According to [1]: "The Recipient URL is another layer of security to make sure that the SAML response is meant for you and only you. The Recipient will tell you exactly who the SAML response is for, but the Audience will tell you, at a broader level, where the response should go. So for example, the Recipient could be Yankee Stadium, while the Audience could be New York City. Using both Audience and Recipient values is recommended."

Again, I think this is subjective. IDP and SP can agree on finer levels, or the other way around as well. The Recipient value does not need to be limited to the ACS. You can have multiple recipient values as well.

[1] https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector

On Wed, Mar 8, 2017 at 12:20 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:

> ping
>
> Sewmini Jayaweera
> *Software Engineer - QA Team*
> Mobile: +94 (0) 773 381 250
> sewm...@wso2.com
>
> On Tue, Mar 7, 2017 at 10:58 PM, Sewmini Jayaweera <sewm...@wso2.com> wrote:
>
>> Hi,
>>
>> As per the SAML core specification [1], below were the definitions given for ACS URL and Recipient.
>>
>> - *AssertionConsumerServiceURL:* Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.
>>
>> - *Recipient [Optional]:* A URI specifying the entity or location to which an attesting entity can present the assertion. For example, this attribute might indicate that the assertion must be delivered to a particular network endpoint in order to prevent an intermediary from redirecting it someplace else.
>>
>> *Question*
>>
>> 1. Should AssertionConsumerServiceURL and Recipient always be the same?
>> 2. When exactly do we need to specify a recipient? Appreciate if you can explain with a sample use case.
>>
>> [1] https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>>
>> Cheers!
>>
>> Sewmini Jayaweera
>> *Software Engineer - QA Team*
>> Mobile: +94 (0) 773 381 250
>> sewm...@wso2.com
>

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
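As an added example (not code from this thread, from WSO2 or from OneLogin), here is how a Service Provider could enforce the Recipient and Audience checks discussed above, accepting a set of agreed Recipient URLs rather than only the single ACS URL; all names, URLs and the sample assertion are constructed:

```python
# Added example (not from the thread): SP-side check that a SAML 2.0 assertion's
# SubjectConfirmationData Recipient and AudienceRestriction match this SP.
# Assumes the response signature was already verified; this is only the
# Recipient/Audience layer the thread discusses. All names/URLs are constructed.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def validate_assertion(xml_text, allowed_recipients, sp_entity_id, now):
    """Return a list of problems; empty means acceptable. allowed_recipients is
    every URL this SP accepts as Recipient (the IdP and SP may agree on more
    than one, hence a set); sp_entity_id must appear as an Audience."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        recipient = scd.get("Recipient")  # None if the IdP omitted it
        if recipient not in allowed_recipients:
            problems.append(f"Recipient {recipient!r} is not one of ours")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None:
            problems.append("missing NotOnOrAfter")
        elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
            problems.append("assertion expired")
    audiences = [a.text for a in root.findall(
        ".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {sp_entity_id!r}")
    return problems


# Constructed sample assertion; values are illustrative, not from any real IdP.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2017-03-08T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" NotOnOrAfter="2017-03-08T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
ACS_URLS = {"https://sp.example.com/saml/acs"}
SP_ENTITY_ID = "https://sp.example.com"
BEFORE_EXPIRY = datetime(2017, 3, 8, 12, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2017, 3, 8, 12, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_assertion(SAMPLE, ACS_URLS, SP_ENTITY_ID, BEFORE_EXPIRY))  # prints []
```

Each rejected condition is reported separately so a failed login can be logged with the exact Recipient or Audience mismatch rather than a generic "invalid assertion".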