
Assertion Consumer Services

An assertion consumer service is a technical aspect of deploying Shibboleth on a web server. Supporting the SAML authentication protocol requires that one or more URLs hosted on the server be designated as special locations called "assertion consumer services". They act as "reception" points for the HTML form submission or redirect that establishes a new user session. The service itself is implemented by the Shibboleth software, which intercepts and handles requests made to these URLs. It isn't a physical file or script you create, but simply a virtual web resource served by the software internally.

Part of the security of the protocol relies on the ability of the identity provider to know that redirecting the user's browser with authentication information to a particular URL will transfer the user to a particular service provider. Therefore, it is important for the locations used by a service provider to be supplied during the registration process and maintained if they change. It's also very important that requests to these URLs be protected by SSL. Shibboleth is not a secure protocol unless SSL is used when establishing new user sessions. SSL should be used whenever possible during all application requests, but it is most essential that it be used here.

This sounds complex, but it's ordinarily not. Shibboleth designates the relative paths /Shibboleth.sso/SAML/POST and /Shibboleth.sso/SAML/Artifact on any virtual host on which it is configured as assertion consumer services. Shibboleth also adds a handful of additional endpoints for SAML 2.0 support. This means, for example, that in most configurations a service provider's ACS URLs are simply https://<yourhostname>/Shibboleth.sso/SAML/POST and so forth. This assumes that SSL is used and the server is running on the default port.

The software provides a great deal of flexibility (and a lot of automation) in establishing alternative assertion consumer service locations on your web server, supporting virtual hosting, forcing the use of SSL, etc. But in most cases, all you need to do is use the default location and specify it when you register your service. Each URL that might be used needs to be registered, including any virtual hostnames that are to be supported, alternative ports used, and, in unusual cases, more specific URLs within the document tree.
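As an added illustration (not part of this page or of the Shibboleth software), the following Python script audits the AssertionConsumerService locations in a service provider's SAML metadata against the rules described above: every location must use https, sit under /Shibboleth.sso/, and use a hostname (and non-default port) that was supplied at registration. The metadata, the hostnames and the registered-host set are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample SP metadata (hypothetical hosts): one compliant ACS,
# one served over plain http, and one on an unregistered host/port.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.edu/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.edu/Shibboleth.sso/SAML2/POST"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="http://app.example.edu/Shibboleth.sso/SAML/POST"/>
    <AssertionConsumerService index="3"
        Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://dev.example.edu:8443/Shibboleth.sso/SAML/Artifact"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acs_locations(metadata_xml):
    """Extract every AssertionConsumerService Location from SP metadata."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}AssertionConsumerService"
    return [el.get("Location") for el in root.iter(tag)]


def check_acs(location, registered_hosts):
    """Return the problems found with one ACS URL (empty list = passes).

    registered_hosts: set of 'host' or 'host:port' strings given at
    registration; port 443 (the https default) is normalised away.
    """
    u = urlsplit(location)
    problems = []
    if u.scheme != "https":
        problems.append("not https")           # sessions must be established over SSL
    host = u.hostname or ""
    netloc = f"{host}:{u.port}" if u.port and u.port != 443 else host
    if netloc not in registered_hosts:
        problems.append(f"host {netloc} not registered")
    if not u.path.startswith("/Shibboleth.sso/"):
        problems.append("not under /Shibboleth.sso/")
    return problems


def audit(metadata_xml, registered_hosts):
    """Map each ACS location in the metadata to its list of problems."""
    return {loc: check_acs(loc, registered_hosts) for loc in acs_locations(metadata_xml)}
```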

If you have questions, just indicate that in your registration e-mail and you will be contacted and assisted in providing the information and configuring the software for your needs.