Can't get request to use HTTP-POST Binding

Created on 22 February 2017, almost 8 years ago
Updated 2 May 2023, over 1 year ago

I am trying to create SSO with an IDP which only supports HTTP-POST Binding. Based on the request structure I see here https://www.samltool.com/generic_sso_req.php, the requests are not posting as HTTP-POST Binding, as I don't see the SignedInfo or certificate data in the request (when I walk through the module code with a debugger).

I have already set the 'Name ID Format' to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and have checked off all the sections in the Security section. What else am I missing?

Below is a sample request (urls changed) of what I have currently:

<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ONELOGIN_1d3998bf5646997340f22b5fa1e229b6a605a5f6"
    Version="2.0"
    IssueInstant="2017-02-21T22:36:55Z"
    Destination="https://example.org/SAML/SSOService.aspx"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://spexample.com/saml/acs">
    <saml:Issuer>http://spexample.com/saml/metadata</saml:Issuer>
    <samlp:NameIDPolicy
        Format="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        AllowCreate="true" />
    <samlp:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
💬 Support request
Status: Needs review
Version: 1.3
Component: User interface
Created by: 🇺🇸 United States jdesrig


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷 France DeFr

    I also need to deal with an IdP that only supports POST requests, so I've been trying out this patch, which seems to work.

    This IdP requires the login requests to be signed too, so I was also very interested in the

    $add_cert = $add_cert === 'FAKE' && !empty($library_config['httpPostBinding']) ? TRUE : $add_cert;
    

    hunk; can't figure out though how you can end up with $library_config['httpPostBinding'] being set as is though, I guess you have another custom patch to set it? That's what I did, and with all that, the communication with the IdP seems to work fine.

  • 🇨🇭 Switzerland wengerk Lausanne

    Here is the rerolled patch for release 8.x-3.10.
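
Added example (not part of the original posts or of the module's code): a Python check for the properties of an AuthnRequest discussed in this thread, namely how each binding encodes the SAMLRequest parameter, whether the XML carries an enveloped ds:Signature with SignedInfo (where HTTP-POST puts the signature, whereas HTTP-Redirect signs through the SigAlg and Signature query parameters), and whether NameIDPolicy Format holds a binding URI. The function names are hypothetical and the sample is trimmed from the request in the original post.

```python
import base64
import zlib
import xml.etree.ElementTree as ET  # use defusedxml for XML you do not control

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

def encode_for_binding(xml_bytes, redirect=False):
    """Encode XML the way each binding places it in the SAMLRequest parameter."""
    if redirect:
        xml_bytes = zlib.compress(xml_bytes)[2:-4]  # raw DEFLATE: drop header/checksum
    return base64.b64encode(xml_bytes)

def decode_saml_request(value):
    """Decode a SAMLRequest parameter; return (wire encoding, XML bytes)."""
    raw = base64.b64decode(value)
    if raw.lstrip().startswith(b"<"):  # heuristic: plain XML means POST binding
        return "base64 (HTTP-POST)", raw
    return "deflate+base64 (HTTP-Redirect)", zlib.decompress(raw, -15)

def inspect_authn_request(xml_bytes):
    """Report presence of a signature and how the binding URIs are used."""
    root = ET.fromstring(xml_bytes)
    policy = root.find("samlp:NameIDPolicy", NS)
    fmt = policy.get("Format", "") if policy is not None else ""
    return {
        # Presence only; this does not validate the signature.
        "has_signed_info": root.find("ds:Signature/ds:SignedInfo", NS) is not None,
        # ProtocolBinding names the binding the IdP should use for the Response.
        "response_binding": root.get("ProtocolBinding"),
        # NameIDPolicy/@Format expects a name identifier format URI.
        "nameid_format_is_binding_uri": fmt.startswith(BINDING_PREFIX),
    }

# Constructed sample, trimmed from the request in the original post.
SAMPLE = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' ID="ONELOGIN_1d3998bf5646997340f22b5fa1e229b6a605a5f6" Version="2.0"'
    b' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    b'<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
    b"</samlp:AuthnRequest>"
)

if __name__ == "__main__":
    for redirect in (False, True):
        encoding, xml = decode_saml_request(encode_for_binding(SAMPLE, redirect))
        print(encoding, inspect_authn_request(xml))
```
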
