Haka's organization selection service (Discovery Service, DS) is based on the SAML Identity Provider Discovery Service Protocol specification (https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.pdf). The protocol works through browser redirects, and open redirects are a means of phishing for user data. To reduce the risk, the protocol defines a check of the return addresses used, so that the selection service only redirects to the destinations the service has registered.

Setting the response address

In Haka's Resource Register, it is possible to enter "Discovery Response URL" values. The address to which the user is redirected after selecting the organization should be entered here. Once the DS addresses have been set, redirection back to the service is only possible to the addresses listed here.

Verifying the response address

The address used by the service (SP) can be checked by starting the user's login in the service. The address is transmitted as a parameter of the request to the DS service, where it can be inspected in the browser and compared with the information in the Resource Register and in the Haka metadata.

In the example, Haka's attribute test service https://firmitas.csc.fi/haka was used, and the login was started from there. The message was viewed using the Firefox SAML Tracer add-on.

If the address sent by the service differs from the one stated in the metadata, the DS refuses to send the user back to the service and the login is blocked.
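The check described above, as an added example that is not Haka's or CSC's own code: it takes the DS request URL as seen in SAML Tracer, looks up the requesting SP's DiscoveryResponse endpoints in SAML metadata, and decides whether the return parameter may be honoured. The metadata, the SP entityID https://sp.example.org/shibboleth and the DS address https://ds.example.net/DS are constructed placeholders. The matching rule, comparing the return parameter without its query string against the registered Location values and falling back to the default endpoint when return is absent, is my reading of the Discovery Service Protocol specification.

```python
"""Discovery Service return-URL check (example code, constructed sample data)."""
from urllib.parse import urlsplit, urlunsplit, parse_qs
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "idpdisc": "urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol",
}

# Constructed metadata for a hypothetical SP with two registered
# DiscoveryResponse endpoints (the "Discovery Response URL" values).
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <idpdisc:DiscoveryResponse
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://sp.example.org/Shibboleth.sso/Login" index="1" isDefault="true"/>
        <idpdisc:DiscoveryResponse
            Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
            Location="https://sp.example.org/Shibboleth.sso/DS" index="2"/>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def discovery_response_locations(metadata_xml, entity_id):
    """Return [(Location, isDefault)] for the SP with the given entityID."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        return [
            (dr.get("Location"), dr.get("isDefault") == "true")
            for dr in ed.iter("{%s}DiscoveryResponse" % NS["idpdisc"])
        ]
    return []  # unknown SP: nothing registered


def strip_query(url):
    """Drop query string and fragment; only scheme, host and path are compared."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def resolve_return_url(metadata_xml, ds_request_url):
    """Decide where the DS may redirect for this request, or None to refuse.

    ds_request_url is the request the browser sends to the DS, e.g. as shown
    by SAML Tracer. parse_qs URL-decodes the entityID and return parameters.
    """
    query = parse_qs(urlsplit(ds_request_url).query)
    entity_id = query.get("entityID", [None])[0]
    if entity_id is None:
        return None
    locations = discovery_response_locations(metadata_xml, entity_id)
    if not locations:
        return None  # SP not in metadata: refuse

    ret = query.get("return", [None])[0]
    if ret is None:
        # No return parameter: use the endpoint marked isDefault, else the first one.
        for loc, is_default in locations:
            if is_default:
                return loc
        return locations[0][0]

    # The SP normally appends its own query (SAMLDS=1&target=...), so only the
    # part before the query string must match a registered Location exactly.
    if strip_query(ret) in {loc for loc, _ in locations}:
        return ret
    return None  # forged or unregistered return address: block the login


if __name__ == "__main__":
    good = ("https://ds.example.net/DS?entityID=https%3A%2F%2Fsp.example.org%2Fshibboleth"
            "&return=https%3A%2F%2Fsp.example.org%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dcookie")
    bad = ("https://ds.example.net/DS?entityID=https%3A%2F%2Fsp.example.org%2Fshibboleth"
           "&return=https%3A%2F%2Fattacker.example.com%2FLogin")
    print("allowed:", resolve_return_url(SAMPLE_METADATA, good))
    print("refused:", resolve_return_url(SAMPLE_METADATA, bad))
```

When comparing what SAML Tracer shows with the Resource Register, the same rule applies by hand: the decoded return parameter up to its "?" must be exactly one of the registered Discovery Response URLs, scheme and host included.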
