Forums, Documentation & Knowledge Base - ComponentSpace

Validate list of Destination in SAMLResponse


https://componentspace.com/forums/Topic11599.aspx

By ganeshsivam - 6/5/2021

Hi,
Our SSO app has different domain names (id.dev.acme.com, id.dev.acme.io, etc.) and all point to the same instance.
Hence the ACS URL is different for each domain, and I'm able to configure multiple SAML configurations for each domain.

In SP-initiated SSO, the ACS URL in the SAMLRequest is https://id.dev.acme.com/SAML/AssertionConsumerService and in the SAMLResponse the Destination URL is https://id.dev.acme.io/SAML/AssertionConsumerService. There is a mismatch and ComponentSpace throws the exception below:

[ERR]  Saml Service Provider exception on RecieveSsoAsyncComponentSpace.Saml2.Exceptions.SamlProtocolException: The SAML response destination https://id.dev.acme.io/SAML/AssertionConsumerService doesn't match the local provider name or URL. at ComponentSpace.Saml2.SamlProvider.CheckDestination(StatusResponseType samlResponse, String destinationName, String destinationUrl) at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement) at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync() at Identity.Service.Controllers.SamlController.AssertionConsumerService() in /tmp/Identity.Service/Controllers/SamlController.cs:line 93

So, my question: Is it possible to validate against a list of Destination URLs in the SAMLResponse with ComponentSpace?

Thanks

By ComponentSpace - 6/6/2021

Please enable SAML trace and send the generated log file as an email attachment to [email protected] mentioning your forum post.

https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

Once the log has been captured and as a temporary fix, disable the destination check by setting the following in your PartnerIdentityProviderConfiguration:

   "DisableDestinationCheck": true
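The allowlist the question asks for, as an added example that is neither ComponentSpace's code nor from this thread: it parses a samlp:Response and accepts its Destination only if it is one of the SP's configured ACS URLs (the URLs and the sample response are constructed from the host names in the thread), which is a much narrower relaxation than turning the check off with DisableDestinationCheck. The strict mode additionally applies the SAML rule that Destination must equal the endpoint the response was actually posted to.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Assumed SP configuration (hypothetical URLs built from the thread's host names):
ALLOWED_ACS_URLS = {
    "https://id.dev.acme.com/SAML/AssertionConsumerService",
    "https://id.dev.acme.io/SAML/AssertionConsumerService",
}

# Constructed sample response reproducing the thread's case (.io Destination).
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2021-06-05T00:00:00Z" '
    'Destination="https://id.dev.acme.io/SAML/AssertionConsumerService"/>'
)

class DestinationError(ValueError):
    """The Destination check failed; the response must be rejected."""

def normalize_url(url):
    """Lowercase scheme and host, drop the default port, strip a trailing slash."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port == {"https": 443, "http": 80}.get(scheme):
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return f"{scheme}://{netloc}{p.path.rstrip('/') or '/'}"

def check_destination(response_xml, received_at, allowed=ALLOWED_ACS_URLS, strict=False):
    """Return the configured ACS URL the response is addressed to, else raise.
    strict=True applies the SAML rule that Destination must equal the endpoint
    the response was posted to; strict=False accepts any configured ACS URL,
    the narrowest relaxation for a multi-domain SP (never "any destination")."""
    root = ET.fromstring(response_xml)  # production: parse untrusted XML with defusedxml
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise DestinationError("root element is not samlp:Response")
    dest = root.get("Destination")
    if not dest:
        raise DestinationError("Destination attribute missing")
    canon = normalize_url(dest)
    if strict and canon != normalize_url(received_at):
        raise DestinationError(f"Destination {dest} != receiving endpoint {received_at}")
    by_canon = {normalize_url(u): u for u in allowed}
    if canon not in by_canon:
        raise DestinationError(f"Destination {dest} is not a configured ACS URL")
    return by_canon[canon]
```

Rejected responses should be logged with the offending Destination and the receiving endpoint so a misconfigured IdP can be told apart from a response relayed to the wrong host.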