I see. We can make the AssertionConsumerServiceURL optional then. In this case, we can rely in the Issuer element to identity the relying party.
The specs also defines the Issuer element as optional, but AFAIK it is fairly used and also a best practice. The Interoperable SAML 2.0 Profile [1] and Profiles for SAML [2] as well define this attribute as a MUST.
[1] http://saml2int.org/ [2] http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
|