Request string not stored in SAML HTTP redirect binding

We use Spring SAML Security Extension to implement SAML in our application. Now we have the following task:

One of our customers provides the URL of their identity provider, which contains a parameter. The metadata looks like this (abbreviated):

<EntityDescriptor>
  <IDPSSODescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/login?parameter=value"/>
  </IDPSSODescriptor>
</EntityDescriptor>

As you can see, there is a parameter called "parameter" with the value "value". This parameter is not in the generated redirect URL. I debugged a bit and found that SAMLProcessorImpl gets the MessageEncoder from the binding (which is HTTPRedirectDeflateEncoder for HTTP redirects) and delegates encoding the message to it. The encoder, in turn, does the following in its method buildRedirectURL:

// endpointURL is https://idp.example.com/login?parameter=value here
URLBuilder urlBuilder = new URLBuilder(endpointURL);

List<Pair<String, String>> queryParams = urlBuilder.getQueryParams();
queryParams.clear(); // whoops

- .

?

+4
2

SAML , . SAMLAuthnRequest, HTTP-Redirect, , , , IDP - .

SAML , relayState, - WebSSOProfileOptions Spring SAML.

, ( , , OpenSAML, ), , , , , .

+1

, HTTPRedirectDeflateEncoder, buildRedirectURL queryParams.clear(). URL- , SAML (, SigAlg ..), . Spring .

, .

0
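An added example, not code from the original posts or from OpenSAML or Spring SAML: a JDK-only sketch of building the HTTP-Redirect URL while keeping the endpoint's own query parameters and refusing any that collide with the binding's reserved names. The class and method names are hypothetical and the AuthnRequest is a constructed sample.

```java
import java.io.ByteArrayOutputStream;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;

public class RedirectUrlSketch {
    // Parameter names the HTTP-Redirect binding reserves; an endpoint URL must not pre-set them.
    static final Set<String> RESERVED =
            Set.of("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg", "Signature");

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Raw DEFLATE (no zlib header) followed by Base64, as the binding's DEFLATE encoding requires.
    static String deflateBase64(String xml) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        Deflater raw = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try (DeflaterOutputStream d = new DeflaterOutputStream(out, raw)) {
            d.write(xml.getBytes(StandardCharsets.UTF_8));
        }
        return Base64.getEncoder().encodeToString(out.toByteArray());
    }

    static String buildRedirectUrl(String endpointUrl, String xml, String relayState) throws Exception {
        String[] split = endpointUrl.split("\\?", 2);
        List<String> parts = new ArrayList<>();
        // Keep the endpoint's existing parameters instead of clearing them, minus reserved names.
        for (String kv : (split.length > 1 ? split[1] : "").split("&")) {
            if (kv.isEmpty()) continue;
            String name = URLDecoder.decode(kv.split("=", 2)[0], StandardCharsets.UTF_8);
            if (!RESERVED.contains(name)) parts.add(kv);
        }
        // The SAML parameters go last. When the request is signed, the signature covers only
        // SAMLRequest, RelayState and SigAlg, so preserved endpoint parameters are unsigned.
        parts.add("SAMLRequest=" + enc(deflateBase64(xml)));
        if (relayState != null) parts.add("RelayState=" + enc(relayState));
        return split[0] + "?" + String.join("&", parts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request; the endpoint is the one from the metadata in the question.
        String xml = "<samlp:AuthnRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_constructed\" Version=\"2.0\"/>";
        String ep = "https://idp.example.com/login?parameter=value";
        System.out.println(buildRedirectUrl(ep, xml, "constructed-state"));
        // A reserved name placed in the endpoint URL is dropped rather than forwarded.
        System.out.println(buildRedirectUrl(ep + "&RelayState=from-metadata", xml, null));
    }
}
```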
