Which AssertionConsumerServiceURL should an IdP use?

If a SAML IdP has a pre-configured ACS URL (for example, the ACS from the SP metadata), should it ignore the ACS sent in the AuthnRequest?

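The SAML core specification states that the IdP must use the ACS specified in the AuthnRequest. It also states that the IdP must ensure by some means that the ACS belongs to the SP, for example by relying on the message signature or on the ACS being defined in the metadata.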

From the specification:

AssertionConsumerServiceURL [Optional] Specifies by value the location to which the message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing message is another.
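
One way an IdP could apply this rule, as an added example that is not part of the original answer or of any SAML library. The SP_METADATA registry, the function names and the signature_verified flag are assumptions: the flag is expected to be set by the caller only after the request signature has been verified against the SP's registered key.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed registry standing in for parsed SP metadata (assumption):
# entityID -> registered ACS Locations, default endpoint first.
SP_METADATA = {
    "https://sp.example.com/metadata": [
        "https://sp.example.com/saml/acs",
        "https://sp.example.com/saml/acs2",
    ],
}


class AcsRejected(Exception):
    """The requested ACS could not be tied to the requester."""


def make_request(issuer, acs=None):
    """Build a constructed sample AuthnRequest (not captured traffic)."""
    attr = ' AssertionConsumerServiceURL="%s"' % acs if acs else ""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" '
            'ID="_a1" Version="2.0"%s><saml:Issuer>%s</saml:Issuer>'
            '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"], attr, issuer))


def resolve_acs(authn_request_xml, signature_verified=False):
    """Return the URL the response may be sent to, or raise AcsRejected."""
    # Production code should parse untrusted XML with a hardened parser.
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsRejected("not an AuthnRequest")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    registered = SP_METADATA.get(issuer)
    if not registered:
        raise AcsRejected("unknown requester: %r" % issuer)
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return registered[0]      # nothing requested: metadata default
    if requested in registered:   # exact match only, no prefix or wildcard
        return requested          # mechanism 1: value is in the SP metadata
    if signature_verified:
        return requested          # mechanism 2: enclosing message was signed
    raise AcsRejected("ACS %r not associated with %r" % (requested, issuer))
```
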