SAML 2.0 - Many AssertionConsumerService in SP



I am implementing SAML 2.0 SP.
I have a login servlet with an endpoint https://my.domain.com/mng/samlLogin , so in the SP metadata file I define:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/> 

And I send this endpoint in the AuthnRequest as AssertionConsumerServiceURL.

Now I have another servlet with different functionality, and it should check the user via SAML as part of its flow.
So I need to define the new servlet URL as an additional endpoint, say https://my.domain.com/mng/myServletSamlLogin , which will receive a response to the SAML check.
Is it possible? Can I define multiple AssertionConsumerService elements for the same binding (HTTP-POST)?

Thanks!

+2
2 answers

Yes, you can include additional <md:AssertionConsumerService> elements in the SAML 2.0 SP metadata with the same binding, each with its own unique index. Alternatively, you can sign authentication requests as a SP, in which case you can freely specify the AssertionConsumerServiceURL without requiring it to be published and configured earlier as part of the SP metadata exchange.

All this corresponds to the specification, but keep in mind (as always, with the "advanced" SAML parameters) that your mileage may vary regarding support in the various SAML implementations.

+3
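As an added example (not code from the original post or from any SAML product), here is an SP-side helper that emits metadata with the two HTTP-POST AssertionConsumerService entries from the question, distinguished by index, and then applies the check each ACS servlet should make before processing a Response: the Destination must be a registered ACS endpoint and must be the endpoint that actually received it. The entity ID and the sample Response are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Two ACS endpoints for the same HTTP-POST binding; the index must be unique
# and only one entry may be the default (URLs taken from the question).
ACS_ENDPOINTS = [
    (0, "https://my.domain.com/mng/samlLogin", True),
    (1, "https://my.domain.com/mng/myServletSamlLogin", False),
]

def build_sp_metadata(entity_id):
    """Emit SP metadata listing every endpoint in ACS_ENDPOINTS."""
    ET.register_namespace("md", MD)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAMLP)
    for index, url, is_default in ACS_ENDPOINTS:
        attrs = {"Binding": HTTP_POST, "Location": url, "index": str(index)}
        if is_default:
            attrs["isDefault"] = "true"
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", attrs)
    return ET.tostring(root, encoding="unicode")

def registered_acs(metadata_xml):
    """Return {index: Location} for the HTTP-POST ACS entries in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {int(a.get("index")): a.get("Location")
            for a in root.iter(f"{{{MD}}}AssertionConsumerService")
            if a.get("Binding") == HTTP_POST}

def response_accepted_here(response_xml, receiving_url, metadata_xml):
    """An ACS servlet should only process a Response whose Destination is both
    a registered ACS endpoint and the endpoint that actually received it;
    otherwise a Response issued for one servlet could be replayed to another."""
    dest = ET.fromstring(response_xml).get("Destination")
    return dest == receiving_url and dest in registered_acs(metadata_xml).values()

# Constructed sample Response envelope (no assertion or signature; the
# signature and assertion checks are separate from this destination check).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
    'Destination="https://my.domain.com/mng/myServletSamlLogin"/>'
)

if __name__ == "__main__":
    md = build_sp_metadata("https://my.domain.com/mng")
    print(registered_acs(md))
    print(response_accepted_here(SAMPLE_RESPONSE, ACS_ENDPOINTS[1][1], md))
```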

See the Assertion Consumer Service glossary, which will tell you that

Assertion Consumer Service

The SAML-compliant part of PingFederate in the SP role that accepts and processes assertions from an IdP.

Attributes

Individual characteristics that describe the subject. If the subject is a Website User, attributes may include name, group affiliation, email address, etc.

Attribute contract

A list of attributes agreed to by the partners in an identity federation, representing the user information (SAML subject). The attributes are sent from the IdP to the SP during SSO or STS processing.

This is how you associate the bindings with the assertion consumer service (ACS) endpoint(s) where your SP will receive assertions.

0