vmeghani

Reputation: 85

MetadataGenerator of Spring Security SAML doesn't support redirect binding for Assertion consumer service

HTTP_Redirect binding is not supported for Assertion Consumer Service in MetadataGenerator.

When you check the source code of org.springframework.security.saml.metadata.MetadataGenerator.java, you find the following comment in the buildSPSSODescriptor method.

// Assertion consumer MUST NOT be used with HTTP Redirect, Profiles 424, same applies to HoK profile

Can anyone let me know why this is? We had an IdP asking for an ACS URL with redirect binding.

Upvotes: 1

Views: 1078

Answers (1)

As you can see in the comment, the SAML 2.0 standard explicitly prohibits the use of HTTP-Redirect for delivery of SAML assertions. Spring SAML follows this.

Profile 424 refers to this document: http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf

Your IDP may not be fully aware of the standard's requirements.

Upvotes: 3
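
A metadata check for the rule discussed in this answer, as an added example that is not part of the original post or of Spring Security SAML: it parses SP metadata and reports any AssertionConsumerService endpoint that advertises the HTTP-Redirect binding. The metadata, entity ID and URLs are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (entity ID and URLs are placeholders).
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/SingleLogout"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/SSO"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def list_acs_endpoints(metadata_xml):
    """Return (entityID, index, binding, location) for every ACS endpoint."""
    # For metadata from an untrusted source, use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(metadata_xml)
    found = []
    # iter() includes the root, so this handles both a single EntityDescriptor
    # and an EntitiesDescriptor wrapper around several of them.
    for entity in root.iter(MD + "EntityDescriptor"):
        for sp in entity.iter(MD + "SPSSODescriptor"):
            for acs in sp.findall(MD + "AssertionConsumerService"):
                found.append((entity.get("entityID"), acs.get("index"),
                              acs.get("Binding"), acs.get("Location")))
    return found


def redirect_acs_violations(metadata_xml):
    """ACS endpoints that advertise HTTP-Redirect, contrary to the rule quoted above."""
    return [e for e in list_acs_endpoints(metadata_xml) if e[2] == HTTP_REDIRECT]


if __name__ == "__main__":
    for entity_id, index, _binding, location in redirect_acs_violations(SAMPLE_METADATA):
        print(f"{entity_id}: ACS index {index} at {location} uses HTTP-Redirect")
```

The SingleLogoutService endpoint in the sample uses the same binding and is not reported, since the rule quoted in the question concerns the assertion consumer service.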
