Symantec Access Management

  • 1.  How to access SAML2 IDP Initiated SSO URL with ACS Index ?

    Posted Mar 12, 2019 04:33 AM

    Dear Experts,

     

    In our SP metadata we found that it has 2 ACS URLs. Is there any way to test IdP-initiated SAML SSO to both ACS URLs?

    Please advise.

     

    CA SSO Version : 12.6 

     

    Thanks,
    Narendra



  • 2.  Re: How to access SAML2 IDP Initiated SSO URL with ACS Index ?

    Posted Apr 05, 2019 02:09 PM

    Hi Narendra,

     

    It'll probably be helpful to share the use case here so the community can better assist.

     

    Are the 2 ACS using different bindings, one HTTP-POST and the other HTTP-Artifact?

     

    If that's the case, you should choose the ACS endpoint that matches what you intend to use for the partnership.

     

    If you see both ACS are using HTTP-POST (I rarely see this), I'm guessing your SP has multiple ACS because it wants to know which IdP is being used by means of which ACS is accessed.

     

    Then the SP should tell you which ACS endpoint you should use out of the 2.

     

    If you want to test both, you can toggle the ACS to use in the partnership settings, then reactivate the partnership. But I don't think you can have both at the same time in 1 partnership.

     

    I could be wrong.

     

    regards,

    Zen



  • 3.  Re: How to access SAML2 IDP Initiated SSO URL with ACS Index ?
    Best Answer

    Broadcom Employee
    Posted Apr 08, 2019 08:04 AM

    Hi Narendra,

     

    The SP side has 2 ACS URLs, so you can test them by sending a
    SAMLRequest, configuring the IdP and SP partnership to have "Accept
    ACS URL in the Authnrequest", and ensuring the SAMLRequest has
    AssertionConsumerServiceURL configured.

     

    ref.:

    https://comm.support.ca.com/kb/how-to-prevent-acs-url-spoof-in-a-authnrequest/kb000012530

     

    CA Access Gateway(Secure Proxy Server) acting as I - CA Knowledge 

     

    Hope this helps,

    Patrick
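
The approach in the answer above, sketched as an added example (not part of the original post and not CA SSO code): it reads both ACS endpoints from SP metadata, builds an unsigned AuthnRequest carrying `AssertionConsumerServiceURL` for each as an HTTP-Redirect URL, and shows the IdP-side check that a requested ACS URL is one the metadata registers. The hosts, entity ID, metadata and function names are constructed assumptions.

```python
import base64, datetime, uuid, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata with two ACS endpoints (hypothetical hosts).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.test/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="0" Binding="{POST}" Location="https://sp.example.test/acs/a"/>
    <md:AssertionConsumerService index="1" Binding="{POST}" Location="https://sp.example.test/acs/b"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def acs_endpoints(metadata_xml):
    """Return {index: Location} for every ACS declared in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {int(e.get("index")): e.get("Location")
            for e in root.iter(f"{{{MD}}}AssertionConsumerService")}

def build_authn_request(issuer, idp_sso_url, acs_url):
    """Build an unsigned AuthnRequest naming acs_url, as an HTTP-Redirect URL."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_sso_url, "ProtocolBinding": POST,
        "AssertionConsumerServiceURL": acs_url})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    raw = zlib.compress(ET.tostring(req))[2:-4]  # raw DEFLATE, as the Redirect binding requires
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect(url):
    """Recover the AuthnRequest XML (bytes) from a Redirect-binding URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15)

def requested_acs_is_registered(authn_request_xml, metadata_xml):
    """IdP-side check: accept a requested ACS URL only if the SP metadata lists it."""
    # A real IdP would parse with a hardened XML parser and verify the request signature first.
    acs = ET.fromstring(authn_request_xml).get("AssertionConsumerServiceURL")
    return acs is not None and acs in acs_endpoints(metadata_xml).values()

if __name__ == "__main__":
    for idx, url in sorted(acs_endpoints(SP_METADATA).items()):
        print(idx, build_authn_request("https://sp.example.test/sp", "https://idp.example.test/sso", url))
```
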



  • 4.  Re: How to access SAML2 IDP Initiated SSO URL with ACS Index ?

    Posted Apr 09, 2019 03:38 AM

    Hi Patrick,

     

    Thanks for your response and also for the solution.

     

    It's really helpful and fits in our environment.

     

    Regards,

    Narendra