SAML SP Metadata XML SSO, Recipient and Destination URLs

In Okta we have the ability to specify different URLs for the SSO, Recipient and Destination URLs in the application's UI like so:

Okta Application UI

We have a custom URL where the SAML assertion needs to get sent to that's different from the recipient URL. The recipient URL needs to be the URL where it will ultimately end up after passing through a proxy via the Destination URL. This works fine for Okta setups, but we're having trouble figuring out where those values should go in the SP SAML metadata XML that some IdPs require for setup (vs. the application UI like Okta has). Is there a place in that SAML metadata where we could specify those URLs, and if so, where would they go? I haven't been able to find anything in the SAML 2.0 specs about those URLs for SP SAML metadata.



Solution 1:[1]

If I understand correctly, you have a proxy between the SP and the IdP, and you want your SP metadata XML to specify the URL of the proxy. This can be achieved with the Assertion Consumer Service URL (ACS URL), for example:

<?xml version="1.0"?>
<!-- entityID identifies the SP; it is not the endpoint the assertion is posted to -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2022-04-29T14:36:36Z"
                     cacheDuration="PT604800S"
                     entityID="http://sp.example.com/saml">
    <!-- sample values as posted; a production SP would normally set WantAssertionsSigned="true" -->
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <!-- ACS endpoint: the only endpoint URL SP metadata carries for receiving the Response.
             The IdP delivers the Response to this Location (here the proxy). -->
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://proxy.example.com/saml"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

In the above snippet, the Location attribute of the md:AssertionConsumerService element specifies the ACS URL, which is the proxy URL. It is different from the SP's URL, which is specified in the entityID attribute of the md:EntityDescriptor element.
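As an added example that is not part of the original answer: the SP-side counterpart of the metadata above. SP metadata only publishes the ACS Location; the Recipient value an SP behind a proxy expects (the backend URL, in the setup described in the question) is SP configuration that metadata has no field for. The code below parses the ACS Location out of SP metadata, then checks a SAML Response's Destination against the URL the message was actually delivered to and the assertion's SubjectConfirmationData Recipient against the SP's configured allow-list, plus the NotOnOrAfter window. The metadata, the Response, the URLs (proxy.example.com, sp.example.com, idp.example.org) and the timestamps are all constructed samples. Signature verification is deliberately left out; a real SP verifies the signature before trusting any of these attributes.

```python
# Added example, not from the original answer: SP-side Destination/Recipient
# checks for a SAML Response, driven by the ACS URL in SP metadata.
# All XML, URLs and timestamps below are constructed samples.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP metadata with the proxy as the ACS Location (constructed sample).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="http://proxy.example.com/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response as an Okta-style IdP would issue it for the question's
# setup: Destination = proxy (ACS Location), Recipient = backend SP URL.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2022-04-01T12:00:00Z"
    Destination="http://proxy.example.com/saml">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asn1" Version="2.0" IssueInstant="2022-04-01T12:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="http://sp.example.com/saml/acs"
                                      NotOnOrAfter="2022-04-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same Response replayed to a different host (Destination no longer matches).
TAMPERED_RESPONSE = SAML_RESPONSE.replace(
    'Destination="http://proxy.example.com/saml"',
    'Destination="http://evil.example.net/saml"')

RECEIVED_AT = "http://proxy.example.com/saml"        # public URL the POST arrived at
ALLOWED_RECIPIENTS = {"http://sp.example.com/saml/acs"}  # SP-side config, not metadata
NOW = datetime(2022, 4, 1, 12, 1, tzinfo=timezone.utc)
LATER = datetime(2022, 4, 1, 12, 10, tzinfo=timezone.utc)  # after NotOnOrAfter


def acs_locations(metadata_xml):
    """Binding -> Location for every ACS endpoint published in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {acs.get("Binding"): acs.get("Location")
            for acs in root.findall(".//md:AssertionConsumerService", NS)}


def _parse_ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants +00:00.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_urls(response_xml, received_at, metadata_xml, allowed_recipients, now):
    """Return a list of problems; an empty list means the URL checks passed."""
    problems = []
    root = ET.fromstring(response_xml)
    published = set(acs_locations(metadata_xml).values())

    dest = root.get("Destination")
    if dest is None:
        problems.append("Response has no Destination")
    else:
        if dest != received_at:
            problems.append(f"Destination {dest!r} != delivery URL {received_at!r}")
        if dest not in published:
            problems.append(f"Destination {dest!r} is not an ACS Location in SP metadata")

    scds = root.findall(".//saml:SubjectConfirmationData", NS)
    if not scds:
        problems.append("Assertion has no SubjectConfirmationData")
    for scd in scds:
        recipient = scd.get("Recipient")
        if recipient not in allowed_recipients:
            problems.append(f"Recipient {recipient!r} not in the SP's allowed set")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None or _parse_ts(expiry) <= now:
            problems.append(f"SubjectConfirmationData expired or unbounded ({expiry})")
    return problems


if __name__ == "__main__":
    print("metadata ACS:", acs_locations(SP_METADATA))
    print("good:", check_urls(SAML_RESPONSE, RECEIVED_AT, SP_METADATA, ALLOWED_RECIPIENTS, NOW))
    print("replayed:", check_urls(TAMPERED_RESPONSE, RECEIVED_AT, SP_METADATA, ALLOWED_RECIPIENTS, NOW))
    print("expired:", check_urls(SAML_RESPONSE, RECEIVED_AT, SP_METADATA, ALLOWED_RECIPIENTS, LATER))
```

The allowed-recipients set is the piece the question is really asking about: if the SP only accepts the metadata ACS Location as Recipient, an IdP configured with a distinct backend Recipient URL will fail this check, so the backend URL has to be added to the SP's own configuration rather than to the metadata.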

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 heq99