OpenAM / OPENAM-17841

SPSSO HTTP-POST in standalone mode doesn't generate expected AuthnRequest

    Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Not a defect
    • 6.5.3
    • None
    • SAML

      Description

      Bug description

      When using SAML standalone mode for SP-initiated SSO using HTTP-POST, AM does not generate the expected AuthnRequest and instead sends the SAMLRequest (and other data) as query parameters in the same way HTTP-REDIRECT binding does. Federation log shows AM is using the HTTP-POST binding and does in fact submit the assertion using HTTP-POST but the initial authentication request doesn't behave as expected.

      How to reproduce the issue

      1. Set up two AMs (SP and IDP)
      2. Make SPSSO call and specify HTTP-POST binding e.g. https://openam.example.com:8443/openam/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=https://idp.example.com:8445/openam&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

      Expected behaviour

      SAMLRequest and other data should be sent in the body of the request as it is when using the SAML module. If the AuthnRequest needs to be signed then the signature and signature algorithm etc. should be embedded in the AuthnRequest.

      Current behaviour

      The SAMLRequest is sent as a query parameter (and so is Signature and SigAlg if signing the request) in the same way it is when using HTTP-Redirect.

      Work around

      If AM is the SP, use the SAML module. Or use a different binding.
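
Added example (not part of the original report and not OpenAM code): a small Python check that classifies a captured AuthnRequest by how it was transported and where its signature sits, which is the difference between the expected and current behaviour described above. The endpoint path, the sample requests and the empty `ds:Signature` stub are constructed for illustration; the check looks only at placement and does not validate any signature.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHN = "{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}Signature"

def classify(method, url, body=""):
    """Return (transport, signature placement) for one captured request."""
    query, form = parse_qs(urlsplit(url).query), parse_qs(body)
    if method == "POST" and "SAMLRequest" in form:
        # HTTP-POST binding: the XML is base64-encoded only, in a form field.
        xml = base64.b64decode(form["SAMLRequest"][0])
        transport, detached = "HTTP-POST", False
    elif "SAMLRequest" in query:
        # HTTP-Redirect binding: raw DEFLATE, then base64, in the query string.
        xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15)
        transport = "HTTP-Redirect"
        detached = "Signature" in query and "SigAlg" in query
    else:
        raise ValueError("no SAMLRequest parameter found")
    # Diagnostic parse of your own captures; use a hardened XML parser
    # for untrusted input.
    root = ET.fromstring(xml)
    if root.tag != AUTHN:
        raise ValueError("SAMLRequest is not an AuthnRequest")
    if root.find(DSIG) is not None:
        return transport, "embedded"
    return transport, "detached" if detached else "unsigned"

def constructed_capture(binding, signed):
    """Build a constructed (method, url, body) sample; not real AM traffic."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
           ' ID="_constructed" Version="2.0">%s</samlp:AuthnRequest>'
           % (sig if signed and binding == "POST" else "")).encode()
    url = "https://idp.example.com:8445/openam/PLACEHOLDER-SSO-ENDPOINT"
    if binding == "POST":
        return "POST", url, urlencode({"SAMLRequest": base64.b64encode(xml)})
    deflater = zlib.compressobj(wbits=-15)
    params = {"SAMLRequest": base64.b64encode(deflater.compress(xml) + deflater.flush())}
    if signed:  # detached signature parameters, constructed values
        params.update(SigAlg="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                      Signature="Y29uc3RydWN0ZWQ=")
    return "GET", url + "?" + urlencode(params), ""

if __name__ == "__main__":
    for binding in ("Redirect", "POST"):
        print(binding, classify(*constructed_capture(binding, signed=True)))
```

A result of `("HTTP-Redirect", "detached")` corresponds to the current behaviour in this report, and `("HTTP-POST", "embedded")` to the expected one.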

            People

            Unassigned Unassigned
            aaron.haskins Aaron Haskins