2 votes

While trying to learn the ADFS 2.0 environment, I created an empty ASP.NET Claims aware application to be the RP using Visual Studio 2010.

Using ADFS 2.0 I did the following:

  1. Created a SAML 2.0 relying party using the 'Add Relying Party Trust...' wizard
  2. Created a SAML 2.0 Claim Provider using the 'Add Claims Provider Trust...' wizard

Now I did the following steps:

  • Pointed browser to http://localhost/adfs/IdpInitiatedSignOn.aspx
  • Selected the RP defined in step 1 from combo box as the site to sign in.
  • Selected in the next page the IDP defined in step 2 from combo box as the authenticating site.
  • Clicked 'Continue to Sign in'

ADFS 2.0 now redirects me to the URL configured for the IDP, and a SAMLRequest is attached to the request (which is great).

However, the SAML Request that arrives at the IDP does not contain any ACS URL (more technically, there is no XML node or attribute named "AssertionConsumerServiceURL").

Isn't the ACS URL a mandatory attribute in a SAML Request?

Thanks! Yoash

1 Answer

0 votes

No, the ACS URL is not a mandatory attribute in a SAML 2.0 AuthnRequest. This information is typically exchanged in the metadata when you set up the trust relationship between the IDP and SP. This simplifies the security check the IDP must do if the ACS URL or ACS Index is present (it must be the same as the metadata, or the AuthnRequest MUST be digitally signed).

We've done quite a bit of interop work with MS WIF/WCF Claims aware applications via our STS as well as SAML 2.0 with ADFSv2 if you'd like some more information.
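To make the rule in the answer concrete, here is an added example (not code from the original post, nor ADFS's own implementation) of how an IdP could resolve the Assertion Consumer Service endpoint for an incoming AuthnRequest. It assumes a constructed SP metadata record (issuer and ACS endpoints keyed by index) and a hypothetical `signature_verified` flag standing in for the result of XML-signature validation, which is out of scope here. The logic follows the answer: no ACS URL or index in the request means "use the metadata default"; a URL or index that is present must match the metadata, and a URL that does not match is only accepted when the request is signed.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the SP metadata the IdP holds after the trust was set up.
# Real deployments read this from the imported SP metadata document.
SP_METADATA = {
    "issuer": "https://sp.example.test/adfs/services/trust",
    "acs": {
        0: "https://sp.example.test/adfs/ls/",
        1: "https://sp.example.test/alt/acs",
    },
    "default_acs_index": 0,
}


def build_authn_request(issuer, acs_url=None, acs_index=None):
    """Construct a minimal samlp:AuthnRequest for testing (sample data, not captured traffic)."""
    attrs = [
        f'xmlns:samlp="{SAMLP_NS}"',
        f'xmlns:saml="{SAML_NS}"',
        'ID="_constructed-request-id"',
        'Version="2.0"',
        'IssueInstant="2012-01-01T00:00:00Z"',
    ]
    if acs_url is not None:
        attrs.append(f'AssertionConsumerServiceURL="{acs_url}"')
    if acs_index is not None:
        attrs.append(f'AssertionConsumerServiceIndex="{acs_index}"')
    return (
        f"<samlp:AuthnRequest {' '.join(attrs)}>"
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def resolve_acs(authn_request_xml, sp_metadata, signature_verified=False):
    """Return the ACS URL the IdP may send the Response to, or raise ValueError.

    signature_verified is a hypothetical input: the caller is assumed to have
    already validated the XML signature (or the Redirect-binding Signature
    parameter) against the SP's registered signing certificate.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")

    issuer_el = root.find(f"{{{SAML_NS}}}Issuer")
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer != sp_metadata["issuer"]:
        raise ValueError("Issuer does not match a registered relying party")

    registered = sp_metadata["acs"]
    url = root.get("AssertionConsumerServiceURL")
    index = root.get("AssertionConsumerServiceIndex")

    # Case 1: neither attribute present (what the question observed from ADFS 2.0):
    # fall back to the default endpoint from metadata.
    if url is None and index is None:
        return registered[sp_metadata["default_acs_index"]]

    # The two attributes are alternatives; a request carrying both is malformed.
    if url is not None and index is not None:
        raise ValueError("AssertionConsumerServiceURL and ...Index are mutually exclusive")

    # Case 2: index present: it must name an endpoint from metadata.
    if index is not None:
        try:
            return registered[int(index)]
        except (KeyError, ValueError):
            raise ValueError("AssertionConsumerServiceIndex not found in metadata") from None

    # Case 3: URL present: accept if it is registered, otherwise only if the request is signed.
    if url in registered.values():
        return url
    if signature_verified:
        return url
    raise ValueError("ACS URL not in metadata and the AuthnRequest is not signed")


def check_request(authn_request_xml, sp_metadata=SP_METADATA, signature_verified=False):
    """Wrap resolve_acs into an (outcome, detail) pair for logging or testing."""
    try:
        return ("accept", resolve_acs(authn_request_xml, sp_metadata, signature_verified))
    except ValueError as exc:
        return ("reject", str(exc))


if __name__ == "__main__":
    sp = SP_METADATA["issuer"]
    for label, xml, signed in [
        ("no ACS attribute", build_authn_request(sp), False),
        ("registered ACS URL", build_authn_request(sp, acs_url="https://sp.example.test/alt/acs"), False),
        ("unregistered ACS URL, unsigned", build_authn_request(sp, acs_url="https://other.example.test/acs"), False),
        ("unregistered ACS URL, signed", build_authn_request(sp, acs_url="https://other.example.test/acs"), True),
        ("ACS index 1", build_authn_request(sp, acs_index=1), False),
        ("ACS index 9", build_authn_request(sp, acs_index=9), False),
    ]:
        print(f"{label}: {check_request(xml, signature_verified=signed)}")
```

The unsigned-but-unregistered case is the one that matters for an IdP: without the metadata check, any party that can make a browser carry an AuthnRequest naming the right Issuer could have the assertion delivered to an endpoint of its choosing. Treating the ACS URL as optional in the request and authoritative in the metadata is exactly what removes that risk.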