Question
We are using PingFederate for SSO and it is SP initiated, and PingFederate will act as the IdP. For the application there are 2 web servers (for high availability).
My questions are: 1. Can we provide two URLs as default? (In the console only one URL can be set as default. In this case can we provide two comma-separated URLs?)
2. Can a load balancer URL be provided as the ACS URL?
Thank you!
Answer 1:
I think you want to publish the assertion consumer service URLs in SP metadata, as it is specific to the service provider.
You can have a unique or the same ACS endpoint for each binding the SP supports, and the endpoint has to understand the response with regard to the binding from the IdP. Also, ACS endpoints can be indexed and any one of them can be set as default in the metadata. Example:
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sts.contoso.com/adfs/ls/" index="0" isDefault="true" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sts.contoso.com/adfs/ls/" index="1" />
<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://sts.contoso.com/adfs/ls/" index="2" />
As long as the IdP can reach the SP server from the outside world, you could use the load balancer URL.
Answer 2:
As you have noted in the PingFederate Admin Console, you can specify multiple ACS URLs; however, only one is the default URL. Each ACS URL is assigned an index number.
Using IdP-Initiated SSO, the default ACS URL will be used to send the SAML assertion if an ACSIdx query parameter is not supplied. This query parameter specifies which ACS URL is to be used. When the parameter is used, it will send the SAML assertion to the ACS URL associated with the index as shown in the PingFederate Admin Console.
Using SP-Initiated SSO, the ACS URL can be dynamic if the service provider application sends a signed AuthnRequest. Per the SAML specification, SP-Initiated SSO can send an ACS URL that will be used by the Identity Provider (in this case the PingFederate IdP) to transmit the SAML assertion. Thus, the requesting server specifies how to return to itself, provided the AuthnRequest is signed and trusted by the PingFederate IdP Server.
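Added example, not from the question or either answer, showing what the rule in answer 2 looks like as an IdP-side check: a requested ACS URL is honoured only when the AuthnRequest is signed and the URL is already registered in the SP metadata; otherwise the requested index or the metadata default is used. The metadata, request strings and hostnames are constructed, `request_signed` stands in for a signature verification that is out of scope here, and the standard SAML `AssertionConsumerServiceIndex` attribute is used rather than PingFederate's ACSIdx parameter.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed SP metadata, modelled on the ACS entries quoted in answer 1
# (the load balancer hostname is a placeholder).
SP_METADATA = f"""<SPSSODescriptor xmlns="{MD_NS}">
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://lb.example.test/sp/acs" index="0" isDefault="true"/>
  <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
      Location="https://lb.example.test/sp/artifact" index="1"/>
</SPSSODescriptor>"""

# Constructed AuthnRequests (only the attributes relevant to ACS selection).
SIGNED_REQ = f'<AuthnRequest xmlns="{SAMLP_NS}" ID="_c1" AssertionConsumerServiceURL="https://lb.example.test/sp/acs"/>'
ROGUE_REQ = f'<AuthnRequest xmlns="{SAMLP_NS}" ID="_c2" AssertionConsumerServiceURL="https://unregistered.example.test/acs"/>'
INDEX_REQ = f'<AuthnRequest xmlns="{SAMLP_NS}" ID="_c3" AssertionConsumerServiceIndex="1"/>'
PLAIN_REQ = f'<AuthnRequest xmlns="{SAMLP_NS}" ID="_c4"/>'

def registered_acs(metadata_xml):
    # Return ({index: location}, default_index) from the SP's metadata.
    root = ET.fromstring(metadata_xml)
    acs, default = {}, None
    for el in root.findall(f"{{{MD_NS}}}AssertionConsumerService"):
        idx = int(el.get("index"))
        acs[idx] = el.get("Location")
        if el.get("isDefault") == "true":
            default = idx
    return acs, default

def resolve_acs(authn_request_xml, metadata_xml, request_signed):
    # Pick the ACS URL the IdP may post the assertion to, or raise ValueError.
    # request_signed is assumed to be the outcome of XML signature verification.
    acs, default = registered_acs(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    url = req.get("AssertionConsumerServiceURL")
    idx = req.get("AssertionConsumerServiceIndex")
    if url is not None:
        if not request_signed:
            raise ValueError("ACS URL override requires a signed AuthnRequest")
        if url not in acs.values():
            raise ValueError("requested ACS URL is not registered in SP metadata")
        return url
    if idx is not None:
        if int(idx) not in acs:
            raise ValueError("unknown ACS index")
        return acs[int(idx)]
    return acs[default]
```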
Source: https://stackoverflow.com/questions/39567112/more-than-one-acs-url