
Our current SAML setup has been working just fine with the more or less default setup provided by the library SimpleSAMLPHP. However, one new IDP specifically needs to bind to the SP via a POST binding.

It seems like SimpleSAMLPHP will always redirect to the IDP using a GET request, as can be clearly seen here for example:

(screenshot: SimpleSAMLPHP Challenge via GET)

There also seems to be no distinct configuration setting which controls this.

We have tried to play with the NameID Policy settings with no success. The SP lists the following NameID Policy in their metadata:

urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Our own NameID Policy is as follows:

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

Any tip here will really be highly appreciated.

clops

1 Answer


You want the IdP's metadata to have a urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST binding for SingleSignOnService and have that binding be listed first in the list of SingleSignOnService options supported. This is often in the file metadata/saml20-idp-remote.php. This is different from NameId and from the AssertionConsumerService SP bindings with the same binding name. Your SP will pick the first SingleSignOnService option listed for the IdP in the IdP's metadata.

$metadata['https://some.idp.co'] = array (
    'entityid' => 'https://some.idp.co',
    'metadata-set' => 'saml20-idp-remote',
    // The SP takes the first SingleSignOnService entry, so HTTP-POST must come first.
    'SingleSignOnService' =>
        array (
            0 =>
                array (
                    'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                    'Location' => 'https://some.idp.co/idp/profile/SAML2/POST/SSO',
                ),
            1 =>
                array (
                    // other bindings (e.g. HTTP-Redirect) follow here
                ),
        ),
    // remaining IdP metadata (certificates, SingleLogoutService, etc.) goes here
);
Patrick
  • Binding is already there; do we need to configure anything else to enable HTTP-POST? Right now simplesamlphp automatically detects HTTP-Redirect with GET method in my case – Gopal Joshi Nov 28 '18 at 05:34
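The answer's point is that the order of SingleSignOnService entries in the IdP's metadata decides which binding the SP uses. The following script, added here as an illustration and not part of the answer or of SimpleSAMLphp, parses standard SAML 2.0 IdP metadata XML, reports the endpoints in published order, reorders them so HTTP-POST comes first, and renders the result in the shape of a saml20-idp-remote.php entry. The embedded metadata is a constructed sample (entity ID https://idp.example.test/idp, not a real IdP) in which HTTP-Redirect is listed before HTTP-POST, the ordering that produces the GET redirect the question describes.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (hypothetical entity, not a real IdP).
# HTTP-Redirect is listed first, so an SP that takes the first entry sends a GET.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_id(metadata_xml):
    """Return the entityID attribute of the EntityDescriptor root element."""
    return ET.fromstring(metadata_xml).get("entityID")


def sso_endpoints(metadata_xml):
    """Return SingleSignOnService endpoints as (binding, location) in document order.

    Only SingleSignOnService is read: AssertionConsumerService (an SP element) and
    NameIDFormat are unrelated to which binding the SP uses to reach the IdP.
    """
    root = ET.fromstring(metadata_xml)
    return [
        (el.get("Binding"), el.get("Location"))
        for el in root.iter(f"{{{MD_NS}}}SingleSignOnService")
    ]


def check_post_first(metadata_xml):
    """True when the first-listed endpoint, the one the SP will pick, is HTTP-POST."""
    eps = sso_endpoints(metadata_xml)
    return bool(eps) and eps[0][0] == HTTP_POST


def prefer_binding(endpoints, binding):
    """Move endpoints with the given binding to the front, keeping relative order."""
    preferred = [e for e in endpoints if e[0] == binding]
    rest = [e for e in endpoints if e[0] != binding]
    return preferred + rest


def to_simplesamlphp_array(entity, endpoints):
    """Render the endpoint list as a saml20-idp-remote.php style PHP array."""
    lines = [
        f"$metadata['{entity}'] = array (",
        f"    'entityid' => '{entity}',",
        "    'metadata-set' => 'saml20-idp-remote',",
        "    'SingleSignOnService' => array (",
    ]
    for binding, location in endpoints:
        lines.append("        array (")
        lines.append(f"            'Binding' => '{binding}',")
        lines.append(f"            'Location' => '{location}',")
        lines.append("        ),")
    lines.append("    ),")
    lines.append(");")
    return "\n".join(lines)


if __name__ == "__main__":
    eps = sso_endpoints(SAMPLE_IDP_METADATA)
    for binding, location in eps:
        print(binding, "->", location)
    print("HTTP-POST listed first:", check_post_first(SAMPLE_IDP_METADATA))
    print(to_simplesamlphp_array(entity_id(SAMPLE_IDP_METADATA),
                                 prefer_binding(eps, HTTP_POST)))
```

Run it against the metadata the IdP actually publishes before editing saml20-idp-remote.php: if check_post_first reports False, the SP is picking HTTP-Redirect because that entry comes first, and the rendered array shows the reordered entry to paste in.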