SP Initiated SSO Post Request with Custom HTTP Header

Hi all,

I have 2 ASP.NET MVC sites. One is the SP. The other is the IdP. I would like to set out a couple of custom HTTP Headers in the SSO Request to the IdP site.
The SP site is using HTTP-Post binding for the configuration of SingleSignOnServiceBinding, “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”.

The SP is doing:

Response.AddHeader("CustomHttpHeaderKey", "value");
SAMLServiceProvider.InitiateSSO(Response, relayStateAsReturnUrl, partnerIdPName);

The header is successfully added to the Response Headers collection.

On the IdP site, I cannot see the header entry in the Request object.


Is ComponentSpace supporting custom HTTP headers along with the SP Initiated SSO Post Request?


Remember that communication between the service provider and identity provider is via the browser.
When you send a SAML authn request via HTTP Post to the identity provider, the following occurs.
1. An HTTP response is returned to the browser containing an HTML form. This form includes the encoded SAML message.
2. A small section of JavaScript included in the response is executed by the browser to submit the HTML form to the identity provider.
3. This results in an HTTP Post request being sent by the browser to the identity provider.
If you add a custom header as you’ve done, this will be returned in the HTTP response to the browser.
The browser won’t then include this header in the HTTP request it sends to the identity provider.
If you use something like Fiddler to capture the HTTP traffic you’ll see what I mean.
What type of information do you wish to send to the identity provider?
I’m just wondering if there’s another way to do this.

[quote]
ComponentSpace - 5/14/2018
Remember that communication between the service provider and identity provider is via the browser.
When you send a SAML authn request via HTTP Post to the identity provider, the following occurs.
1. An HTTP response is returned to the browser containing an HTML form. This form includes the encoded SAML message.
2. A small section of JavaScript included in the response is executed by the browser to submit the HTML form to the identity provider.
3. This results in an HTTP Post request being sent by the browser to the identity provider.
If you add a custom header as you've done, this will be returned in the HTTP response to the browser.
The browser won't then include this header in the HTTP request it sends to the identity provider.
If you use something like Fiddler to capture the HTTP traffic you'll see what I mean.
What type of information do you wish to send to the identity provider?
I'm just wondering if there's another way to do this.

[/quote]

Thank you very much for the quick reply.
We are trying to send some additional information about the SP. Sorry, we cannot say what, but you can think of it as a string value.

For the JavaScript section, is there a way to customize it to add the header in the Post?

Could you add the additional information as a query string parameter?
If the additional information is dynamic and cannot be included in the SAML configuration as part of the SingleSignOnServiceUrl, you can call the SAMLServiceProvider.InitiateSSO overload that takes the singleSignOnServiceUrl as a parameter.
The HTML including JavaScript used as part of the HTTP-Post binding may be updated using the ComponentSpace.SAML2.Bindings.HTTPPostBinding.HTMLFormTemplate property.
However, I feel that using a query string parameter rather than an HTTP header is a better approach.
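
The query string approach suggested above, as an added example that is not part of the original thread and is not ComponentSpace code. It goes one step beyond the reply: because the value reaches the identity provider through the user's browser, the SP attaches an HMAC so the IdP can detect a modified value. The parameter names `spInfo` and `spInfoSig`, the pre-shared key, the sample value and the IdP URL are all assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

static class SpInfoParameter
{
    // Hypothetical parameter names; not defined by SAML or by ComponentSpace.
    const string ValueName = "spInfo", TagName = "spInfoSig";

    static string Tag(string value, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }

    // SP side: append the value and its HMAC to the SSO service URL.
    // The value is integrity-protected, not hidden: it is still visible in the browser and in logs.
    public static string BuildSsoUrl(string ssoUrl, string value, byte[] key)
    {
        string sep = ssoUrl.Contains("?") ? "&" : "?";
        return ssoUrl + sep + ValueName + "=" + Uri.EscapeDataString(value)
             + "&" + TagName + "=" + Uri.EscapeDataString(Tag(value, key));
    }

    // IdP side: return the value only if its tag verifies, otherwise null.
    // In an ASP.NET action the query would come from Request.Url.Query.
    public static string Verify(string query, byte[] key)
    {
        var q = HttpUtility.ParseQueryString(query);
        string value = q[ValueName], tag = q[TagName];
        if (value == null || tag == null) return null;
        byte[] expected = Encoding.UTF8.GetBytes(Tag(value, key));
        byte[] actual = Encoding.UTF8.GetBytes(tag);
        int diff = expected.Length ^ actual.Length;   // compare without early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0 ? value : null;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        string url = BuildSsoUrl("https://idp.example.com/SAML/SSOService", "tenant-42", key);
        string query = new Uri(url).Query;
        Console.WriteLine(Verify(query, key) ?? "rejected");                                   // untampered request
        Console.WriteLine(Verify(query.Replace("tenant-42", "tenant-1"), key) ?? "rejected");  // value edited in transit
    }
}
```

The resulting URL is what would be passed as the singleSignOnServiceUrl mentioned above; the same tagged pair could equally be carried as hidden form fields if the HTML form template is customized instead.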

[quote]
ComponentSpace - 5/15/2018
Could you add the additional information as a query string parameter?
If the additional information is dynamic and cannot be included in the SAML configuration as part of the SingleSignOnServiceUrl, you can call the SAMLServiceProvider.InitiateSSO overload that takes the singleSignOnServiceUrl as a parameter.
The HTML including JavaScript used as part of the HTTP-Post binding may be updated using the ComponentSpace.SAML2.Bindings.HTTPPostBinding.HTMLFormTemplate property.
However, I feel that using a query string parameter rather than an HTTP header is a better approach.
[/quote]

Thank you very much for your insight. I am able to update the ComponentSpace.SAML2.Bindings.HTTPPostBinding.HTMLFormTemplate property to send the information I need to the IdP through HTTP-Post binding.
I have not tried to override the singleSignOnServiceUrl parameter in SAMLServiceProvider.InitiateSSO. However, I believe it will work.

Thanks for the update.