Reputation: 1644
Configure POST ProtocolBinding in Spring Security SAML authentication request
Spring Security SAML insists on requesting the Artifact binding in the SAML authentication request (ProtocolBinding attribute):
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL = "http://sp.com/saml/SSO/alias/defaultAlias"
Destination = "https://idp.com/idp"
ForceAuthn = "false"
ID = "a4acj06d42fdc0d3494h859g3f7005c"
IsPassive = "false"
IssueInstant = "2012-12-05T17:07:18.271Z"
ProtocolBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Version = "2.0"
>
How can I configure POST binding instead? Thanks for any answers!
-- Andreas
Upvotes: 5
Views: 5475
Answers (3)
Reputation: 7295
In the securityContext.xml sp-initiated binding can be set. Example below used HTTP-POST
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
<property name="binding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</bean>
Values of bindings can be found in org.opensaml.common.xml.SAMLConstants class.
Upvotes: 2
Reputation: 381
For anyone wanting to do it in Java rather than XML:
@Bean
public WebSSOProfileOptions profileOptions() {
WebSSOProfileOptions profileOptions = new WebSSOProfileOptions();
profileOptions.setIncludeScoping(false);
profileOptions.setBinding(SAMLConstants.SAML2_POST_BINDING_URI);
return profileOptions;
}
and:
@Bean
public MetadataGeneratorFilter metadataGeneratorFilter() {
return new MetadataGeneratorFilter(metadataGenerator());
}
public MetadataGenerator metadataGenerator() {
MetadataGenerator metadataGenerator = new MetadataGenerator();
metadataGenerator.setAssertionConsumerIndex(1);
// ...
return metadataGenerator;
}
Upvotes: 0
Reputation: 369
Thanks nobby and Sanjeev, I've recently applied this to a similar case and it put me on the right track.
Being very new to the Spring Security SAML2 extension, I had to do a little extra digging around to get the WebSSOProfileOptions applied. Essentially to get an HTTP-POST binding on the SAML authentication request you need the profile options passed to the org.springframework.security.saml.websso.WebSSOProfileImpl#sendAuthenticationRequest() method.
For our config, which is very similar to the config in the Spring RC2 sample project, this meant passing the WebSSOProfileOptions bean as described in Sanjeev's solution to the samlEntryPoint.defaultProfileOptions property (or adding a binding property there).
Trouble is, this did not result in the AuthnRequest picking up the binding property as set. In our case our SAML metadata was specifying isDefault=true on the HTTP-Artifact bound AssertionConsumerService. And in our RC2 version of the Spring Security SAML2 library this is the default behaviour of the org.springframework.security.saml.metadata.MetadataGenerator.
This can be overridden by setting the assertionConsumerIndex property of the MetadataGenerator. The HTTP Post assertion consumer gets configured at index 1 in our case.
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="assertionConsumerIndex" value="1" /><!-- 1=HTTP-POST -->
</bean>
</constructor-arg>
</bean>
Upvotes: 7
Related Questions
- SAML Http Request Intercept with Spring Boot
- How to send the request parameter in SAML like SAMLRequest
- Spring SAML: SAML message intended destination endpoint did not match recipient endpoint
- HTTP Status 401 - Authentication Failed: Error decoding incoming SAML message
- Spring Security SAML - HTTPS connections
- Spring Security SAML - how to configure client auth?
- Add request parameter to SAML request using Spring Security SAML
- how to get SAMLResponse from request
- SPRING SAML Authentication not working
- Spring Security SAML HTTP Post error with OpenAM