Identity Gateway: OPENIG-5161

Doc: Add note about Location attribute in AssertionConsumerService should always include port


    Details

    Type: Improvement
    Status: Resolved
    Priority: Minor
    Resolution: Fixed
    Affects Version/s: 6.5.3, 7.0.0, 7.0.2, 7.1.0
    Fix Version/s: 7.1.0
    Component/s: Doc, SAML
    Labels: None
    Environment: IG working as a SAML SP served over https on the default port 443

      Description

      The logic that the underlying SAML library component (FedletRootUrlProvider) uses to validate the SP's AssertionConsumerService Location value against the incoming IdP SAML assertion constructs a string from the request details, including the port, and compares it with the Location value. This causes problems on the default ports (http/80 and https/443), where the Location is commonly written without a port and therefore never matches the reconstructed string.

      For example, this Location value will fail validation because no port is included:

              <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/fedletapplication"/>

      The way to avoid this is to always include the port value in the Location attribute:

              <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com:443/fedletapplication"/>
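
      The following Python snippet is an added example, not IG's or the Fedlet library's code: it models the string-based comparison described above, shows why a Location without a port fails on https/443, applies the workaround of making the port explicit, and contrasts it with a port-aware comparison. The metadata fragment and request details are constructed for the example; the md namespace prefix is assumed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed SP metadata fragment modelled on the issue's first snippet (port omitted).
SP_METADATA = f"""<md:SPSSODescriptor xmlns:md="{MD_NS}">
  <md:AssertionConsumerService isDefault="true" index="0"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.com/fedletapplication"/>
</md:SPSSODescriptor>"""

# Constructed request details as IG sees them when serving https on the default port.
REQUEST = {"scheme": "https", "host": "sp.example.com", "port": 443, "path": "/fedletapplication"}

def acs_locations(metadata_xml: str) -> list:
    """Return every AssertionConsumerService Location found in an SP metadata fragment."""
    root = ET.fromstring(metadata_xml)
    return [el.get("Location") for el in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]

def strict_location_check(request: dict, location: str) -> bool:
    """Model of the comparison the issue describes: rebuild the expected ACS URL from the
    request details, port always included, and compare the strings literally.
    Illustrative model only, not FedletRootUrlProvider's actual code."""
    expected = f"{request['scheme']}://{request['host']}:{request['port']}{request['path']}"
    return expected == location

def normalized_location_check(request: dict, location: str) -> bool:
    """Port-aware comparison: an omitted port means the scheme default, so a Location
    with or without ':443' matches an https request on port 443."""
    parts = urlsplit(location)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme == request["scheme"] and parts.hostname == request["host"]
            and port == request["port"] and parts.path == request["path"])

def fixed_location(location: str) -> str:
    """Apply the issue's workaround: make the default port explicit in a Location that lacks one."""
    parts = urlsplit(location)
    if parts.port is not None:
        return location
    return parts._replace(netloc=f"{parts.hostname}:{DEFAULT_PORTS[parts.scheme]}").geturl()

if __name__ == "__main__":
    for loc in acs_locations(SP_METADATA):
        print(loc, strict_location_check(REQUEST, loc),
              fixed_location(loc), strict_location_check(REQUEST, fixed_location(loc)))
```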
      

            People

            joanne.henry Joanne Henry
            markdr Mark de Reeper