AssertionConsumerURL Precedence

Nate Klingenstein ndk at
Thu Oct 22 19:04:08 UTC 2020


A SAMLtest user needs to generate somewhat arbitrary AssertionConsumerService URL's.  They're using appropriately signed requests, but as a result of the arbitrary ACS URL's, they're getting endpoint mismatches at the IdP, while this practice is apparently permitted by a large number of IdP's.

That URL, being arbitrary, isn't and can't be enumerated in their metadata.  My presumption is that the metadata is taking precedence over the signed request, being taken as more authoritative as having been vetted and signed by a third party rather than just the SP itself.

I assume this is intended behavior, but is there a way the metadata check could be made optional for signed requests?  A quick perusal of the Wiki doesn't find one.

Thanks in advance,

Signet, Inc.
The Art of Access ®

More information about the users mailing list