Tuesday, November 6, 2007

Where to send the reply to an <AuthnRequest>

pencil icon, that"s clickable to start editing the post

Some days ago I was running through a web SSO scenario and I confused myself with where what message goes. In this posting I look into where the IdP sendes the Response on an AuthnRequest. In [SAMLProf] under Web Browser SSO Profile, section " Identity Provider Issues <Response> to Service Provider":

The location of the assertion consumer service MAY be determined using metadata (as in [SAMLMeta]). The identity provider MUST have some means to establish that this location is in fact controlled by the service provider. A service provider MAY indicate the SAML binding and the specific assertion consumer service to use in its <AuthnRequest> and the identity provider MUST honor them if it can.

Where the reference to [SAMLMeta] is in section "2.4.4 Element <SPSSODescriptor>":

<AssertionConsumerService> [One or More]
One or more elements that describe indexed endpoints that support the profiles of the Authentication Request protocol defined in [SAMLProf]. All service providers support at least one such endpoint, by definition.

with the example on page 25:



AssertionConsumerServiceIndex [Optional]
Indirectly identifies the location to which the <Response> message should be returned to the requester. It applies only to profiles in which the requester is different from the presenter, such as the Web Browser SSO profile in [SAMLProf]. The identity provider MUST have a trusted means to map the index value in the attribute to a location associated with the requester. [SAMLMeta] provides one possible mechanism. If omitted, then the identity provider MUST return the <Response> message to the default location associated with the requester for the profile of use. If the index specified is invalid, then the identity provider MAY return an error <Response> or it MAY use the default location. This attribute is mutually exclusive with the AssertionConsumerServiceURL and ProtocolBinding attributes.
AssertionConsumerServiceURL [Optional]
Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.


In the hearing version of DK-SAML V2.0 it says in section 4.5.3 Location of Service Provider:

In order to send the response, the Service Providers assertion consumer service must first be located. The SAML profile states that meta data MAY be used for this purpose but in the Danish profile this is a MUST.

which means that the use of AssertionConsumerServiceURL is forbidden in DK-SAML V2.0.


I've searched the documents from e-Authentication and I haven't found anything so they must be satisfied by the flexibility in the SAML V2.0 specification.