
SAMLv2 SP initiated: One Service Provider and multiple Identity Providers

Developer https://www.devze.com 2023-01-31 05:50 Source: Internet

I need to use one Service Provider with multiple identity providers (IdPs). Each IdP is connected to the SP by using a subdomain, i.e. http://subdomain1.mysite.com connects to idp1, http://subdomain2.mysite.com connects to idp2, etc. My Assertion Consumer Service URL then looks like this: https://mysite.com/SAML/AssertionConsumerService.aspx.

The problem is that I need to know which IdP the response is coming from in the AssertionConsumerService.aspx code, so I can load the right certificate. I've tried the issuer, response destination and other means with no luck.

Does anyone know a good way to differentiate between IdPs from the response, and/or best practices? Or is there a standard way to do this?

I'm using http://www.componentspace.com/Products/SAMLv20.aspx


As you have noticed, if you have the same ACS URL for all IDPs, then the Destination will always be the same in the Assertion.

Each IDP should (must?) have its own unique Issuer, at the very least if they also each have their own public cert they are signing with. In my experience, PingFederate and other servers ensure they are loading the correct configuration information when validating a Response. Not sure why Issuer wouldn't work for you in this situation as well.

You can get into situations where "different" IDPs from the same company may be sending you Responses with the same Issuer and different DSIG certs and AttributeStatements but that should not really happen in most cases.

HTH Ian


In our system, we have an entity that represents the client (we call it a "service domain") and require that the client identify that entity by name either as the Issuer element value or the Issuer SPProvidedID attribute value. SAML configuration on our end (SP) is associated with that "service domain" entity, including, for instance, the public key certificate for verifying their digital signature.

I'd say using the Issuer value is more appropriate than trying to key off subdomains.

0
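Both answers recommend keying the SP configuration off the Issuer rather than the shared ACS URL. The following is an added example (not from the question, the answers, or ComponentSpace) of that dispatch step in Python: it reads the Issuer from a samlp:Response, looks up the matching IdP entry (registry, entityIDs, tenant names and certificate placeholders are all assumed), checks that each Assertion's Issuer agrees, and rejects unknown issuers. The returned certificate is what the subsequent XML signature verification must use; the Issuer is only trusted once that verification passes.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_URL = "https://mysite.com/SAML/AssertionConsumerService.aspx"

# Hypothetical SP-side registry keyed by each IdP's entityID (its Issuer value); certs are placeholders.
IDP_REGISTRY = {
    "https://idp1.example.org/saml": {"tenant": "subdomain1", "cert": "IDP1-CERT-PLACEHOLDER"},
    "https://idp2.example.org/saml": {"tenant": "subdomain2", "cert": "IDP2-CERT-PLACEHOLDER"},
}

def select_idp(response_xml: str) -> dict:
    """Pick the IdP config by Issuer; the signature check with that cert comes next."""
    root = ET.fromstring(response_xml)  # use defusedxml for untrusted input
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination is the shared ACS URL, so it cannot tell IdPs apart, but must still be ours.
    if root.get("Destination") not in (None, ACS_URL):
        raise ValueError("Destination is not our ACS URL")
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if not issuer:
        raise ValueError("Response has no Issuer")
    cfg = IDP_REGISTRY.get(issuer)
    if cfg is None:
        raise ValueError(f"unknown Issuer {issuer!r}")
    # Every Assertion carries its own Issuer; it must agree with the Response's.
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        if (assertion.findtext(f"{{{SAML}}}Issuer") or "").strip() != issuer:
            raise ValueError("Assertion Issuer differs from Response Issuer")
    return {"issuer": issuer, **cfg}

def rejection_reason(response_xml: str) -> str:
    """'' when select_idp accepts the Response, otherwise the error text."""
    try:
        select_idp(response_xml)
        return ""
    except (ValueError, ET.ParseError) as exc:
        return str(exc)

def sample_response(issuer: str, assertion_issuer: str = "") -> str:
    """Constructed, unsigned sample Response used only for demonstration."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" IssueInstant="2023-01-31T05:50:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-31T05:50:00Z">
    <saml:Issuer>{assertion_issuer or issuer}</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""
```

The subdomain the browser arrived on can still be compared against the selected tenant afterwards as a consistency check, but it is the Issuer plus the signature that identifies the IdP.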
