3.6.3 Configuring a Whitelist of Assertion Consumer Service URLs

When an authentication request from a service provider is not signed, Identity Server cannot validate the authenticity and integrity of the request. An intruder can therefore intercept the request, change the Assertion Consumer Service URL in it, and cause Identity Server to send the assertion to a malicious site.

To secure and validate the authentication request from a service provider, you can use the following options in the service provider configuration of Identity Server:

  • SAML2_ACS_URL_RESTRICT: This option ensures that Identity Server validates the Assertion Consumer Service URL in the request against the trusted metadata URL before sending the assertion. If the Assertion Consumer Service URL in the authentication request has been tampered with by a malicious user, Identity Server terminates the request and the assertion is not sent.

  • SAML2_ACS_DOMAIN_WHITELIST: This option ensures that Identity Server validates the Assertion Consumer Service URL in the request against a whitelist of domains. If the Assertion Consumer Service URL does not match any of the domains in the whitelist, Identity Server terminates the request.

    You must define SAML2_ACS_DOMAIN_WHITELIST together with SAML2_ACS_URL_RESTRICT for a service provider in Identity Server. SAML2_ACS_DOMAIN_WHITELIST has no effect unless SAML2_ACS_URL_RESTRICT is enabled.

To define these options, perform the following steps:

  1. Click Devices > Identity Servers > <Cluster> > Edit > SAML 2.0.

  2. Select the required service provider.

  3. Click Options > New.

  4. Select OTHER and specify the following properties:

    Property Name: SAML2_ACS_URL_RESTRICT
    Property Value: True
    Description: Identity Server allows authentication only to the trusted ACS URLs.

    Property Name: SAML2_ACS_DOMAIN_WHITELIST
    Property Value: Domain names separated with a semicolon (;)
    Description: Identity Server performs additional validation of the authentication request against the ACS domain whitelist.
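The following Python example, added here and not part of Identity Server or its documentation, models how the two options combine: a semicolon-separated SAML2_ACS_DOMAIN_WHITELIST is matched against the host of the ACS URL only (so userinfo tricks and look-alike hosts do not match), and the whitelist is ignored when SAML2_ACS_URL_RESTRICT is not True. It assumes that the metadata check is an exact match against ACS URLs taken from the service provider's metadata, that a whitelisted domain also covers its subdomains, and that only https ACS URLs are acceptable; the URLs and option values are constructed samples.

```python
from urllib.parse import urlsplit

# Constructed sample values for illustration only.
TRUSTED_ACS_URLS = {"https://sp.example.com/saml/acs"}
OPTIONS = {
    "SAML2_ACS_URL_RESTRICT": "True",
    "SAML2_ACS_DOMAIN_WHITELIST": "sp.example.com; partner.example.org",
}


def parse_whitelist(value):
    """Split a SAML2_ACS_DOMAIN_WHITELIST value on ';' into normalised domains."""
    return [d.strip().lower().rstrip(".") for d in value.split(";") if d.strip()]


def host_allowed(host, domains):
    """Assumption: a host matches a whitelisted domain exactly or as a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def acs_url_in_whitelist(acs_url, whitelist_value):
    """Compare only the parsed host, so 'sp.example.com@attacker.test' and
    'sp.example.com.attacker.test' are both rejected."""
    try:
        parts = urlsplit(acs_url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return host_allowed(host, parse_whitelist(whitelist_value))


def decide(acs_url, options=OPTIONS, trusted=TRUSTED_ACS_URLS):
    """Model of the combined effect of the two options: 'send' or 'terminate'."""
    restrict = options.get("SAML2_ACS_URL_RESTRICT", "").strip().lower() == "true"
    if not restrict:
        # No ACS validation at all; the domain whitelist is ignored.
        return "send"
    if acs_url not in trusted:  # assumed exact match against SP metadata
        return "terminate"
    whitelist = options.get("SAML2_ACS_DOMAIN_WHITELIST", "")
    if whitelist and not acs_url_in_whitelist(acs_url, whitelist):
        return "terminate"
    return "send"


if __name__ == "__main__":
    for url in ("https://sp.example.com/saml/acs",
                "https://sp.example.com.attacker.test/saml/acs",
                "https://sp.example.com@attacker.test/saml/acs"):
        print(url, "->", decide(url))
```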