I am using PingFederate for SSO. My application is acting as SP and I am trying SP-initiated SSO. I am sending a SAMLRequest to PingFederate, which is signed. But it is not sending the SAMLResponse to the ACS URL mentioned in the SAMLRequest (AuthnRequest).

Can you help me with settings, so that the default assertion Consumer URL is not picked up but the one sent in SAMLRequest is used?

A: 

[Updated]

So you are the SP and PF is the IDP? PF needs to have your Assertion Consumer Service URL listed in the local meta-data (PF can hold several ACS URLs for a single SP) and I believe you need to specify the ACSIndex (as configured in PF) or ACSURL value.

The SAML 2.0 Core document outlines how to include AssertionConsumerServiceIndex or AssertionConsumerServiceURL in your AuthnRequest.

--Ian


Can you provide more details?

It sounds like you are using PF as the IDP and SP? If you want PF (IDP) to use an ACS URL other than the default with SP-Init SSO you need to specify the ACSIndex of the ACS URL in the AuthnRequest. PF (SP) can specify a specific ACSIndex to include in the AuthnRequest by appending it to the startSSO.ping Application Endpoint.

If the ACSIndex is not listed in the PF (IDP) configuration the SP must sign the AuthnRequest (per the spec) and specify the ACSIndex to use instead.

Let me know if that makes sense or you need more info on how to do this.

--Ian

Ian
A: 

Hi,

I am signing the samlRequest as

https://localhost:8443/dvad/StudyPT.html

        <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
        PrefixList="ds saml samlp" />
      </ds:Transform>
    </ds:Transforms>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <ds:DigestValue>
    H/MDr9Lf3iXE563ZGQ5kZe0zYZk=</ds:DigestValue>
  </ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
dVKMDqIHh3UnBGoAwtkM36VmV3mlnH9Dpgu4MeN6Q+kqsxZ3KMxKuxmkQdrR7tcN3iKN1gf9JyEl
PgBSCA7I/P3/M5WCZYqJqFITqDlIECdbcP1CNoEvJxwkhhgAU1WnwbecjlLo7AQSpS9aFk5JmX2j
T4bsHk+6oCeV+pxWyRM=</ds:SignatureValue>
<ds:KeyInfo>
  <ds:KeyValue>
    <ds:RSAKeyValue>
      <ds:Modulus>
      v2EQtKdXZkwBqXb6Pdf2ZY4ndThIv533y7T7IIrku9zeIOHXbQSW2HqRWSLMqpEp9OjZXiGfq7+i
      GmkTT94oB07V3xACWnu+K7kejhVla95lUqftgq6FhJCSVJdTdgjo4jnEyMkcRrR+UJpJQeW2UAcB
      MsMwYAvWfzOOPUhTacM=</ds:Modulus>
      <ds:Exponent>AQAB</ds:Exponent>
    </ds:RSAKeyValue>
  </ds:KeyValue>
</ds:KeyInfo>

But I am still unable to receive the SAML response at the ACS. Also, where should we put the index, in case I want to try with it?

Thanks for the response.

Sonal
A: 

Hi Ian,

Thanks for the response. Now I am able to get the SAML Response at the desired URL. I appended the ACS index of the desired URL from PF to the endpoint of the SAML request as

https://pst.in:9031/idp/startSSO.ping?PartnerSpId=PF-DEMO&ACSIdx=3

and the response was sent to the URL at index 3.

Also, I had another query. I have certain query parameters, which I wanted to retain. I am trying to send those query parameters in relay state.

When my application (which is acting as SP) sends the SAMLRequest (AuthnRequest) to PF, it also sends the RelayState parameter, but when PF sends the SAML Response back to the SP, the RelayState parameters are lost. PF is not sending the RelayState parameters.

Can you please let me know the settings, if any, to enable the transmission of the RelayState parameters from PF.

Thanks.

Sonal
A: 

PingFederate will automatically maintain RelayState (as the IDP) and return it with the Assertion (per the Spec) if you are sending it correctly with the AuthnRequest. There is nothing you need to do within PF to make this happen.

I would ensure you are sending it correctly and that PF is logging the value it receives from you.

Ian
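As an added example for the two points raised in this thread (selecting the ACS via AssertionConsumerServiceIndex/AssertionConsumerServiceURL in the AuthnRequest, and RelayState round-tripping), here is a small SP-side helper. It is not PingFederate code and not from anyone in the thread; the entity IDs, IdP endpoint, ACS values and the RelayState token are constructed. It builds the AuthnRequest, encodes it for the HTTP-Redirect binding with a RelayState, and on the way back checks that the Response's InResponseTo matches a pending request and that the RelayState came back unchanged. Signing is left out; the SAML 2.0 Bindings spec caps RelayState at 80 bytes, which is why the example carries an opaque token and keeps the real query parameters server-side.

```python
"""SP-side AuthnRequest builder and Response/RelayState correlation.
Added example, not PingFederate code. All endpoints and IDs are constructed."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, idp_sso_url, acs_url=None, acs_index=None):
    """Return (request_id, xml). Exactly one of acs_url / acs_index selects the
    ACS endpoint the IdP should return the Response to (SAML 2.0 Core 3.4.1)."""
    if (acs_url is None) == (acs_index is None):
        raise ValueError("specify exactly one of acs_url or acs_index")
    req_id = "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": req_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ProtocolBinding": HTTP_POST,
    })
    if acs_url is not None:
        root.set("AssertionConsumerServiceURL", acs_url)
    else:
        root.set("AssertionConsumerServiceIndex", str(acs_index))
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return req_id, ET.tostring(root, encoding="unicode")


def acs_selector(authn_request_xml):
    """Which ACS selector the request carries (useful when debugging what the IdP saw)."""
    root = ET.fromstring(authn_request_xml)
    keys = ("AssertionConsumerServiceURL", "AssertionConsumerServiceIndex")
    return {k: root.get(k) for k in keys if root.get(k) is not None}


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        # SAML 2.0 Bindings 3.1.1: RelayState MUST NOT exceed 80 bytes, so send an
        # opaque token and keep the application's query parameters server-side.
        if len(relay_state.encode("utf-8")) > 80:
            raise ValueError("RelayState exceeds the 80-byte limit")
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_request(url):
    """Inverse of redirect_binding_url; mirrors what the IdP does on receipt."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    return xml, qs.get("RelayState", [None])[0]


def correlate_response(pending, response_xml, returned_relay_state):
    """pending: dict request_id -> RelayState token stored when the request left.
    Accepts a Response only once (InResponseTo consumed) and only if the
    RelayState the IdP echoed back is the one we sent."""
    root = ET.fromstring(response_xml)
    in_response_to = root.get("InResponseTo")
    if in_response_to not in pending:
        return False, "unsolicited or replayed Response"
    expected = pending.pop(in_response_to)
    if expected != returned_relay_state:
        return False, "RelayState mismatch"
    return True, in_response_to


if __name__ == "__main__":
    # Constructed values; the IdP and SP here do not exist.
    idp = "https://idp.example.test/idp/SSO.saml2"
    req_id, xml = build_authn_request("https://sp.example.test/metadata", idp, acs_index=3)
    pending = {req_id: "tok-7f3a"}
    print(redirect_binding_url(idp, xml, pending[req_id]))
```

The constructed `pending` map stands in for whatever per-session store the SP keeps; dropping the entry on first use is what turns InResponseTo into a replay check rather than a formality.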