Weblogin Auth SDK

Skip Endpoint Validation

How to use a single IdP configuration for multiple environments.

The Problem

SAML Identity Providers (IdPs) typically require a strict match between the Assertion Consumer Service (ACS) URL registered for your Service Provider (SP) in the IdP's metadata and the AssertionConsumerServiceURL sent in the SAML AuthnRequest. A request whose ACS URL is not registered is rejected.

This creates a challenge for:

  • Local development (localhost)
  • Deploy previews (dynamic URLs like *.netlify.app)
  • Staging environments

Traditionally, you would need to register a separate ACS URL for each environment, which is impractical when preview URLs change with every deploy.

The Solution

The weblogin-auth-sdk supports a skipRequestAcsUrl option. When enabled, the SDK does not send the AssertionConsumerServiceURL attribute in the SAML AuthnRequest.

Stanford's IdP supports this via the skipEndpointValidation feature. With it enabled for your SP, the IdP accepts requests from any URL as long as the Entity ID matches and the request is signed with the registered certificate.

Note what this changes in the trust model: the IdP no longer binds assertions for your Entity ID to a registered URL, only to your signing key. Anyone holding that private key can have assertions delivered to a URL of their choosing, so keep the key out of source control and preview build logs, and leave the option disabled in production.

Configuration

1. Update lib/auth.ts

Enable the skipRequestAcsUrl option and ensure metadata signing is enabled.

lib/auth.ts

saml: {
  // ... other config

  // Enable signing of metadata (required by the IdP for this feature)
  signMetadata: true,

  // Omit the AssertionConsumerServiceURL from the AuthnRequest; gated by an
  // environment variable so production keeps strict ACS validation
  skipRequestAcsUrl: process.env.WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION === 'true',
}

2. Environment Variables

Set this variable only in your non-production environments (localhost, previews, staging). Any value other than the exact string "true" leaves ACS validation enabled.

.env.local

WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION="true"

3. IdP Registration (spdb.stanford.edu)

When registering your SP with SPDB, enable skipEndpointValidation for your Entity ID. You must provide SP metadata that includes a valid signing certificate; the IdP will not skip endpoint validation for an SP whose metadata is unsigned.
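The three steps above reduce to one configuration decision and one change on the wire. The following is an added example, not code from the weblogin-auth-sdk or from this page: it derives the SDK options from the environment with a guard that refuses to skip ACS validation in production, and it serializes an AuthnRequest so you can see exactly which attribute skipRequestAcsUrl drops. The SamlOptions and SpIdentity shapes, buildSamlOptions, buildAuthnRequest, the NODE_ENV check and the sample Entity ID and URLs are all assumptions for this example; only signMetadata, skipRequestAcsUrl and the WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION variable come from the page. Request signing (the XML-DSig Signature element the IdP requires) is left to the SDK and not shown.

```typescript
import { randomUUID } from 'node:crypto';

// Hypothetical option shape for this example; the real SDK options shown on
// the page are signMetadata and skipRequestAcsUrl.
export interface SamlOptions {
  entityId: string;          // Entity ID registered with the IdP (same in every environment)
  idpSsoUrl: string;         // IdP single sign-on endpoint, used as the request Destination
  acsUrl: string;            // this environment's callback URL
  signMetadata: boolean;
  skipRequestAcsUrl: boolean;
}

export interface SpIdentity {
  entityId: string;
  idpSsoUrl: string;
  acsUrl: string;
}

export class SamlConfigError extends Error {}

// Derives SAML options from an environment map (process.env in practice).
// Three guard rails the one-line config leaves implicit:
//  - only the exact string "true" enables skipping, so "1" or "TRUE" do not;
//  - production never skips ACS validation, whatever the variable says;
//  - skipping always goes together with signed metadata, which the IdP requires.
export function buildSamlOptions(
  env: Record<string, string | undefined>,
  sp: SpIdentity,
): SamlOptions {
  const skipRequested = env.WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION === 'true';
  if (skipRequested && env.NODE_ENV === 'production') {
    // With validation skipped the IdP trusts any ACS URL for this Entity ID,
    // so a misconfigured production deploy must fail closed, not open.
    throw new SamlConfigError(
      'WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION must not be enabled in production',
    );
  }
  return { ...sp, signMetadata: true, skipRequestAcsUrl: skipRequested };
}

function escapeXml(value: string): string {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Serializes an AuthnRequest. The only on-the-wire effect of skipRequestAcsUrl
// is that the AssertionConsumerServiceURL attribute is left out entirely.
export function buildAuthnRequest(
  opts: SamlOptions,
  id: string = `_${randomUUID()}`,               // xs:ID values may not start with a digit
  issueInstant: string = new Date().toISOString(),
): string {
  const attrs = [
    `ID="${escapeXml(id)}"`,
    'Version="2.0"',
    `IssueInstant="${escapeXml(issueInstant)}"`,
    `Destination="${escapeXml(opts.idpSsoUrl)}"`,
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
  ];
  if (!opts.skipRequestAcsUrl) {
    attrs.push(`AssertionConsumerServiceURL="${escapeXml(opts.acsUrl)}"`);
  }
  return (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    `xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ${attrs.join(' ')}>` +
    `<saml:Issuer>${escapeXml(opts.entityId)}</saml:Issuer>` +
    '</samlp:AuthnRequest>'
  );
}

// Constructed sample input: a deploy preview that shares the production Entity ID.
export const previewSp: SpIdentity = {
  entityId: 'https://myapp.example.edu/sp',
  idpSsoUrl: 'https://idp.example.edu/idp/profile/SAML2/Redirect/SSO',
  acsUrl: 'https://deploy-preview-42--myapp.netlify.app/api/auth/callback',
};
```

Running buildSamlOptions with NODE_ENV=development and the variable set to "true" yields skipRequestAcsUrl: true, and the resulting AuthnRequest carries no AssertionConsumerServiceURL; the same variable under NODE_ENV=production throws before any request is built. Because every environment presents the same Entity ID and the same signing key, the env-var gate is the only thing standing between a preview convenience and a production SP that accepts assertions at any URL.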

Important Notes

  • Signed Metadata Required: The IdP verifies the signature on your metadata before it will trust requests that carry no registered ACS URL.
  • Same Entity ID: All environments must use the same Entity ID registered with the IdP; a preview with a different Entity ID is simply an unknown SP.
  • Same Certificates: All environments must use the same signing certificate registered with the IdP, which means the matching private key has to be present in every preview and staging deployment. Distribute it through your platform's secret store, not through committed files.
  • Production Stays Strict: Leave WEBLOGIN_AUTH_SAML_SKIP_ACS_VALIDATION unset in production so the IdP continues to validate the ACS URL there.