SAML with path param callback type results in 414 Request-URI Too Large

[Tomi Karlstedt]

Hello,

We tried configuring our CAS 7 as SAML service provider with cas.authn.pac4j.saml[0].callback-url-type set to PATH_PARAMETER. We do this since one of our IDPs seems to be picky about query parameters. As far as I can tell, configuring CAS like this creates a new callback endpoint like /cas/login/{client_name} and this endpoint just redirects SAML responses to /cas/login?client_name={client_name}. 

However, our problem is that the redirect request is of course a GET request which means the SAML response moves from the original POST request body to a query parameter. Our SAML responses are signed so they are quite long and we are now hitting AWS ELB request URL character limit with the redirect.

Any ideas what could we do if we have to use PATH_PARAMETER type callback URLs?

Tomi

[Ray Bon]

Tomi,

Perhaps this config:

cas.authn.pac4j.saml[0].destination-binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

default value is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Tomi Karlstedt <tok...@reaktor.fi>
Sent: May 7, 2025 00:42
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] SAML with path param callback type results in 414 Request-URI Too Large

 

You don't often get email from tok...@reaktor.fi. Learn why this is important

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ed067915-0c4e-4fe3-abe8-cd06e3627aa3n%40apereo.org.