Question 1: When using NetScaler as an IDP, if the SAML SP sends dynamic ACS URLs in the SAML AuthnRequest, what is the expected behavior of NetScaler?
Answer: Preference is always given to the hard-coded ACS URL. In other words, if an ACS URL is configured in the SAML IDP profile on NetScaler, the client/browser will always be redirected to the configured ACS URL after authentication, irrespective of the ACS URL the SP sends in the SAML AuthnRequest.
Question 2: My SAML SP, by design, uses dynamic ACS URLs in the SAML AuthnRequest, and expects the IDP to redirect the client/browser after authentication to the ACS URL indicated by the SP. Can this be accomplished using NetScaler as an IDP?
Answer: Yes. In such cases, leave the ACS URL blank in the SAML IDP profile configuration. NetScaler will then redirect the client/browser to the ACS URL received in the SAML AuthnRequest.
NetScaler only supports up to 127 characters in the ACS URL. If the ACS URL exceeds 127 characters, you will see the following error message after logon: “Target URL not found for redirect after successful logon. Please contact your administrator”
and the following message in nslog: “AAATM: LOGIN: invalid redirect url samlProf_SSRS”
If you are seeing these issues, verify the length of the ACS URL in the SAML AuthnRequest using SAML tracer.
Relaxing this limitation is on the roadmap for future releases. Please check for issue ID #699478 in the release notes.
Question 3: Is there any way to use dynamic ACS URLs while having a fixed ACS URL value in the NetScaler IDP configuration?
Answer: Not on NetScaler (see the answer to Question 1). However, the following can be tried at the application (SP) level.
1) When the user first arrives at the SP, cache the originally requested URL and map it to the “ID” attribute of the outgoing SAML AuthnRequest.
2) Once the user lands back on the SP (after authentication at the IDP), look for the “InResponseTo” attribute in the SAML Response.
The correlation: SAML Request “ID” attribute = SAML Response “InResponseTo” attribute.
Using this correlation, look up the original request URL and redirect the user back to it.
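An added example (not NetScaler/Citrix code and not from the original page) of the SP-side correlation described in Question 3, together with the ACS URL length check suggested under Question 2. It is standard-library Python; the SP and IDP URLs, the in-memory request store, and the minimal Response document are constructed assumptions for the demo, and signature validation of the Response is assumed to have already happened before the lookup.

```python
"""SP-side correlation of a SAML AuthnRequest ID with the SAML Response InResponseTo.

Added example, not NetScaler code. Standard library only. The request store is an
in-memory dict standing in for a server-side session/cache (assumption).
"""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ACS_URL_MAX_LEN = 127  # limit for the ACS URL on NetScaler, as described above

# Hypothetical SP and IDP endpoints (assumptions for the example).
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/saml/login"

# AuthnRequest ID -> originally requested URL. In production keep this server-side
# and expire entries, so a stale or guessed ID cannot steer a redirect.
_pending_requests: Dict[str, str] = {}


def build_authn_request(original_url: str, acs_url: str = ACS_URL) -> Tuple[str, str]:
    """Step 1: mint an AuthnRequest ID, remember the URL the user asked for, return (ID, XML)."""
    # SAML IDs must be valid XML NCNames, hence the leading underscore.
    request_id = "_" + secrets.token_hex(16)
    _pending_requests[request_id] = original_url
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )
    return request_id, xml


def acs_url_length_ok(authn_request_xml: str) -> bool:
    """Question 2 check: does the ACS URL in the AuthnRequest fit the 127-character limit?"""
    root = ET.fromstring(authn_request_xml)
    acs = root.get("AssertionConsumerServiceURL", "")
    return 0 < len(acs) <= ACS_URL_MAX_LEN


def resolve_return_url(saml_response_xml: str) -> Optional[str]:
    """Step 2: read InResponseTo from the Response and pop the matching original URL.

    Returns None for an unsolicited Response or one that matches no pending request
    (replayed, already consumed, or forged ID) so the caller can reject it instead of
    falling back to an attacker-influenced redirect.
    """
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return None
    in_response_to = root.get("InResponseTo")
    if not in_response_to:
        return None
    # pop, not get: each AuthnRequest ID may be consumed exactly once.
    return _pending_requests.pop(in_response_to, None)


def make_sample_response(in_response_to: str) -> str:
    """Constructed minimal Response for the demo (no Assertion or Signature; not a real IDP message)."""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_{secrets.token_hex(8)}" Version="2.0" '
        f'IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
        f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'</samlp:Response>'
    )


if __name__ == "__main__":
    req_id, authn = build_authn_request("https://sp.example.com/reports/quarterly?id=42")
    print("ACS URL within 127 chars:", acs_url_length_ok(authn))
    print("redirect to:", resolve_return_url(make_sample_response(req_id)))
    print("replayed response resolves to:", resolve_return_url(make_sample_response(req_id)))
```

Because the original URL is recovered from the SP's own store rather than from anything the IDP or browser sends back, the fixed ACS URL on NetScaler no longer limits where the user ends up, and an InResponseTo that does not match a pending request is a signal to reject the Response.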