Validating Incoming Authentication Request for Assertion Consumer Service URL

When an authentication request from a service provider is not signed, the Identity Provider cannot validate the authenticity and integrity of the request. Any malicious user who can intercept the request can therefore change the Assertion Consumer Service URL in the request and make the Identity Provider send the assertion to a malicious site.

To secure and validate the authentication request from the service provider, you can use the following options in the service provider configuration of the Identity Provider:

NOTE: These options must be defined to avoid security issues during an unsigned SAML Authentication Request.

SAML2_ACS_URL_RESTRICT: This option ensures that the Identity Provider validates the Assertion Consumer Service URL in the request against the trusted metadata URL before sending the assertion. If the Assertion Consumer Service URL in the Authentication Request has been tampered with by a malicious user, the Identity Provider terminates the request and the assertion is not sent.

SAML2_ACS_DOMAIN_ALLOWABLELIST: This option ensures that the Identity Provider validates the Assertion Consumer Service URL in the request against an allowable list of domains. If the Assertion Consumer Service URL does not match any of the domains in the allowable list, the Identity Provider terminates the request.

You must define SAML2_ACS_DOMAIN_ALLOWABLELIST together with SAML2_ACS_URL_RESTRICT for a service provider in Identity Server, because the allowable list has no effect if SAML2_ACS_URL_RESTRICT is not enabled.

To define these options, perform the following steps in Administration Console:

  1. On the Home page, click Applications > Select a Cluster > [application name] > SAML v2.0 Service Provider.

  2. Click Options.

  3. Click New, then select OTHER.

    1. If you want Identity Server to allow authentication only to the trusted ACS URLs, specify the following:

      Property Name: SAML2_ACS_URL_RESTRICT

      Property Value: true

    2. If you want Identity Server to perform additional validation of the authentication request against the ACS domain, specify the following:

      Property Name: SAML2_ACS_DOMAIN_ALLOWABLELIST

      Property Value: Domain names separated by a semicolon (;) with no spaces. For example, www.airlines.com;www.example.com.
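The following is an added example, not Identity Server code, showing how an Identity Provider can apply the two checks described above to the Assertion Consumer Service URL carried in an unsigned authentication request. It assumes (as the page's wording suggests) that the checks are layered: with SAML2_ACS_URL_RESTRICT enabled, the ACS URL must exactly match an ACS URL from the service provider's trusted metadata, and if SAML2_ACS_DOMAIN_ALLOWABLELIST is also set, the URL's hostname must additionally appear in that list. The class and function names, and the sample metadata URLs, are hypothetical values constructed for the example; the allowable-list format (semicolon-separated, no spaces) is the one the page documents.

```python
"""Added illustration of ACS URL validation for an unsigned SAML AuthnRequest.
Not product code: names, sample URLs and the layered-check semantics are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class ServiceProviderConfig:
    """Hypothetical stand-in for one service provider entry in the IdP configuration."""
    # ACS URLs taken from the SP's trusted metadata (constructed sample values)
    metadata_acs_urls: tuple = ()
    # SAML2_ACS_URL_RESTRICT
    acs_url_restrict: bool = False
    # SAML2_ACS_DOMAIN_ALLOWABLELIST exactly as typed in the console, e.g. "a.example;b.example"
    acs_domain_allowablelist: str = ""


def parse_allowable_list(value: str) -> set:
    """Split the semicolon-separated domain list. Hostnames compare case-insensitively,
    and stray whitespace is tolerated even though the page says to type none."""
    return {d.strip().lower() for d in value.split(";") if d.strip()}


def acs_url_is_trusted(acs_url: str, config: ServiceProviderConfig) -> bool:
    """Return True only if the request's ACS URL passes every enabled check.

    - SAML2_ACS_URL_RESTRICT off: nothing is validated, so a tampered ACS URL
      would be honoured; the allowable list has no effect on its own.
    - SAML2_ACS_URL_RESTRICT on: the URL must be exactly one of the metadata ACS URLs.
    - Allowable list also set: the URL's hostname must be in the list as well.
    """
    if not config.acs_url_restrict:
        return True
    if acs_url not in config.metadata_acs_urls:
        return False
    allowed = parse_allowable_list(config.acs_domain_allowablelist)
    if allowed:
        # urlparse().hostname drops userinfo and port, so a URL such as
        # https://www.airlines.com@other.example/acs resolves to "other.example",
        # not to the trusted name that appears before the "@".
        host = urlparse(acs_url).hostname
        if host is None or host.lower() not in allowed:
            return False
    return True


def decide(acs_url: str, config: ServiceProviderConfig) -> str:
    """Outcome for one AuthnRequest, in the terms the page uses."""
    if acs_url_is_trusted(acs_url, config):
        return "send assertion to " + acs_url
    return "terminate request (untrusted ACS URL)"


if __name__ == "__main__":
    # Constructed sample configuration: two metadata ACS URLs, but only the
    # www host is on the allowable list, so the staging URL is rejected by the
    # second, additional check even though it passes the metadata check.
    cfg = ServiceProviderConfig(
        metadata_acs_urls=(
            "https://www.airlines.com/saml/acs",
            "https://staging.airlines.com/saml/acs",
        ),
        acs_url_restrict=True,
        acs_domain_allowablelist="www.airlines.com;www.example.com",
    )
    for url in (
        "https://www.airlines.com/saml/acs",
        "https://staging.airlines.com/saml/acs",
        "https://www.airlines.com@other.example/saml/acs",
        "https://www.airlines.com.other.example/saml/acs",
    ):
        print(url, "->", decide(url, cfg))
```

The two pitfalls the sample URLs exercise are the ones worth checking in any implementation: a hostname that merely starts with a trusted name (`www.airlines.com.other.example`) and a URL whose userinfo part carries the trusted name before an `@`. Exact URL matching against metadata rejects both, and the hostname comparison on the allowable list does not fall back to substring or prefix matching.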