SSO HTTP-POST Binding not supported?

Tyler Shen

Aug 8, 2013, 10:21:18 PM
to simple...@googlegroups.com
I have been getting the exception below which, through my web research, was a result of HTTP-POST binding not supported for AuthnRequest. 
Is there any way around this issue as our IDP only supports HTTP-POST for Single SignOn and LogOut? Thanks!


Exception during login:
-------------------------------------------------------------
Exception: saml20-idp-remote/'https://idp.example.com/UserAuthentication/v4.0'['SingleSignOnService']:Could not find a supported SingleSignOnService endpoint.
Backtrace:
8 /var/simplesamlphp/lib/SimpleSAML/Configuration.php:1005 (SimpleSAML_Configuration::getDefaultEndpoint)
7 /var/simplesamlphp/modules/saml/lib/Message.php:420 (sspmod_saml_Message::buildAuthnRequest)
6 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:187 (sspmod_saml_Auth_Source_SP::startSSO2)
5 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:301 (sspmod_saml_Auth_Source_SP::startSSO)
4 /var/simplesamlphp/modules/saml/lib/Auth/Source/SP.php:371 (sspmod_saml_Auth_Source_SP::authenticate)
3 /var/simplesamlphp/lib/SimpleSAML/Auth/Default.php:58 (SimpleSAML_Auth_Default::initLogin)
2 /var/simplesamlphp/lib/SimpleSAML/Auth/Simple.php:137 (SimpleSAML_Auth_Simple::login)
1 /var/simplesamlphp/modules/core/www/authenticate.php:45 (require)
0 /var/simplesamlphp/www/module.php:135 (N/A)


My saml20-idp-remote.php config:
------------------------------------------------------------
'SingleSignOnService' => array (
  0 => array (
    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
    'Location' => 'https://idp.example.com/S001v4.0/authenticate',
  ),
),



Tyler

Brenda Thompson

unread,
Aug 9, 2013, 11:41:32 AM8/9/13
to simple...@googlegroups.com

I made the change in SP.php to change the binding in startSSO2 based on this comment: https://groups.google.com/forum/?fromgroups#!topic/simplesamlphp/7sTsuoVsEA0 and I got the similar error you are seeing afterwards. I made this change in buildAuthnRequest. It seems to work.

· modules/saml/lib/Message.php - Common code for building a SAML2 message based on the available metadata. In buildAuthnRequest function it looks for an IdP endpoint based on an array of supported binding choices. The only choice was Redirect. I added POST as a choice to the array.

Others may know a more elegant way to do it.

Our IdPs support redirect on logout, so there may be more to do for SLO.


Jaime Pérez Crespo

Aug 9, 2013, 2:51:38 PM
to simple...@googlegroups.com
Hi,

HTTP-POST binding was not supported until revision r3257. If you want to be able to use it, you'll need to use the latest version from the trunk (which obviously is not the stable one).

Have a nice weekend,
--
Jaime Pérez
UNINETT / Feide

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
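
The failure in this thread comes down to endpoint selection by binding: the IdP metadata lists only an HTTP-POST SingleSignOnService, while the SP's list of acceptable bindings for the AuthnRequest contained only HTTP-Redirect. The sketch below is an added illustration, not SimpleSAMLphp's code and not written by any poster; `pick_endpoint` and the constant names are hypothetical, and the rule "an `isDefault` endpoint wins, otherwise the first match" is a simplifying assumption.

```php
<?php
// Added illustration: not SimpleSAMLphp code. All names here are hypothetical.

const BINDING_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';
const BINDING_POST     = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';

/**
 * Pick the endpoint an SP would send its AuthnRequest to.
 * Only endpoints whose Binding the SP supports are candidates; among those,
 * one flagged 'isDefault' => true wins, otherwise the first candidate is used.
 */
function pick_endpoint(array $endpoints, array $supportedBindings, string $type): array
{
    $first = null;
    foreach ($endpoints as $ep) {
        if (!isset($ep['Binding'], $ep['Location'])) {
            continue; // malformed metadata entry, ignore it
        }
        if (!in_array($ep['Binding'], $supportedBindings, true)) {
            continue; // a binding the SP cannot use for this message
        }
        if (($ep['isDefault'] ?? false) === true) {
            return $ep;
        }
        $first = $first ?? $ep;
    }
    if ($first === null) {
        throw new RuntimeException("Could not find a supported $type endpoint.");
    }
    return $first;
}

// Constructed sample: the SingleSignOnService list from the question (POST only).
$sso = [
    ['Binding' => BINDING_POST, 'Location' => 'https://idp.example.com/S001v4.0/authenticate'],
];

// Two SP capability lists: Redirect only, then Redirect plus POST.
foreach ([[BINDING_REDIRECT], [BINDING_REDIRECT, BINDING_POST]] as $supported) {
    try {
        $ep = pick_endpoint($sso, $supported, 'SingleSignOnService');
        echo "OK: {$ep['Binding']} -> {$ep['Location']}\n";
    } catch (RuntimeException $e) {
        echo 'FAIL: ' . $e->getMessage() . "\n";
    }
}
```

Running the same check over the SingleLogoutService entries in the metadata shows whether logout will hit the same mismatch before a user does.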

Brenda Thompson

Aug 9, 2013, 3:58:49 PM
to simple...@googlegroups.com

Much nicer than my hack.

I ported it over to my version (1.10)

Jaime Pérez Crespo

Aug 10, 2013, 7:47:32 AM
to simple...@googlegroups.com
Hi Brenda,

On Aug 9, 2013, at 21:58 PM, Brenda Thompson <brenda....@azukisystems.com> wrote:
> Much nicer than my hack.
> I ported it over to my version (1.10)

You should really be using the latest stable version (1.11 right now). I don't think it would be difficult to patch, if you want to have support for HTTP-POST and don't want to wait until the next stable release is out, but in any case you should update to get rid of bugs and other problems that you might face using 1.10.