I’ve been using the product for a while now in my IDP with supporting HTTP-REDIRECT. Just recently I’ve had two new SP connection requests from companies that only support HTTP-POST. I see how to do this as a service provider, but how can I support it being the IDP using ComponentSpace?
Edit: It looks like there’s a SAMLIdentifiers.BindingURIs.HTTPRedirect and HTTPPost. But what if I need to support both?
The best option is to use the configuration based SAML high-level API as this automatically handles both bindings.
If you’re using the SAML low-level API, your SSO service endpoint should first check whether the HTTP request is a Get or Post.
If it’s a Get then process it as you currently do (eg HTTPRedirectBinding.ReceiveRequest).
If it’s a Post then call HTTPPostBinding.ReceiveRequest.
[quote][/quote]
The best option is to use the configuration based SAML high-level API
I am using the high level API... So you're saying it should be working then? This company is stating that since I don't have "HTTP-POST" in my IDP metadata that it's causing it to break... I'm still waiting for credentials to try it out myself. But it's making me think something is wrong with two HTTP-POST SPs that are getting set up right now are claiming issues.
Yes. When you call SAMLIdentityProvider.ReceiveSSO it will receive the SAML authn request using either the HTTP-Redirect or HTTP-Post binding.
You don’t have to do anything to make this happen.
You might have to update your SAML metadata to specify both bindings for your single sign-on service as it sound like this might be causing issues for these SPs.
For example:
<md:SingleSignOnService Binding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” Location=“”>https://localhost:44313/SAML/SingleSignOnService"/>
<md:SingleSignOnService Binding=“urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST” Location=“”>https://localhost:44313/SAML/SingleSignOnService"/>
[quote][/quote]
Yes. When you call SAMLIdentityProvider.ReceiveSSO it will receive the SAML authn request using either the HTTP-Redirect or HTTP-Post binding.
You don't have to do anything to make this happen.
You might have to update your SAML metadata to specify both bindings for your single sign-on service as it sound like this might be causing issues for these SPs.
For example:
"="">">https://localhost:44313/SAML/SingleSignOnService"/>
"="">">https://localhost:44313/SAML/SingleSignOnService"/>
You don't have to do anything to make this happen.
You might have to update your SAML metadata to specify both bindings for your single sign-on service as it sound like this might be causing issues for these SPs.
For example:
"="">">https://localhost:44313/SAML/SingleSignOnService"/>
"="">">https://localhost:44313/SAML/SingleSignOnService"/>
Ok, that makes sense. Thanks! I'll try that.
One last question, I'm programmatically adding in this information would this be appropriate to do?
EndpointType singleSignOnService = null;
try
{
singleSignOnService = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPRedirect, GetConfig.getString("LocalSSOProviderName") + "/SSO/SSOService", null);
}
catch (Exception)
{
throw new Exception("CIED Unable to create SSO REDIRECT service to endpoint.");
}
try
{
singleSignOnService = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPPost, GetConfig.getString("LocalSSOProviderName") + "/SSO/SSOService", null);
}
catch (Exception)
{
throw new Exception("CIED Unable to create SSO POST service to endpoint.");
}
try
{
singleSignOnService = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPRedirect, GetConfig.getString("LocalSSOProviderName") + "/SSO/SSOService", null);
}
catch (Exception)
{
throw new Exception("CIED Unable to create SSO REDIRECT service to endpoint.");
}
try
{
singleSignOnService = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPPost, GetConfig.getString("LocalSSOProviderName") + "/SSO/SSOService", null);
}
catch (Exception)
{
throw new Exception("CIED Unable to create SSO POST service to endpoint.");
}
Yes, although presumably you want to add both bindings (HTTP-Redirect and HTTP-Post) for this endpoint.
[quote]
[/quote]
Would the above code add in both or do I need to do something different?
I’m not sure what the rest of the code does but your code looks like it’s creating one singleSignOnService EndPointType.
Wouldn’t you want to create two?
EndpointType singleSignOnServiceRedirect = null;
EndpointType singleSignOnServicePost = null;
try
{
singleSignOnServiceRedirect = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPRedirect, GetConfig.getString(“LocalSSOProviderName”) + “/SSO/SSOService”, null);
}
catch (Exception)
{
throw new Exception(“CIED Unable to create SSO REDIRECT service to endpoint.”);
}
try
{
singleSignOnServicePost = new EndpointType(SAMLIdentifiers.BindingURIs.HTTPPost, GetConfig.getString(“LocalSSOProviderName”) + “/SSO/SSOService”, null);
}
catch (Exception)
{
throw new Exception(“CIED Unable to create SSO POST service to endpoint.”);
}
// Add the two endpoints to the metadata - not shown