SAML 2.0 - Multiple AssertionConsumerService in SP

Published 2019-02-19 18:45

Question:

I implement a SAML 2.0 SP.
I have a login servlet with endpoint https://my.domain.com/mng/samlLogin, so in the SP metadata file I define:

<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/>

And send this endpoint in the AuthnRequest under the AssertionConsumerServiceURL.

Now, I have another servlet with a different functionality, and it needs to validate the user against SAML as part of its flow.
So I need to define the new servlet's URL as an additional endpoint, let's say https://my.domain.com/mng/myServletSamlLogin, which will get the SAML authentication response.

Is this possible? Can I define multiple AssertionConsumerService elements for the same binding (HTTP-POST)?

Thanks!

Answer 1:

Yes, you can include additional <md:AssertionConsumerService> elements in the SAML 2.0 SP metadata with the same binding, each with its own unique index. Alternatively you can choose to sign the authentication requests as the SP in which case you can freely specify an AssertionConsumerServiceURL without the requirement that it was published and configured earlier as part of the SP metadata exchange.

This is all spec compliant but be aware (as always with "advanced" SAML options) that your mileage may vary wrt. support across different SAML implementations.
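Added example (not code from the original answer): the SP metadata with two HTTP-POST AssertionConsumerService entries that this answer describes, plus the two checks that go with multiple endpoints: an IdP should POST to a URL named in an unsigned AuthnRequest only if that URL is published in the metadata (a signed request may name any URL, the answer's second option), and the SP should verify that the Response Destination is a registered endpoint and the one that actually received the POST. The metadata document, the second endpoint's index and the helper names are constructed assumptions.

```python
# Added example (not from the original post): resolving and validating
# AssertionConsumerService endpoints from SP metadata with two HTTP-POST
# entries. Metadata and helper names are constructed for illustration.
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: same binding, distinct indexes, one default.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://my.domain.com/mng">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://my.domain.com/mng/samlLogin" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://my.domain.com/mng/myServletSamlLogin" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_acs(metadata_xml):
    """Return {index: (binding, location, is_default)} from SP metadata."""
    acs = {}
    for el in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}AssertionConsumerService"):
        idx = int(el.get("index"))
        if idx in acs:  # the metadata schema requires indexes to be unique
            raise ValueError(f"duplicate AssertionConsumerService index {idx}")
        acs[idx] = (el.get("Binding"), el.get("Location"), el.get("isDefault") == "true")
    return acs

def resolve_acs(acs, requested_url=None, requested_index=None, request_signed=False):
    """IdP-side: choose where to POST the Response for an AuthnRequest.

    An unsigned request may only name a Location already published in the
    SP metadata; a signed request may name any URL (the answer's second
    option). With neither hint the default endpoint is used.
    """
    if requested_index is not None:
        return acs[requested_index][1]
    if requested_url is not None:
        if request_signed or any(loc == requested_url for _, loc, _ in acs.values()):
            return requested_url
        raise ValueError("AssertionConsumerServiceURL is not a published endpoint")
    return next(loc for _, loc, default in acs.values() if default)

def response_destination_ok(acs, destination, received_at):
    """SP-side: the Response's Destination must be a registered ACS Location
    and must equal the endpoint that actually received the HTTP-POST."""
    return destination == received_at and any(loc == destination for _, loc, _ in acs.values())
```

Exact string comparison of the Location values matters here; prefix or substring matching would let an unregistered URL pass the check.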



Answer 2:

Have a look at the Assertion Consumer Service Glossary, which will tell you that

Assertion Consumer Service

A SAML-compliant portion of PingFederate in an SP role that receives and processes assertions from an IdP.

attributes

Distinct characteristics that describe a subject. If the subject is a Web site user, attributes may include a name, group affiliation, email address, etc.

attribute contract

A list of attributes, agreed to by the partners in an identity federation, representing information about a user (SAML subject). The attributes are sent from the IdP to the SP during SSO or STS processing.

So you associate bindings to the Assertion Consumer Service (ACS) endpoint(s) where your SP will receive assertions.