Using HTTP redirect binding to read a SAML Response


Bruno Harbulot

Mar 25, 2009, 9:53:05 AM
to simple...@googlegroups.com
Hello,

I would like to use simpleSAMLphp in an SP. The authn responses I get
from my IdP are small enough to fit in the URL. Thus, it's possible to
use the HTTP redirect binding.

I've noticed that, currently, simpleSAMLphp only supports the HTTP POST
binding for reading responses. I've managed to get it to work with HTTP
GET/redirect with minor modifications to the code.
I'm attaching the patch corresponding to the changes I've made if you're
interested. If you feel this is appropriate, it would be good to see
this feature in the main code base (whether or not based on this
particular patch).


Best wishes,

Bruno.

0001-Using-HTTP-redirect-to-read-the-authn-response.patch

Olav Morken

Mar 27, 2009, 3:20:07 AM
to simple...@googlegroups.com

A problem with supporting the HTTP-Redirect binding for authentication
responses is that the HTTP-Redirect binding requires that the
Signature-element in the response is removed, and replaced with two
query parameters: SigAlg and Signature.

To properly handle an authn response with the HTTP-Redirect binding,
one would therefore have to (1) validate the signature on the
HTTP-Redirect message, and (2) in some way communicate to the
AuthnResponse class that the message is already signed.

(1) is already supported by simpleSAMLphp for other HTTP-Redirect
messages, and should therefore be relatively simple to add.

(2) would require more work, as the AuthnResponse class currently
expects to find a Signature element in the message.

Note that I'm not against this change - I only think that if we should
add support for this, it should be done in a more standards-compliant
way.

--
Olav Morken
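Olav's two points above, verifying the signature at the binding level and then telling the next layer that the message is already signed, as an added example that is not code from this thread or from simpleSAMLphp: a minimal IdP/SP pair for the SAML 2.0 HTTP-Redirect binding written in Go against the standard library only. The sample response XML, the RelayState value and all function and type names are constructed for this example; what comes from the binding specification is the encoding (raw DEFLATE, base64, URL-encoding) and the rule that the signature covers the URL-encoded SAMLResponse, RelayState and SigAlg parameters, in that order, joined with `&`.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"io"
	"net/url"
	"strings"
)

// SigAlg URI for RSA-SHA256, carried as a query parameter by the binding.
const SigAlgRSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// Constructed sample response (not from the thread). It carries no ds:Signature
// element: in the HTTP-Redirect binding the signature lives in the query string.
const SampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_example" Version="2.0"><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status></samlp:Response>`

// deflateBase64 applies the binding's encoding: raw DEFLATE, then base64.
func deflateBase64(msg []byte) string {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression) // valid level; in-memory writes do not fail
	w.Write(msg)
	w.Close()
	return base64.StdEncoding.EncodeToString(buf.Bytes())
}

// inflateBase64 reverses deflateBase64, capping output against decompression bombs.
func inflateBase64(s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(raw)), 1<<20))
}

// signedData joins the already URL-encoded values in the order the binding fixes:
// SAMLResponse, then RelayState if present, then SigAlg. These octets are what is signed.
func signedData(rawMsg, rawRelay, rawSigAlg string) string {
	parts := []string{"SAMLResponse=" + rawMsg}
	if rawRelay != "" {
		parts = append(parts, "RelayState="+rawRelay)
	}
	return strings.Join(append(parts, "SigAlg="+rawSigAlg), "&")
}

// BuildRedirectQuery is the IdP side: encode the response and sign the query string.
func BuildRedirectQuery(priv *rsa.PrivateKey, response []byte, relayState string) (string, error) {
	data := signedData(url.QueryEscape(deflateBase64(response)), url.QueryEscape(relayState), url.QueryEscape(SigAlgRSASHA256))
	sum := sha256.Sum256([]byte(data))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return data + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifiedResponse is what the SP hands to the next layer (point (2) in the thread).
type VerifiedResponse struct {
	Response    []byte // decoded XML; it contains no Signature element
	QuerySigned bool   // the signature was already checked at the binding level
}

// VerifyRedirectQuery is the SP side. It hashes the raw (still-encoded) query octets,
// because re-encoding decoded values may not reproduce the bytes the IdP signed.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) (*VerifiedResponse, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	if q.Get("SAMLResponse") == "" || q.Get("Signature") == "" || q.Get("SigAlg") != SigAlgRSASHA256 {
		return nil, errors.New("missing SAMLResponse/Signature or unsupported SigAlg")
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(signedData(raw["SAMLResponse"], raw["RelayState"], raw["SigAlg"])))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("Signature does not cover SAMLResponse/RelayState/SigAlg")
	}
	xml, err := inflateBase64(q.Get("SAMLResponse"))
	if err != nil {
		return nil, err
	}
	return &VerifiedResponse{Response: xml, QuerySigned: true}, nil
}
```

Two design choices matter for an SP. The verifier rebuilds the signed string from the raw query octets rather than from decoded-and-re-escaped values, since a different escaping of the same value (for instance `+` versus `%20`) would make a genuine signature fail. It also accepts exactly one SigAlg from an allow-list instead of trusting whatever algorithm URI the sender names; a response that merely omits the Signature parameter, or presents an unsigned `samlp:Response` XML with no binding-level signature, is rejected before the XML is even inflated.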

Bruno Harbulot

Apr 5, 2009, 11:07:15 AM
to simple...@googlegroups.com

Thanks. You're right. I got around this problem in my use-case by
signing the assertion contained in the AuthnResponse, rather than the
AuthnResponse itself.
I'll try to look further into this.

Best wishes,

Bruno.
