Question

I am trying to generate the on the SP side using OpenSAML-java in SAML.

While in the process I noticed the limitations of URL length.

So is it mandatory to use any compression technique on the SAML message before I send it to TestIdP?

If we use any compression technique, how will the IdP know that the SP has used this compression technique, so that it can decompress the request message?

Is there any provision in the metadata for this?

Sample code is appreciated. Thank you.


Solution

As Wiki states:

SAML protocol messages are often carried directly in the URL query string of an HTTP GET request. Since the length of URLs is limited in practice, the HTTP Redirect binding is suitable for short messages, such as the message. Longer messages (e.g., those containing signed SAML assertions) should be transmitted via other bindings such as the HTTP POST Binding.

SAML requests or responses transmitted via HTTP Redirect have a SAMLRequest or SAMLResponse query string parameter, respectively. Before it’s sent, the message is deflated, base64-encoded, and URL-encoded, in that order. Upon receipt, the process is reversed to recover the original message.

The HTTP GET example is less than 600 characters long:

https://idp.example.org/SAML2/SSO/Redirect?SAMLRequest=fZFfa8IwFMXfBb9DyXvaJtZ1BqsURRC2Mabbw95ivc5Am3TJrXPffmmLY3%2FA15Pzuyf33On8XJXBCaxTRmeEhTEJQBdmr%2FRbRp63K3pL5rPhYOpkVdYib%2FCon%2BC9AYfDQRB4WDvRvWWksVoY6ZQTWlbgBBZik9%2FfCR7GorYGTWFK8pu6DknnwKL%2FWEetlxmR8sBHbHJDWZqOKGdsRJM0kfQAjCUJ43KX8s78ctnIz%2Blp5xpYa4dSo1fjOKGM03i8jSeCMzGevHa2%2FBK5MNo1FdgN2JMqPLmHc0b6WTmiVbsGoTf5qv66Zq2t60x0wXZ2RKydiCJXh3CWVV1CWJgqanfl0%2Bin8xutxYOvZL18NKUqPlvZR5el%2BVhYkAgZQdsA6fWVsZXE63W2itrTQ2cVaKV2CjSSqL1v9P%2FAXv4C

If you are using HTTP POST, the parameters of the Request go to the body. So no problem at all.

But you should really check whether the SAMLRequest message is not too long.

Security Note: Since with HTTP GET the whole Request and its parameters get logged in any http access log, you should really use POST.

OTHER TIPS

The SAML2 HTTP Redirect binding explicitly requires the data to be first deflated, then base64-encoded and finally URL-encoded. As it is required by the specification, the IdP will expect that a Saml2Request query string parameter is prepared in that way.

As far as I've understood, it is common to use the HTTP Redirect binding for sending the AuthnRequest to the IdP, while the response is always handled with HTTP POST since it will be too large for a query string.
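The deflate / base64 / URL-encode order described in both answers, worked through on both sides of the exchange. This is an added Python example, not code from the question or from OpenSAML; the AuthnRequest XML, the IdP URL and the 2000-character limit are constructed assumptions, and the IdP-side decoder bounds the inflated size so a small query parameter cannot expand into an arbitrarily large document.

```python
import base64
import urllib.parse
import zlib

# Constructed sample AuthnRequest for illustration only (not a real deployment's message).
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/acs">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.org</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_param(xml: str) -> str:
    """SP side: raw DEFLATE (RFC 1951, no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return urllib.parse.quote(b64, safe="")  # '+', '/', '=' become %2B %2F %3D


def decode_redirect_param(param: str, max_bytes: int = 1_000_000) -> str:
    """IdP side: reverse the steps. max_bytes caps the inflated size so a tiny
    parameter cannot decompress into an arbitrarily large document."""
    b64 = urllib.parse.unquote(param)
    deflated = base64.b64decode(b64, validate=True)  # reject non-base64 characters
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(deflated, max_bytes)
    if inflater.unconsumed_tail:  # input left over means the cap was hit
        raise ValueError("inflated SAML message exceeds size limit")
    return xml.decode("utf-8")


def build_redirect_url(idp_sso_url: str, xml: str, relay_state: str = "") -> str:
    """Assemble the HTTP-Redirect URL; RelayState, if given, is URL-encoded too."""
    query = "SAMLRequest=" + encode_redirect_param(xml)
    if relay_state:
        query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return f"{idp_sso_url}?{query}"


def fits_in_url(url: str, limit: int = 2000) -> bool:
    """Length check before choosing Redirect over POST; 2000 is an assumed
    conservative browser/proxy limit, not a value from the SAML specification."""
    return len(url) <= limit


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.org/SAML2/SSO/Redirect", SAMPLE_AUTHN_REQUEST)
    print(url, fits_in_url(url))
    print(decode_redirect_param(url.split("SAMLRequest=", 1)[1]) == SAMPLE_AUTHN_REQUEST)
```

A common interoperability mistake is using zlib or gzip framing instead of raw DEFLATE; the `-15` window argument on both sides is what matches the binding.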

Licensed under: CC-BY-SA with attribution