AuthnRequest body via POST #264

Closed
dog5tar opened this issue Oct 27, 2017 · 8 comments

Comments

@dog5tar

dog5tar commented Oct 27, 2017

Hi all,

After a short code review (lib/Saml2/AuthnRequest.php & lib/Saml2/Auth.php), it looks like php-saml does not support HTTP-POST for the request being sent from the SP to the IdP when SSO is initialised.

Is that correct, or am I missing something?

If HTTP-POST is not supported for initial request:

  • shouldn't we be worrying that IdP might respond with "Error 413: Request Entity too large"?
  • what about infosec implications sending request via GET?

A bit more insight is much appreciated!

@pitbulk
Contributor

pitbulk commented Oct 27, 2017

HTTP-POST is not supported for AuthNRequest, LogoutRequest and LogoutResponse.

shouldn't we be worrying that IdP might respond with "Error 413: Request Entity too large"?
I don't think so; you can always deflate the SAML message, which will reduce the length.
Also keep in mind that only the SSO SAMLResponse contains the SAML Assertion, which is the element that can be very big.

If you review the XML templates of AuthNRequest, LogoutRequest and LogoutResponse you will see that their length is small.

what about infosec implications sending request via GET?

The data of those SAML messages is public (except the NameId that you can always encrypt).

That said, if you review Conformance Requirements for the OASIS Security Assertion Markup Language (SAML) V2.0 Page 9, you will see that all IdPs MUST support the HTTP-Redirect binding, so you should not experience any issue with IdPs that follow the SAML standard rules.

@dog5tar
Author

dog5tar commented Oct 27, 2017

Thanks @pitbulk for the insights, much appreciated!

Is it safe to assume that all other requests except AuthNRequest, LogoutRequest and LogoutResponse are HTTP-POST bindings?

@pitbulk
Contributor

pitbulk commented Oct 27, 2017

The SP ACS URL uses HTTP-POST; every other SAML exchange is expected to be HTTP-Redirect.

@FrittenKeeZ

@pitbulk how big a task would it be to support HTTP-POST?
We're facing a requirement that we must also support HTTP-POST bindings for logout, so we will help sponsor this feature - I just don't quite know where to begin.

@pitbulk
Contributor

pitbulk commented Sep 19, 2019

@FrittenKeeZ there is no interest in supporting that because it would increase the complexity of the toolkit (code and settings), and the main goal of the toolkit is to keep it simple.

If you require it in a project, you can use simpleSAMLphp, which supports any binding.

The task is big:

  • Support sending the HTTP-POST binding for AuthNRequest, LogoutRequest and LogoutResponse, including the signing process.
  • Support receiving the HTTP-POST binding for LogoutRequest and LogoutResponse, including validating the signature.
  • Extend the toolkit to support the different bindings: settings, metadata, flows.

@FrittenKeeZ

FrittenKeeZ commented Oct 10, 2019

@pitbulk it was all a matter of using the correct settings to get it working, so no need to implement HTTP-POST bindings anyway.

@dsantuc

dsantuc commented May 13, 2020

@pitbulk I'm implementing a SAML SP SSO integration for the first time and was also wondering if the IdP could require me to submit the AuthNRequest using the HTTP-POST binding, so it's good to know that the spec requires IdPs to support the redirect binding for this request.

That said, it seems from reviewing the code, that you could do it if necessary by doing something like this:

```php
<?php
use \OneLogin\Saml2\AuthnRequest;
use \OneLogin\Saml2\Settings;

// Load the toolkit settings (settings.php) and pick the IdP's SSO endpoint.
$settings = new Settings();
$idpSettings = $settings->getIdPData();
$endpoint = $idpSettings['singleSignOnService']['url'];

// HTTP-POST binding: the AuthnRequest XML is only base64-encoded (no DEFLATE,
// unlike the HTTP-Redirect binding) and carried in a hidden SAMLRequest field.
$request = new AuthnRequest($settings);
$payload = base64_encode($request->getXML());
$redirect = "/dashboard";
?>

<html>
<body onload="document.forms[0].submit()">
<!-- Attribute values are escaped so they cannot break out of the attribute context. -->
<form action="<?php echo htmlspecialchars($endpoint, ENT_QUOTES, 'UTF-8'); ?>" method="POST">
<input type="hidden" name="SAMLRequest" value="<?php echo htmlspecialchars($payload, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="hidden" name="RelayState" value="<?php echo htmlspecialchars($redirect, ENT_QUOTES, 'UTF-8'); ?>" />

<!-- maybe other parameters for the signature, if required? -->

<input type="submit" value="Log me in!" />
</form>
</body>
</html>
```

(This is assuming the IdP doesn't require a signed request.)

Would that work?

@pitbulk
Contributor

pitbulk commented May 14, 2020

That will work if the IdP does not require signed AuthNRequests.

Also check: #422
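The two bindings this thread contrasts, side by side, as an added example in Python (not php-saml code and not from anyone in the thread): the POST binding's base64-only payload that the form above sends, the DEFLATE step of the Redirect binding that keeps the query parameter short, and where each binding's signature goes (inside the XML for POST, as separate query parameters for Redirect). The AuthnRequest XML, its ID and all URLs are constructed placeholders.

```python
import base64
import html
import zlib
from urllib.parse import urlencode

# Constructed, minimal AuthnRequest with placeholder ID and URLs (not php-saml output).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" '
    'Version="2.0" IssueInstant="2017-10-27T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs">'
    '<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def encode_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML in a hidden SAMLRequest field.
    A signature, where the IdP requires one, is a ds:Signature inside the XML,
    not an extra form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

def decode_post(field: str) -> str:
    return base64.b64decode(field).decode("utf-8")

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; this is
    the deflate step that keeps the query parameter short."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw deflate
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")

def decode_redirect(param: str) -> str:
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")

def redirect_signed_string(xml: str, relay_state: str, sig_alg: str = RSA_SHA256) -> str:
    """The exact string the Redirect binding signs: SAMLRequest, RelayState and
    SigAlg, URL-encoded, in this order. The SP's RSA signature over it travels as
    a separate 'Signature' query parameter (key handling is outside this example)."""
    return urlencode([("SAMLRequest", encode_redirect(xml)),
                      ("RelayState", relay_state), ("SigAlg", sig_alg)])

def post_form(endpoint: str, xml: str, relay_state: str) -> str:
    """Hidden-field form for the POST binding; attribute values are HTML-escaped so
    an endpoint or RelayState value cannot break out of the attribute context."""
    e = lambda s: html.escape(s, quote=True)
    return (f'<form action="{e(endpoint)}" method="POST">'
            f'<input type="hidden" name="SAMLRequest" value="{e(encode_post(xml))}"/>'
            f'<input type="hidden" name="RelayState" value="{e(relay_state)}"/></form>')
```

Decoding a received SAMLRequest with the wrong binding's decoder fails immediately, which is a quick way to tell which binding a peer actually used.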

@pitbulk pitbulk closed this as completed Dec 29, 2022