AspNetCore signinasync fails if AssertionConsumerServiceUrl does not contain hostname

Our application needs to be able to use multiple URLs for sign-in, which are not known on application startup.

To achieve this, I am trying to configure AssertionConsumerServiceUrl to be relative to the url used for logging in.

With AssertionConsumerServiceUrl set to “/auth/saml/assertionconsumerservice”, the user is redirected to my AssertionConsumerService action, SignInAsync is successfully called & the login is logged as successful.

The user is then redirected to the site homepage, but then the HttpContext.User’s claims are empty, so the user is thrown back to the login page as an unauthenticated user.

If I change my configuration to use a full url for AssertionConsumerServiceUrl (ie , I see the user’s Claims flow through correctly & the user is succesfully logged into the application.

I am wondering why the HttpContext.User’s claims are empty if AssertionConsumerServiceUrl does not contain the host name?

Is this a bug in the SAML library? Or is there a configuration I can change to enable this relative AssertionConsumerServiceUrl to work?

Currently absolute URLs are required.
The AssertionConsumerServiceUrl is included in the SAML authn request sent to the identity provider.
The identity provider will post the SAML response to this URL.
Please contact us at so we can discuss this further and make this available to you in a beta release.