I'm running a Siteminder Federation IdP, and when it receives the following AuthnRequest:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
    Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
    ID="_943b1145ec08d2975433e6c8ecc13079"
    IssueInstant="2018-03-28T07:32:21Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" />
</samlp:AuthnRequest>
then my IdP server returns the following error:
"AssertionConsumerServiceURL vaue must match the one specified in partner meta data"
In my Legacy Federation, I've defined the SP Assertion Consumer Service URL as: https://sp.yourdomain.com/samlconsumer
How can I fix this problem?
The problem you face is that you are referring to the AssertionConsumerServiceURL value from the Federation AuthnRequest, but this functionality doesn't exist for the Legacy Federation model. You have to use the Partnership configuration to be able to use it:
Asserting Party Not Accepting ACS URL in an Authentication Request (170971)
Symptom:
CA Single Sign-On Federation was not accepting and processing the Assertion Consumer Service URL in the incoming authentication request. The system did not verify whether the authentication request had an Assertion Consumer Service URL defined.
For an IdP-to-SP partnership, the Administrative UI has a new check box labeled Accept ACS URL in the Authnrequest. This check box is in the SSO section of the SSO and SLO step of the partnership configuration. To confirm that the URL is present and valid in the authentication request, and that it is in the metadata, select this option.
STAR issue: 21361990
Configure your Federation as a Partnership instead of a Legacy one, and set the IdP to use the AssertionConsumerServiceURL from the SAML AuthnRequest by checking the "Accept ACS URL in the Authnrequest" configuration setting in your Partnership, putting the expected value of AssertionConsumerServiceURL in the list of ACS URLs.
KB: kb000076441
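To make the check behind that setting concrete, here is an added example (not code from the original post, and not Siteminder's own implementation) that models what an IdP does when "Accept ACS URL in the Authnrequest" is enabled: it parses the AuthnRequest from the question, looks up the partner by its Issuer, and only honours the AssertionConsumerServiceURL if it exactly matches an ACS endpoint registered in that partner's metadata. The partner metadata dictionary, the exact-match rules (case-insensitive scheme and host, literal path and query) and the function names are assumptions made for this example; they are not documented Siteminder behaviour.

```python
# Added example, not code from the original post or from CA/Broadcom Siteminder.
# Models the ACS URL check an IdP performs for a partnership with
# "Accept ACS URL in the Authnrequest" enabled. Matching rules and the
# metadata layout below are assumptions made for this example.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed partner metadata, keyed by the SP's Issuer (entityID). Values
# mirror the question; in a deployment this comes from the partnership config,
# never from the request itself.
PARTNER_METADATA = {
    "https://sp.yourdomain.com/secondserver": {
        "acs": {
            ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
             "https://sp.yourdomain.com/samlconsumer"),
        },
        "default_acs": "https://sp.yourdomain.com/samlconsumer",
    },
}

# Constructed AuthnRequest with the same content as the one in the question.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://sp.yourdomain.com/samlconsumer"
    Destination="https://idp.mydomain.com/affwebservices/public/saml2sso"
    ID="_943b1145ec08d2975433e6c8ecc13079"
    IssueInstant="2018-03-28T07:32:21Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.yourdomain.com/secondserver</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="1" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</samlp:AuthnRequest>"""


def parse_authn_request(xml_text):
    """Extract the fields the ACS check needs from a SAML 2.0 AuthnRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "binding": root.get("ProtocolBinding"),
    }


def _normalize(url):
    # Scheme and host are case-insensitive; path and query are compared
    # literally, so neither a look-alike host such as
    # "sp.yourdomain.com.evil.example" nor a path such as "/samlconsumer/../x"
    # can match a registered endpoint (assumed policy for this example).
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path, parts.query)


def resolve_acs(request, metadata=PARTNER_METADATA, accept_acs_in_request=True):
    """Return (acs_url, reason); acs_url is None when the request is rejected.

    On success the URL returned is the metadata copy, not the request's own
    string, so an assertion can only ever be posted to a registered endpoint.
    """
    partner = metadata.get(request["issuer"])
    if partner is None:
        return None, "unknown Issuer"
    requested = request["acs_url"]
    if requested is None:
        # No ACS URL in the request: fall back to the endpoint from metadata.
        return partner["default_acs"], "ok (metadata default)"
    if not accept_acs_in_request:
        # Behaviour described in the thread: the attribute is not honoured
        # unless the partnership setting is enabled.
        return None, "ACS URL in AuthnRequest not accepted for this partner"
    for reg_binding, reg_url in partner["acs"]:
        binding_ok = request["binding"] in (None, reg_binding)
        if binding_ok and _normalize(reg_url) == _normalize(requested):
            return reg_url, "ok (matched metadata)"
    return None, "AssertionConsumerServiceURL does not match partner metadata"


if __name__ == "__main__":
    req = parse_authn_request(AUTHN_REQUEST)
    print(resolve_acs(req))
    print(resolve_acs(req, accept_acs_in_request=False))
    print(resolve_acs(dict(req, acs_url="https://sp.yourdomain.com.evil.example/samlconsumer")))
```

The point of the exact match is the security property the setting protects: an unsigned AuthnRequest is attacker-controllable, so an IdP that trusted AssertionConsumerServiceURL without checking it against metadata could be made to POST a signed assertion for the victim's session to any URL the attacker names. Rejecting the request, as the Legacy model does, and matching against the registered list, as the Partnership setting does, are the two safe behaviours; accepting the request's value unchecked is not.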