Tags: single-sign-on, saml-2.0, pingfederate

SAML 2 (Ping Federate) Should the AssertionConsumerServiceURL be accessible by the IdP?


We are building a website using SSO. We are on the SP side and don't have control over the IdP. We will have multiple environments, including local development servers.

The thing is, the AssertionConsumerServiceURL will not be accessible by the outside world (it would be something like 127.0.0.1/xyz), and I was told that it was a problem because the IdP needed to make a POST request to that server.

However, from what I understood of the "double post" method, only the user needs to be able to access the SP, and there is no direct communication between the SP and the IdP (since the user is the relay).

Could you please indicate if the IdP needs to access the SP "AssertionConsumerServiceURL" directly? If so, how should local development environments be handled?


Solution

  • The ACS URL will need to be accessible to the user of the SP for browser-based SSO (for both Redirect and POST bindings). As long as you have credentials for the IdP (unlikely in many situations, unless you control both sides) and can test end-to-end on your own (e.g., your company's "test harness"), then you will need to make the ACS URL/SP application available to the user.
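To make the browser-relay point concrete, here is an added example (not code from the question, the answer, or PingFederate) that simulates the SAML 2.0 HTTP-POST binding in one process: an "IdP" step that only emits an HTML auto-submit form, a "browser" step that submits it, and the SP's ACS handler. The only thing that ever reaches the ACS URL is the browser step, which is why a 127.0.0.1 ACS URL works for local development. The ACS URL, entity IDs, request ID, fixed clock and the unsigned sample Response are all assumptions constructed for the demo; a real SP must additionally verify the XML signature on the Response/Assertion (for example with python3-saml or pysaml2), which this example deliberately omits.

```python
import base64
import html
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for a local-development SP (not from the original post).
ACS_URL = "http://127.0.0.1:8000/saml/acs"
SP_ENTITY_ID = "http://127.0.0.1:8000/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.test/idp"
FIXED_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # frozen clock for the demo


def make_response(request_id):
    """Constructed, UNSIGNED sample Response the IdP would produce (demo only)."""
    stamp = FIXED_NOW.strftime("%Y-%m-%dT%H:%M:%SZ")
    expiry = (FIXED_NOW + timedelta(minutes=5)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="{stamp}" Destination="{ACS_URL}" InResponseTo="{request_id}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{stamp}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{request_id}" NotOnOrAfter="{expiry}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="{expiry}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def idp_build_post_page(response_xml, relay_state):
    """IdP side: return an auto-submitting HTML form to the BROWSER.
    The IdP never connects to ACS_URL; it only writes it into the form action."""
    encoded = base64.b64encode(response_xml.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(ACS_URL, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(encoded)}"/>'
        f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
        "</form></body></html>"
    )


def browser_submit(page):
    """User agent: read the form and POST its fields to the action URL (the relay hop)."""
    action = html.unescape(re.search(r'action="([^"]+)"', page).group(1))
    fields = {n: html.unescape(v) for n, v in re.findall(r'name="([^"]+)" value="([^"]*)"', page)}
    return action, fields


def sp_acs(posted_to, form, expected_request_id, now):
    """SP-side ACS: validate what the browser delivered; raise ValueError on any mismatch.
    (Signature verification omitted here; it is mandatory in a real SP.)"""
    if posted_to != ACS_URL:
        raise ValueError("form was not posted to our ACS URL")
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:          # stops responses minted for another SP
        raise ValueError("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:  # ties response to our AuthnRequest
        raise ValueError("InResponseTo does not match an outstanding request")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported non-success status")
    a = root.find("saml:Assertion", NS)
    if a is None or a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("missing assertion or unexpected Issuer")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        raise ValueError("Audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("Recipient mismatch")
    if now >= datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs, "relay_state": form.get("RelayState")}


def run_flow(response_xml, request_id="_req42", minutes_later=0):
    """Whole front-channel exchange: IdP page -> browser POST -> SP ACS."""
    action, form = browser_submit(idp_build_post_page(response_xml, "/after-login"))
    return sp_acs(action, form, request_id, FIXED_NOW + timedelta(minutes=minutes_later))


def acs_accepts(response_xml, request_id="_req42", minutes_later=0):
    """True if the SP would accept the response, False if any ACS check rejects it."""
    try:
        run_flow(response_xml, request_id, minutes_later)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_flow(make_response("_req42")))
```

Running it shows the accepted subject and attributes; changing the Destination/Recipient, reusing a stale request ID, or advancing the clock past NotOnOrAfter makes `acs_accepts` return False. Note that the IdP's only knowledge of the ACS URL is the string it was configured with, so a loopback address is fine for development as long as the developer's own browser can reach it.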