On 2022-09-06 15:31, Kristof Bajnok wrote:
I'd like to select the ACS URL based on the host name of the request
(context["http_headers"]["HTTP_HOST"] specifically). What do you think
about it? Would you consider such a pull request?
I'm still not entirely sure what to do if there's no match. I guess
Shibboleth SP used to specify the ACS URL in the AuthnRequest using
information from HTTP_HOST(?), since I remember seeing error messages
on IdPs when no AssertionConsumerServiceURLs in the metadata matched
the request. Even if I remember right, this might not be the best
approach, because I could think that it'd be more user friendly if
SATOSA could signal the error instead of the IdP, but this might be
use case dependent.
I wish I could omit the AssertionConsumerServiceUrl from the request if
we know that the hostname does not match any of the ACS URLs, but
unfortunately PySaml's `create_auth_request` is not doing me the favour
of treating `assertion_consumer_service_url=None` the same way as if the
`hide_assertion_consumer_service` *configuration* parameter was set. But
in the end the IdP would most likely use the first suitable endpoint in
this case, so it's not much worse to do the same in the request.
Kristof
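
The host-based selection discussed in this message, sketched as an added example; it is not part of the original e-mail and not SATOSA or pysaml2 code. The function name `select_acs_url`, the list `ACS_URLS` and its URLs are hypothetical and constructed; the caller is assumed to pass in the value of `HTTP_HOST`. The header is client-controlled, so it is only used to choose among endpoints already configured, with the first one as the fallback described above.

```python
from urllib.parse import urlsplit

# Constructed sample: ACS endpoints as they would be listed in the SP metadata.
ACS_URLS = [
    "https://sp.example.org/saml2/acs/post",
    "https://sp.example.net/saml2/acs/post",
]


def _host_only(value):
    """Return the lowercased host of a Host header value, without the port."""
    if not value:
        return None
    value = value.strip()
    # A Host header is "host[:port]" only; reject anything URL-like or padded.
    if any(c in value for c in "/\\@?# \t"):
        return None
    try:
        host = urlsplit("//" + value).hostname  # handles "h:443" and "[::1]:8443"
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    return host.rstrip(".").lower() if host else None


def select_acs_url(http_host, acs_urls):
    """Pick the configured ACS URL whose host equals the request host.

    Returns (url, matched). The URL always comes from acs_urls and is never
    built from the header, so a forged Host cannot introduce a new endpoint.
    When nothing matches, the first configured endpoint is returned and
    matched is False, so the caller can log it or show its own error page.
    """
    if not acs_urls:
        raise ValueError("no ACS URLs configured")
    request_host = _host_only(http_host)
    if request_host is not None:
        for url in acs_urls:
            if urlsplit(url).hostname == request_host:
                return url, True
    return acs_urls[0], False


if __name__ == "__main__":
    for header in ("SP.Example.NET:443", "unknown.example", None):
        print(repr(header), "->", select_acs_url(header, ACS_URLS))
```

The `matched` flag leaves the no-match policy to the caller: use the fallback URL, or stop and signal the error before the AuthnRequest is sent.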