I have been trying to generate a SAML object using opensaml-java.
Ref: slide #30 in https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ForceAuthn="true"
AssertionConsumerServiceURL="http://www.example.com/"
AttributeConsumingServiceIndex="0" ProviderName="string"
ID="abe567de6"
Version="2.0"
IssueInstant="2005-01-31T12:00:00Z"
Destination="http://www.example.com/"
Consent="http://www.example.com/" >
In this, Destination, Consent and AssertionConsumerServiceURL all represent the same address. What are they actually representing?
[Q.1] Is there any difference between them? Surely there must be some difference, otherwise they wouldn't have all three.
Or, if there is no difference, what are they representing?
EDIT 1: AssertionConsumerServiceURL is the landing page of the IdP where the assertion response message from the IdP is expected.
In a SAML 2.0 federation, the assertion consumer service URL can be initiated at the identity provider server site or the service provider site.
Security Assertion Markup Language (SAML) 2.0 is one of the most widely used open standards for authentication and authorization between multiple parties. SAML is an open protocol that gives users the single sign-on (SSO) experience for applications. The other adopted open standards are OAuth and OpenID.
The three distinct types of SAML Assertions are authentication, attribute, and authorization decisions. Authentication assertions help verify the identification of a user and provide the time a user logs in and which method of authentication is used (for example, password, MFA, Kerberos, etc.).
So AssertionConsumerServiceURL is at the Service Provider (SP) side. At this URL the Identity provider (IdP) will send the SAML Response containing the assertions and the Service provider (SP) should have the facilities to read it.
Destination (defined in saml 2 core lines 1477-1482)
Destination is the URL of the endpoint you are sending the message to. Typically SAML peers have different endpoints for different bindings, and the value is used at the IDP to verify that the received message was actually intended for the place where it was received. It helps mitigate certain attack scenarios.
Consent (defined in saml 2 core lines 1483-1488)
The value is just advice to the IDP about the way the sender received permission from the principal (typically a user) to issue this SAML message on her behalf. It's optional and typically unused.
AssertionConsumerServiceURL (defined in saml 2 core lines 2061-2067)
Identifies the URL at your side where the peer IDP must send the response to. When you use this attribute you should also specify ProtocolBinding. The value is mutually exclusive with AssertionConsumerServiceIndex, so you shouldn't use both at the same time.
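As an added illustration of the receiver-side rules described above (not code from the question, the answer or OpenSAML): a stdlib-only Python checker that applies the Destination check and the AssertionConsumerServiceURL rules to a constructed AuthnRequest. The SP and IdP endpoint URLs are hypothetical.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, modelled on the slide-30 request quoted in the question but
# with the URLs set to distinct, hypothetical SP and IdP endpoints.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}"
    ForceAuthn="true"
    AssertionConsumerServiceURL="https://sp.example.com/saml/acs"
    ProtocolBinding="{HTTP_POST}"
    AttributeConsumingServiceIndex="0" ProviderName="string"
    ID="abe567de6" Version="2.0" IssueInstant="2005-01-31T12:00:00Z"
    Destination="https://idp.example.com/saml/sso"
    Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"/>"""


def check_authn_request(xml_text, received_at):
    """Return the problems an IdP-side receiver should flag for an AuthnRequest.

    received_at is the endpoint URL on which the message actually arrived.
    The same Destination comparison applies, mirrored, when the SP later
    receives the Response on its AssertionConsumerServiceURL.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return [f"unexpected root element {root.tag}"]
    problems = []

    # Destination: where the sender meant the message to land. A mismatch means
    # the message reached an endpoint it was not intended for (replay/redirect).
    dest = root.get("Destination")
    if dest is not None and dest != received_at:
        problems.append(f"Destination {dest!r} != receiving endpoint {received_at!r}")

    # AssertionConsumerServiceURL: the SP endpoint the Response must go back to.
    # Mutually exclusive with AssertionConsumerServiceIndex (not to be confused
    # with AttributeConsumingServiceIndex, which selects an attribute set).
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url is not None and root.get("AssertionConsumerServiceIndex") is not None:
        problems.append("AssertionConsumerServiceURL and AssertionConsumerServiceIndex both set")
    if acs_url is not None and root.get("ProtocolBinding") is None:
        problems.append("AssertionConsumerServiceURL given without ProtocolBinding")

    # Consent is only advisory; it is never a reason to reject the request.
    return problems


if __name__ == "__main__":
    print(check_authn_request(SAMPLE_AUTHN_REQUEST, "https://idp.example.com/saml/sso"))
    print(check_authn_request(SAMPLE_AUTHN_REQUEST, "https://idp.example.com/other"))
```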
The SAML specification defines three roles: the principal (typically a user), the Identity provider (IdP), and the service provider (SP). (wiki)
The service provider requests (SAML Request) and obtains an identity assertion from the identity provider (SAML Response).
According to my understanding, the binding represents the way the SAML XML protocol messages will be transported (onto standard messaging formats) between SP and IdP. There is more than one way. For example
and thus the SP might have more than one binding URL address, i.e.