IDP defaulting to different AssertionConsumerServiceURL

Document ID : KB000004546
Last Modified Date : 14/02/2018
Issue:

  There are 2 ways to specify the endpoint acting as the Assertion Consumer Service in the Query Parameters for the AuthnRequest Server at the SP side.
  You can use an index, or specify the URL explicitly. To illustrate:

  1. AssertionConsumerServiceIndex=1

  or

  2. AssertionConsumerServiceURL=http://spid-test.com/path1/example.sso/SAML2/POST

  In our setting, we've set the second, AssertionConsumerServiceURL.

  We have our SP sending an AuthnRequest with AssertionConsumerServiceURL: http://spid-test.com/path1/example.sso/SAML2/POST

  However, we observe the IDP defaulting to a different URL: http://spid-test.com/path0/example.sso/SAML2/POST. How can we force
  the explicit use of the value from AssertionConsumerServiceURL?

Environment:
Secure Cloud version: 1.55
Cause:

You'll have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP>Remote SP partnership
in order to get the AssertionConsumerServiceURL to take precedence over the others configured on the IDP side.

Resolution:

You will have to enable the flag "Accept Only Registered Remote ACS URL in Authnrequest" in the Local IDP>Remote SP partnership.
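
The following is an added example, not the product's code: a generic SAML 2.0 sketch of how an IdP can pick the ACS endpoint from an AuthnRequest (explicit URL, index, or default) while only ever answering to registered endpoints. The registry contents, the index assignments, and the names resolve_acs, sample_request and AcsRejected are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed registry for the remote SP: index -> ACS URL (assumed assignment).
REGISTERED_ACS = {
    0: "http://spid-test.com/path0/example.sso/SAML2/POST",  # default endpoint
    1: "http://spid-test.com/path1/example.sso/SAML2/POST",
}
DEFAULT_INDEX = 0


class AcsRejected(Exception):
    """The AuthnRequest names an ACS the IdP must not send the assertion to."""


def resolve_acs(authn_request_xml, registered=REGISTERED_ACS, default_index=DEFAULT_INDEX):
    """Return the ACS URL to answer on, or raise AcsRejected."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise AcsRejected("not a SAML 2.0 AuthnRequest")
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")
    if url is not None and index is not None:
        # SAML 2.0 core: the two attributes are mutually exclusive.
        raise AcsRejected("both AssertionConsumerServiceURL and Index present")
    if url is not None:
        # Exact string match against registered endpoints, never prefix or host match.
        if url not in registered.values():
            raise AcsRejected(f"unregistered ACS URL: {url}")
        return url
    if index is not None:
        try:
            return registered[int(index)]
        except (ValueError, KeyError):
            raise AcsRejected(f"unknown ACS index: {index}") from None
    return registered[default_index]  # the request named no endpoint


def sample_request(**attrs):
    """Build a minimal, constructed AuthnRequest carrying the given attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed1" Version="2.0"{extra}/>'


if __name__ == "__main__":
    print(resolve_acs(sample_request(AssertionConsumerServiceURL=REGISTERED_ACS[1])))
    print(resolve_acs(sample_request(AssertionConsumerServiceIndex="1")))
    print(resolve_acs(sample_request()))
```

Rejecting an unregistered URL outright, rather than silently falling back to the default, keeps a mismatch between SP and IdP configuration visible in the logs.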