Validating Incoming Authentication Request for Assertion Consumer Service URL

When an authentication request from a service provider is not signed, the Identity Provider cannot verify the authenticity or integrity of the request. Any attacker who can intercept or forge the request can therefore change the Assertion Consumer Service (ACS) URL in the request and cause the Identity Provider to send the assertion to a site of the attacker's choosing.

To validate the ACS URL in an unsigned authentication request from the service provider, use the following options in the service provider configuration of the Identity Provider:

NOTE: Define these options for every service provider that sends unsigned SAML authentication requests; without them the ACS URL in the request is not checked.

SAML2_ACS_URL_RESTRICT: With this option enabled, the Identity Provider validates the Assertion Consumer Service URL in the request against the ACS URLs in the service provider's trusted metadata before sending the assertion. If the ACS URL in the authentication request has been tampered with, the Identity Provider terminates the request and no assertion is sent.

SAML2_ACS_DOMAIN_WHITELIST: With this option, the Identity Provider validates the Assertion Consumer Service URL in the request against a whitelist of domains. If the ACS URL does not match any domain in the whitelist, the Identity Provider terminates the request.

You must define SAML2_ACS_DOMAIN_WHITELIST together with SAML2_ACS_URL_RESTRICT for a service provider in Identity Server, because the whitelist option has no effect unless SAML2_ACS_URL_RESTRICT is enabled.
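The following Python model shows what the two options protect against and how the checks behave on tampered requests. It is an added example, not Identity Server code. It assumes a hypothetical set of ACS URLs learned from the service provider's metadata (METADATA_ACS_URLS), a constructed unsigned AuthnRequest, and, since the page does not state how the two checks combine, that a URL is accepted when it either matches the metadata exactly or has a host listed in the whitelist.

```python
"""Model of the SAML2_ACS_URL_RESTRICT / SAML2_ACS_DOMAIN_WHITELIST checks.
Added example; not NetIQ Identity Server code. Names and data are assumptions."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: ACS URLs this IdP learned from the SP's trusted metadata.
METADATA_ACS_URLS = {
    "https://www.airlines.com/saml/acs",
    "https://www.example.com/sso/acs",
}


def build_authn_request(acs_url):
    """Constructed minimal unsigned AuthnRequest carrying the given ACS URL.
    An attacker tampering with the request rewrites exactly this attribute."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_id1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        "<saml:Issuer>https://www.airlines.com/sp</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def parse_whitelist(property_value):
    """Split the SAML2_ACS_DOMAIN_WHITELIST value: host names joined by ';', no spaces."""
    return {host.lower() for host in property_value.split(";") if host}


def acs_url_from_request(authn_request_xml):
    """Extract AssertionConsumerServiceURL from a samlp:AuthnRequest (None if absent)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def validate_acs_url(authn_request_xml, acs_url_restrict=False, domain_whitelist=""):
    """Return (accepted, reason) for an unsigned AuthnRequest.

    acs_url_restrict=False  -> the ACS URL is taken from the request unchecked,
                               whatever the whitelist says (the documented weakness).
    acs_url_restrict=True   -> exact match against metadata ACS URLs, or (assumption)
                               the URL's host is in the whitelist; otherwise terminate.
    """
    acs_url = acs_url_from_request(authn_request_xml)
    if not acs_url_restrict:
        return True, "SAML2_ACS_URL_RESTRICT not set: ACS URL taken from request unchecked"
    if acs_url is None:
        # Assumption: a request without the attribute falls back to the metadata ACS URL.
        return True, "no ACS URL in request: metadata default used"
    if acs_url in METADATA_ACS_URLS:
        return True, "ACS URL matches trusted metadata"
    if domain_whitelist:
        # Compare the parsed host only, never a substring of the URL: this is what
        # rejects www.airlines.com.attacker.example and www.airlines.com@attacker.example.
        host = (urlsplit(acs_url).hostname or "").lower()
        if host in parse_whitelist(domain_whitelist):
            return True, f"host {host} is in SAML2_ACS_DOMAIN_WHITELIST"
    return False, f"ACS URL {acs_url} not trusted: request terminated, no assertion sent"


if __name__ == "__main__":
    whitelist = "www.airlines.com;www.example.com"
    for url in ("https://www.airlines.com/saml/acs",
                "https://www.example.com/other/acs",
                "https://www.airlines.com.attacker.example/acs",
                "https://www.airlines.com@attacker.example/acs"):
        req = build_authn_request(url)
        print(url, validate_acs_url(req, True, whitelist))
```

The host comparison is the part worth copying: whitelist entries are host names, so the check must run on the parsed host of the ACS URL, not on the URL string, or a host such as www.airlines.com.attacker.example would pass.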

To define these options, perform the following steps in Administration Console:

  1. Click Devices > Identity Servers > IdP Cluster > SAML2.

  2. Select the required service provider from the Service Providers list.

  3. Click Options.

  4. Click New, then select OTHER.

    1. If you want Identity Server to allow authentication only to the trusted ACS URLs, specify the following:

      Property Name: SAML2_ACS_URL_RESTRICT

      Property Value: true

    2. If you want Identity Server to perform additional validation of the authentication request with the ACS domain whitelist, specify the following:

      Property Name: SAML2_ACS_DOMAIN_WHITELIST

      Property Value: Domain names separated with a semicolon (;) and no spaces. For example, www.airlines.com;www.example.com.