[Idpy-discuss] Multiple ACS URLs

Hi all, in my setup, SATOSA may listen on multiple interfaces/ports/vhosts, and not all are accessible to all users. Therefore when sending the authentication response, the IdPs must redirect the users to the 'correct' AssertionConsumerServiceURL. The problem is that the SAML2 backend always selects the first ACS address in the request (src/satosa/backends/saml2.py:289). I'd like to select the ACS URL based on the host name of the request (context["http_headers"]["HTTP_HOST"] specifically). What do you think about it? Would you consider such a pull request? I'm still not entirely sure what to do if there's no match. I guess Shibboleth SP used to specify the ACS URL in the AuthnRequest using information from HTTP_HOST(?), since I remember seeing error messages on IdPs when no AssertionConsumerServiceURLs in the metadata matched the request. Even if I remember right, this might not be the best approach, because I could think that it'd be more user friendly if SATOSA could signal the error instead of the IdP, but this might be use case dependent. Thanks, Kristof