Sending response by HTTP Redirect Binding

I have an IdP that I have created using your component. Initially I had hard coded the entire workflow (either IdP or SP initiated) to use the HTTP POST binding and everything works fine.
I now have to support the HTTP request binding and am struggling to understand the Oasis specification document, and the componentspace example code never seems to send the response back to the SP with anything other than POST or artifact binding (even if the original AuthNRequest is received via redirection).

I need to understand why this doesn’t exist in your example code, and if the componentspace assemblies can assist me in making a well-formatted response using HTTP redirection?

Thanks,
N

Hi Neil
We support all the SAML bindings including HTTP-Redirect.
However, the SAML specification doesn’t support all SAML message types being sent using all SAML bindings.
The SAML authn request sent by a SP may be sent using HTTP-Redirect.
The SAML response sent by an IdP cannot be sent using HTTP-Redirect.
The reason for this is that SAML responses are generally larger than authn requests and the subsequent HTTP-Redirect query string parameter may be too long for some browsers.
Just to reiterate, this is a restriction imposed by the SAML specification.


Hi,

Thanks for the quick response.
Could you point me to the specification where it states that the response can not be sent with HTTP redirect?

I’m looking at https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf (specifically the section 3.4.5 Message Exchange) and the sequence diagram shows (in step 4) the responder returning a SAML response to the requester via an HTTP redirect.

The URL length restriction is something I was immediately concerned about, so it makes logical sense that redirection could fail with a large assertion response.
Thanks

Section 3.4.5 of the bindings specification may be referring to SAML responses in a more general sense (e.g. a SAML logout response).
If you take a look at Table 1 in section 2 of https://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf you’ll see that a SAML response, as part of the Web SSO profile, can be sent using HTTP-Post or HTTP-Artifact.
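The two answers above (the URL-length argument against sending a SAML Response over HTTP-Redirect, and the conformance table allowing HTTP-POST or HTTP-Artifact for Web SSO responses) can be made concrete with a small encoder for both bindings. The following is an added example, not ComponentSpace code and not from the thread: it applies the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encode into the SAMLRequest/SAMLResponse query parameter) and the HTTP-POST encoding (plain base64 in a hidden form field) to constructed, unsigned sample messages, and compares the resulting redirect URL length against an assumed browser budget. The endpoints, message contents and the 2048-character budget are all assumptions for illustration; signatures (the SigAlg/Signature query parameters for Redirect, XML signatures for POST) are omitted, and a real signed response is even larger than the one built here.

```python
import base64
import hashlib
import zlib
from html import escape
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed URL budget for the demonstration only; real browser and server limits vary.
URL_LENGTH_BUDGET = 2048

# Constructed sample AuthnRequest (not any real SP's message, unsigned).
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req-1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
)


def build_response(n_attributes):
    """Constructed SAML Response carrying one assertion with n attributes (unsigned).

    Attribute values are SHA-256 hex digests so they do not compress away, which
    roughly mimics the incompressible signature and certificate bytes of a real response.
    """
    attrs = "".join(
        f'<saml:Attribute Name="attr{i}"><saml:AttributeValue>'
        f"{hashlib.sha256(str(i).encode()).hexdigest()}"
        "</saml:AttributeValue></saml:Attribute>"
        for i in range(n_attributes)
    )
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1" '
        'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_req-1">'
        '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.com</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>"
    )


def redirect_encode(xml, param, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as a query parameter."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    compressed = deflater.compress(xml.encode()) + deflater.flush()
    params = {param: base64.b64encode(compressed).decode()}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urlencode(params)


def redirect_decode(query_string, param):
    """Reverse of redirect_encode: URL-decode, base64-decode, inflate back to XML."""
    value = parse_qs(query_string)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_url(endpoint, xml, param):
    """Full GET URL the browser would be redirected to under the HTTP-Redirect binding."""
    return f"{endpoint}?{redirect_encode(xml, param)}"


def fits_redirect(endpoint, xml, param, budget=URL_LENGTH_BUDGET):
    """True if the redirect URL stays within the (assumed) URL length budget."""
    return len(redirect_url(endpoint, xml, param)) <= budget


def post_form(endpoint, xml, param):
    """HTTP-POST binding: base64 of the XML in a hidden form field, no compression or size limit."""
    value = base64.b64encode(xml.encode()).decode()
    return (
        f'<form method="post" action="{escape(endpoint, quote=True)}">'
        f'<input type="hidden" name="{param}" value="{escape(value, quote=True)}"/>'
        "</form>"
    )


def post_decode(form_value):
    """Reverse of the POST binding encoding."""
    return base64.b64decode(form_value).decode()


if __name__ == "__main__":
    sso, acs = "https://idp.example.com/sso", "https://sp.example.com/acs"
    print("AuthnRequest redirect URL:", len(redirect_url(sso, AUTHN_REQUEST, "SAMLRequest")), "chars")
    for n in (0, 20, 60):
        resp = build_response(n)
        print(f"Response, {n} attributes: redirect URL {len(redirect_url(acs, resp, 'SAMLResponse'))} chars,"
              f" fits={fits_redirect(acs, resp, 'SAMLResponse')},"
              f" POST form {len(post_form(acs, resp, 'SAMLResponse'))} chars")
```

Running it shows the AuthnRequest comfortably inside the budget while the response grows past it as the assertion fills up, which is the practical reason an IdP emits the Web SSO response as an auto-submitting POST form (or an artifact) rather than a redirect. On the SP side the same distinction matters for validation: a SAMLResponse arriving in a query string of the ACS endpoint is outside the profile and can simply be rejected.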

Perfect! Thanks for clarifying, that helps a lot!

You’re welcome.