
Difference between AssertionConsumerServiceURL , Destination , Consent in <saml:AuthnRequest>

I have been trying to generate SAML object using opensaml-java.

Ref:slide #30 in https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ForceAuthn="true"
                    AssertionConsumerServiceURL="http://www.example.com/"
                    AttributeConsumingServiceIndex="0" ProviderName="string"
                    ID="abe567de6"
                    Version="2.0"
                    IssueInstant="2005-01-31T12:00:00Z"
                    Destination="http://www.example.com/"
                    Consent="http://www.example.com/">
</samlp:AuthnRequest>

In this, Destination, Consent and AssertionConsumerServiceURL all three represent the same address. What are they actually representing?

[Q.1] Is there any difference between them? Surely there must be some difference, otherwise they wouldn't have all three things.

OR, if there is no difference, what are they representing?

EDIT 1: AssertionConsumerServiceURL is the landing page of the IdP where the assertion response message from the IdP is expected.

mavis asked Feb 04 '14 05:02



2 Answers

Destination (defined in SAML 2 Core, lines 1477-1482)

Destination is the URL of the endpoint you are sending the message to. Typically SAML peers have different endpoints for different bindings, and the value is used at the IdP to verify that the received message was actually intended for the place where it was received. It helps mitigate certain attack scenarios.

Consent (defined in SAML 2 Core, lines 1483-1488)

The value is just advice to the IdP about the way the sender received permission from the principal (typically a user) to issue this SAML message on her behalf. It's optional and typically unused.

AssertionConsumerServiceURL (defined in SAML 2 Core, lines 2061-2067)

Identifies the URL at your side where the peer IdP must send the response to. When you use this attribute you should also specify ProtocolBinding. The value is mutually exclusive with AssertionConsumerServiceIndex, so you shouldn't use both at the same time.

Vladimír Schäfer answered Oct 14 '22 00:10
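As an added illustration of how an IdP would act on the three attributes described above (example code written for this page, not from the answer and not OpenSAML), a standard-library Python check: Destination must equal the endpoint that actually received the request, AssertionConsumerServiceURL must be one the Issuer registered, the URL and index forms must not be mixed, and Consent is merely recorded. The SP registry, endpoint URLs and sample request are constructed for the example.

```python
# Added example, not OpenSAML code; the registry, endpoint URLs and sample are constructed.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP registry: Issuer -> set of ACS URLs the SP registered in its metadata.
SP_REGISTRY = {
    "https://sp.example.org/saml": {"https://sp.example.org/saml/acs"},
}

def check_authn_request(xml_text, received_at, registry=SP_REGISTRY):
    """Return a list of problems; an empty list means the attributes are acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not an AuthnRequest"]
    # Destination: must name the endpoint that really received the message.
    dest = root.get("Destination")
    if dest is not None and dest != received_at:
        problems.append(f"Destination {dest!r} does not match receiving endpoint {received_at!r}")
    # AssertionConsumerServiceURL and AssertionConsumerServiceIndex are mutually exclusive.
    acs_url = root.get("AssertionConsumerServiceURL")
    acs_index = root.get("AssertionConsumerServiceIndex")
    if acs_url is not None and acs_index is not None:
        problems.append("AssertionConsumerServiceURL and AssertionConsumerServiceIndex both present")
    # The Response will be sent to the ACS URL, so it must be one the Issuer (SP) registered.
    issuer_el = root.find(f"{{{SAML}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if acs_url is not None:
        if issuer not in registry:
            problems.append(f"unknown Issuer {issuer!r}")
        elif acs_url not in registry[issuer]:
            problems.append(f"AssertionConsumerServiceURL {acs_url!r} not registered for {issuer!r}")
        if root.get("ProtocolBinding") is None:
            problems.append("AssertionConsumerServiceURL given without ProtocolBinding")
    # Consent is advisory only: an IdP may log root.get("Consent") but should not enforce it.
    return problems

# Constructed sample: Destination matches the IdP endpoint and the ACS URL is registered.
GOOD_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_c1" Version="2.0" IssueInstant="2014-02-04T05:02:00Z"
    Destination="https://idp.example.net/sso/post"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs"
    ProtocolBinding="{POST_BINDING}">
  <saml:Issuer>https://sp.example.org/saml</saml:Issuer>
</samlp:AuthnRequest>"""
```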


The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP). (wiki)

The service provider requests (SAML Request) and obtains an identity assertion from the identity provider (SAML Response).

So AssertionConsumerServiceURL is at the service provider (SP) side. At this URL the identity provider (IdP) will send the SAML Response containing the assertions, and the service provider (SP) should have the facilities to read it.

According to my understanding, the binding represents the way the SAML XML protocol messages will be transported (on top of standard messaging formats) between the SP and IdP. There is more than one way, for example:

  • HTTP POST
  • HTTP Redirect
  • SAML SOAP Binding (based on SOAP 1.1)

and thus the SP might have more than one binding URL address, i.e.

  • Assertion Consumer Service POST Binding URL
  • Assertion Consumer Service Redirect Binding URL

gazgas answered Oct 14 '22 01:10