The following is an excerpt from the SAML2 standard about message exchange using the HTTP Redirect binding:
3.4.4 Message Encoding
Messages are encoded for use with this binding using a URL encoding technique, and transmitted using the HTTP GET method.
Still, OpenAM accepts POST requests on the service URL for the HTTP Redirect binding. The request binding is then deduced from the employed HTTP method (e.g. idpSSOFederate.jsp:81-83), and the request is handled accordingly.
This leads to subsequent problems. For instance, destination verification fails because the destination is deduced from the request binding (see UtilProxySAMLAuthenticator.java:194-200, String ssoURL).
Reject requests to the SSO service URL for the HTTP Redirect binding that use any method other than GET, with error 405 Method Not Allowed.
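One way to enforce the proposed rejection in front of the endpoint, as an added example that is not OpenAM code: a servlet filter that answers anything other than GET with 405 before the JSP can deduce a binding from the method. The class name and the URL pattern it is mapped to in web.xml are assumptions; map it only onto the HTTP Redirect SSO service URL of the deployment.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of OpenAM). Map it in web.xml onto the
 * URL pattern of the HTTP Redirect SSO service only, so that the
 * HTTP POST binding endpoint keeps accepting POST.
 */
public class RedirectBindingMethodFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // No configuration needed: the URL mapping selects the endpoint.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            throw new ServletException("HTTP request expected");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // SAML2 Bindings 3.4.4: Redirect-binding messages are transmitted
        // with GET. HTTP method names are case-sensitive, so compare exactly.
        if (!"GET".equals(request.getMethod())) {
            // A 405 response must tell the client which methods are allowed.
            response.setHeader("Allow", "GET");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                    "HTTP Redirect binding accepts GET only");
            return; // never reaches the binding-deduction logic
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```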