I am puzzled by the occurrence of these two fields in an AuthNRequest. At the
minimum there appears to be some redundancy here: Why isn't it always enough
AssertionConsumerURL to the right value?
Turning to the description of AssertionConsumerServiceIndex in core, the
sentence "It applies only to profiles in which the request issuer is different
from the presenter" confuses me even further. Does this mean that the Web SSO
profile does not use this attribute? At the same time there is a reference to
AssertionConsumerServiceIndex within the SSO profile (lines 490). Perhaps the
above sentence should be deleted? Obviously, profiles that mandate use of
this index will do so explicitly and there is no need to discuss it
preemptively in core.