Hello,
I am using ForgeRock AM as the Identity Provider with an ASP.NET Webforms application as the Service Provider. I am doing an SP initiated SSO.
The webform application (SP) and IDP are running on HTTP. I have specified the AssertionConsumerServiceUrl in saml.config as HTTP. However, when initiating the SSO, the SAML request has the AssertionConsumerServiceUrl as HTTPS. Do you know why it is being switched to HTTPS even though the SAML.config is has the AssertionConsumerServiceUrl set as HTTP? Please note that it uses HTTP when doing an IDP initiated SSO, which works fine.
<samlp:AuthnRequest ID=“_d5b6b743-40fc-42ef-9ba8-1c7219d62356” Version=“2.0” IssueInstant=“2022-03-01T21:01:40.138Z” Destination=“<a href=“http://openam.example.com:8080/openam/SSORedirect/metaAlias/idp” “=””><a href=“http://openam.example.com:8080/openam/SSORedirect/metaAlias/idp”“>http://openam.example.com:8080/openam/SSORedirect/metaAlias/idp” ForceAuthn=“false” IsPassive=“false” ProtocolBinding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” AssertionConsumerServiceURL=“https://openam.example.com/Niad/SAML/AssertionConsumerService.aspx” xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol”><saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”><a href="http://NiadServiceProvider</saml:Issuer>samlp:NameIDPolicy"http://NiadServiceProvider</saml:Issuer><samlp:NameIDPolicy Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified” AllowCreate=“true” /></samlp:AuthnRequest>, relayState=
See attached SAML Trace.
In earlier releases we forced the switch to HTTPS.
HTTPS is required as the SAML_SessionID cookie we use in support of the SAML protocol must be set as Secure and SameSite=None.
HTTP happens to work for IdP-initiated SSO as no previous state information (ie the SAML_SessionID cookie) is required.
It’s strongly recommended you use HTTPS in all environments including production, test and development.