Help Needed: Shibboleth SP handling of 'Recipient' SAML Attribute

Cantor, Scott cantor.2 at
Mon Jun 29 22:44:57 UTC 2020

On 6/29/20, 6:38 PM, "users on behalf of Nate Klingenstein" <users-bounces at on behalf of ndk at> wrote:

> Assuming you mean in a Response and Assertion, the destination and recipient attributes are intended to allow the SP
> to interpret how to process the response and to ensure it was made for it and not another SP.  The recipient should be
> the entityID and the destination should be the ACS URL.

They are both set to the ACS URL in the profile.

The only odd thing about the Shibboleth software is that it doesn't look at Destination unless the message is signed, since there's no point in doing so. It requires Destination when messages are signed because that's what the standard says.

-- Scott
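The rule described in the reply above, as an added example that is not part of the original message and is not Shibboleth SP code: Destination is only checked (and then required) when the Response itself is signed, while the bearer Recipient is compared to the ACS URL. The function names, the ACS URL and the sample builder are assumptions made for illustration, and signature verification itself is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # constructed example value


def check_addressing(response_xml, acs_url):
    """Return a list of addressing problems; an empty list means the checks pass."""
    root = ET.fromstring(response_xml)
    problems = []
    # "Signed" here means a ds:Signature directly under Response. Verifying that
    # signature is a separate step this example assumes happens elsewhere.
    signed = root.find("ds:Signature", NS) is not None
    destination = root.get("Destination")
    if signed:
        if destination is None:
            problems.append("signed message has no Destination")
        elif destination != acs_url:
            problems.append("Destination does not match ACS URL")
    # Unsigned message: Destination is not consulted at all.
    confirmations = root.findall(
        "saml:Assertion/saml:Subject/saml:SubjectConfirmation", NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no bearer SubjectConfirmation")
    for conf in bearer:
        data = conf.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != acs_url:
            problems.append("Recipient does not match ACS URL")
    return problems


def sample(destination, recipient, signed):
    """Constructed input: a minimal Response skeleton with a placeholder Signature."""
    dest = f' Destination="{destination}"' if destination else ""
    sig = "<ds:Signature/>" if signed else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}"{dest}>{sig}<saml:Assertion><saml:Subject>'
        f'<saml:SubjectConfirmation Method="{BEARER}">'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        f'</saml:SubjectConfirmation></saml:Subject></saml:Assertion></samlp:Response>'
    )
```
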
