Difference between AssertionConsumerServiceURL, Destination, Consent in <saml:AuthnRequest>

mavis · Feb 4, 2014 · Viewed 14.1k times

I have been trying to generate a SAML object using opensaml-java.

Ref: slide #30 in https://www.oasis-open.org/committees/download.php/12958/SAMLV2.0-basics.pdf

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        ForceAuthn="true"
                        AssertionConsumerServiceURL="http://www.example.com/"
                        AttributeConsumingServiceIndex="0" ProviderName="string"
                        ID="abe567de6"
                        Version="2.0"
                        IssueInstant="2005-01-31T12:00:00Z"
                        Destination="http://www.example.com/"
                        Consent="http://www.example.com/">
</samlp:AuthnRequest>

In this, Destination, Consent and AssertionConsumerServiceURL all represent the same address. What are they actually representing?

[Q.1] Is there any difference between them? Surely there must be some difference, otherwise they wouldn't have all three things.

Or, if there is no difference, what are they representing?

EDIT 1: AssertionConsumerServiceURL is the landing page of the IdP where the assertion response message from the IdP is expected.

Answer

Vladimír Schäfer · Apr 27, 2014

Destination (defined in SAML 2 Core, lines 1477-1482)

Destination is the URL of the endpoint you are sending the message to. Typically SAML peers have different endpoints for different bindings, and the value is used at the IDP to verify that the received message was actually intended for the place where it was received. It helps mitigate certain attack scenarios.

Consent (defined in SAML 2 Core, lines 1483-1488)

The value is just advice to the IDP about the way the sender received permission from the principal (typically a user) to issue this SAML message on her behalf. It's optional and typically unused.

AssertionConsumerServiceURL (defined in SAML 2 Core, lines 2061-2067)

Identifies the URL at your side where the peer IDP must send the response. When you use this attribute you should also specify ProtocolBinding. The value is mutually exclusive with AssertionConsumerServiceIndex, so you shouldn't use both at the same time.
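The three attributes only coincide in the slide because it uses a placeholder URL. The added example below (not part of the question or the answer, and not opensaml-java; it uses only the Python standard library so it runs stand-alone) builds an AuthnRequest with the three attributes set to three different addresses, then applies the receiving-side checks the answer describes: Destination must equal the endpoint the IdP actually received the message on, AssertionConsumerServiceURL must be one the SP registered (an IdP that honours an arbitrary ACS URL hands the assertion to whoever supplied it), AssertionConsumerServiceURL and AssertionConsumerServiceIndex must not both appear, ProtocolBinding should accompany the URL, and Consent is recorded but never used to accept or reject. The SP and IdP URLs, the registered ACS list and the consent identifiers are constructed test data and assumptions of this example.

```python
"""Build a SAML 2.0 AuthnRequest and check it the way an IdP SSO endpoint should.

Added example, not code from the original post. All URLs below are constructed
test data. In production, parse untrusted XML with defusedxml and verify the
request signature (or bind the SP to metadata) before trusting any attribute.
"""
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CONSENT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"

# Constructed test data (assumptions of this example): the SP's entity ID, the ACS
# endpoints an IdP would load from that SP's metadata, and the IdP's SSO endpoint.
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"
REGISTERED_ACS = {"https://sp.example.com/saml/acs"}
IDP_SSO_ENDPOINT = "https://idp.example.org/saml/sso"


def build_authn_request(issuer, destination, acs_url, consent=CONSENT_UNSPECIFIED):
    """SP side. The three attributes are three different things:
    Destination                 - where this message is going (IdP SSO endpoint)
    AssertionConsumerServiceURL - where the IdP must deliver the Response (on the SP)
    Consent                     - how the SP obtained the user's consent (advice only)
    """
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,  # xs:ID must be an NCName, so it must not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "Consent": consent,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST,  # goes together with AssertionConsumerServiceURL
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


def validate_authn_request(xml_text, received_at, registered_acs):
    """IdP side. Returns a list of problems; an empty list means the request is acceptable."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ["not a samlp:AuthnRequest"]
    a = root.attrib

    # Destination: the message must have been meant for the endpoint that received it.
    # A mismatch means the message was replayed at, or redirected to, another endpoint.
    if "Destination" in a and a["Destination"] != received_at:
        problems.append(f"Destination {a['Destination']!r} != receiving endpoint {received_at!r}")

    # URL and Index are mutually exclusive ways of naming the SP's ACS endpoint.
    has_url = "AssertionConsumerServiceURL" in a
    has_idx = "AssertionConsumerServiceIndex" in a
    if has_url and has_idx:
        problems.append("AssertionConsumerServiceURL and AssertionConsumerServiceIndex both present")

    # Only deliver the Response to an ACS the SP registered. Accepting any URL the
    # request names would let an attacker point the assertion at their own host.
    if has_url:
        if a["AssertionConsumerServiceURL"] not in registered_acs:
            problems.append(f"unregistered ACS URL {a['AssertionConsumerServiceURL']!r}")
        if "ProtocolBinding" not in a:
            problems.append("ProtocolBinding missing alongside AssertionConsumerServiceURL")

    # Consent is advisory: log it, never branch on it.
    consent = a.get("Consent", CONSENT_UNSPECIFIED)
    print(f"consent advice from SP: {consent}")
    return problems


if __name__ == "__main__":
    good = build_authn_request(SP_ENTITY_ID, IDP_SSO_ENDPOINT, "https://sp.example.com/saml/acs")
    print(good)
    print("good request:", validate_authn_request(good, IDP_SSO_ENDPOINT, REGISTERED_ACS))
    stolen = build_authn_request(SP_ENTITY_ID, IDP_SSO_ENDPOINT, "https://attacker.example.net/acs")
    print("foreign ACS:", validate_authn_request(stolen, IDP_SSO_ENDPOINT, REGISTERED_ACS))
    print("wrong endpoint:", validate_authn_request(good, IDP_SSO_ENDPOINT + "-redirect", REGISTERED_ACS))
```

The same ACS check applies when the request carries AssertionConsumerServiceIndex instead of the URL: the index is resolved against the SP's metadata, so the IdP never sends a Response to an address it did not already know.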