Hi Ray, thanks for your answer. The problem is that the configured value doesn't seem to be checked against the incoming value at all. So we can fill in just a random string in the configuration. Tested with CAS 7.0.6.
Petr

On Tuesday 27 August 2024 at 20:37:01 UTC+2 Ray Bon wrote:

> Petr,
>
> It is required in the service definition / saml metadata to prevent a
> malicious site from providing an ACS URL that does not match the entityId.
>
> Ray
>
> On Tue, 2024-08-27 at 06:16 -0700, Petr Bodnár wrote:
>
> Hi,
>
> when registering a service provider (SP) to CAS via the JSON variant of
> configuration, one *could* historically fill in the
> *assertionConsumerServiceUrl* attribute, or leave it empty. The very same
> attribute comes in the SAML AuthnRequest and contains the URL where the SP
> wishes to send the SAML response.
>
> So is it that the *assertionConsumerServiceUrl* in JSON configuration is
> just the *default* value for the case it is not present in the SAML
> AuthnRequest?
>
> And if so, can somebody tell why this attribute *was made required* since
> some version of CAS 7.0.x (see commit ensure saml SLO/ACS objects have a
> valid location
> <https://github.com/apereo/cas/commit/d37229b6aa0e9125577ff5e92d39083de31c7117>)?
>
> For our use case, we probably always want the SP to fill the URL in the
> request, but we are forced to also fill some value in the JSON
> configuration now, which doesn't seem to make sense?
>
> Regards
> Petr
