Open
Description
I could be misunderstanding the disableRequestAcsUrl feature, or I could be testing it wrong, but it seems like it does not work as advertised.
Here is my server file:
```js
const { runServer } = require('saml-idp')
const path = require('path')

runServer({
  disableRequestAcsUrl: true,
  audience: 'test',
  acsUrl: 'i am so invalid',
  cert: path.join(__dirname, 'idp-public-cert.pem'),
  key: path.join(__dirname, 'idp-private-key.pem')
})
```
It seems like the SAMLResponse is posted back to the requested ACS URL, even though the disableRequestAcsUrl flag is set. I would expect it to post to the invalid acsUrl.
Looking at the code, it seems like the getPostURL function that is passed to samlp does not take into account whether this flag is set, so the postUrl is always the requested ACS URL.
I'm happy to open a PR if this is a bug. And thanks for the library!