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
Nate Klingenstein
ndk at signet.id
Mon Jun 29 22:38:33 UTC 2020
Amit,
Assuming you mean in a Response and Assertion, the destination and recipient attributes are intended to allow the SP to interpret how to process the response and to ensure it was made for it and not another SP. The recipient should be the entityID and the destination should be the ACS URL. This is to prevent the abuse of the assertion by someone sending it to another SP, which is important for various security reasons.
So even if there's a way to do so, it would be a bad idea in any case.
I would consider the IdP broken and ask them to fix that so the two fields are filled out correctly.
Best wishes,
Nate.
--------
Signet, Inc.
The Art of Access ®
https://www.signet.id
-----Original message-----
> From: Amit Dongaonkar
> Sent: Monday, June 29 2020, 4:03 pm
> To: users at shibboleth.net
> Subject: Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute
>
>
>
> Hello All,
>
> I am setting up Shibboleth SP to do a PoC for replacing our current SSO setup.
>
> While testing the setup I noticed that the IdP is sending the Destination attribute as null (blank) and the ACS URL in the Recipient attribute.
>
> The SP errors with the Destination attribute null error.
>
> Is there a way to not look at the Destination attribute but instead use the Recipient attribute?
>
> Any help would be appreciated.
>
> Thanks and Regards,
>
> Amit Dongaonkar
>
> Snr. Technical Architect Lead
>
> o: (248) 284-4035 m: (248) 385-6033
>
> 40850 Grand River Ave #100, Novi, MI 48375
>
> www.nitssolutions.com <http://www.nitssolutions.com/>
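A small diagnostic for the situation in this thread, added here as an example and not taken from the original messages or from Shibboleth: it decodes a captured, unencrypted SAMLResponse and reports whether Destination and Recipient are filled in, which is the evidence to send to the IdP operator. The function name, URLs, IDs and sample message are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_addressing(saml_response_b64, acs_url):
    """Return (fields, problems). Diagnostic only; the SP still enforces."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    scd = root.findall(".//saml:SubjectConfirmationData", NS)
    fields = {
        "Destination": root.get("Destination"),
        "Recipient": [e.get("Recipient") for e in scd],
        "Audience": [e.text for e in root.findall(".//saml:Audience", NS)],
    }
    problems = []
    dest = fields["Destination"]
    if dest is None:
        problems.append("Response has no Destination attribute")
    elif not dest.strip():
        problems.append("Response Destination is empty")
    elif dest != acs_url:
        problems.append("Response Destination %r is not this SP's ACS URL" % dest)
    if not scd:
        problems.append("no SubjectConfirmationData found")
    for value in fields["Recipient"]:
        if value is None or not value.strip():
            problems.append("SubjectConfirmationData Recipient is missing or empty")
    return fields, problems

# Constructed sample of the reported case: blank Destination, ACS URL in Recipient.
ACS = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" ID="_r1"'
    ' Version="2.0" IssueInstant="2020-06-29T20:00:00Z" Destination="">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-06-29T20:00:00Z">'
    '<saml:Subject><saml:SubjectConfirmation'
    ' Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="' + ACS + '"/>'
    '</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
    '<saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth'
    '</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
    '</saml:Assertion></samlp:Response>') % NS
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_addressing(SAMPLE, ACS))
```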